Managed Security has three components – non-admin configuration, software restriction policies and endpoint security – which work together to help protect IT environments from Internet-based threats.
Non-Admin Configuration – After tabulating all the vulnerabilities published by Microsoft, it turns out that around 90 percent of them can be mitigated by configuring users to operate without administrator rights. The two most heavily exploited Microsoft applications fare even better: 100 percent of Microsoft Office flaws and 94 percent of Internet Explorer flaws (and 100 percent of Edge flaws) no longer work once administrative rights are removed from the account the user logs on with.
We believe that running users as standard users is good for business, the ecosystem, and all users (even I, a network administrator, do not run as admin on any of my computers). Configuring users as standard users enables parents to more securely share family computers with their children, and enables enterprise administrators to configure standard user accounts for staff, lowering TCO and improving security. IT pros likely know the benefits of reduced system access across wide swaths of workers, but for those setting up a shared family computer, or helping out a very virus-prone friend or relative, it is worth keeping in mind. You will get occasional phone calls and emails when someone needs to update or install a program or plug-in, but it spares you a lot of grief down
Setting someone up with a limited account does not mean they cannot also have a separate Local Administrator account – if this meets corporate compliance – just make sure they understand that the limited account is for everyday use, and the Administrator account is ONLY for installing programs they know are safe. Using the least privilege needed for the task you are accomplishing is always a good idea, regardless of how computer savvy you are.
Most malware, spyware and similar threats prompt the user with some message, often a misleading one such as ‘Warning: you are running on a computer that has no Antivirus software – click here to fix this problem’ (even though you do have antivirus software installed). Inevitably a large percentage of staff will click on messages like this (even the X in the top corner of a pop-up like this can send you somewhere that is not so nice). If you are running as an admin, whatever you clicked on runs with your rights and can install something ‘nasty’. If you are not an admin, you do not have the rights to make major system changes or install software, so it is very likely that the ‘nasty’ cannot make major system changes or install software either.
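The check that goes with the advice above is to find out which everyday accounts are still local administrators and to move them to the Users group, keeping a separate admin account for installs. The script below is an added example, not part of the original page or any vendor tooling; the account names 'jsmith' and 'LocalAdmin' are assumptions for illustration. It resolves the groups by well-known SID so it works on localized Windows builds, and it refuses to demote the last remaining administrator.

```powershell
# Added example: audit local Administrators membership and demote a daily-use
# account to a standard user. Account names are assumptions for illustration.

function Test-CurrentUserIsAdmin {
    # True when the current token is a member of BUILTIN\Administrators (elevated)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Lists every principal in the local Administrators group (S-1-5-32-544),
    # including domain users and groups nested into it
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'
    Get-LocalGroupMember -Group $admins | Select-Object Name, ObjectClass, PrincipalSource
}

function ConvertTo-StandardUser {
    param(
        [Parameter(Mandatory)][string]$UserName,     # daily-use account to demote
        [string]$BreakGlassAdmin = 'LocalAdmin'      # assumed name of the separate admin account
    )
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'    # BUILTIN\Administrators
    $users  = Get-LocalGroup -SID 'S-1-5-32-545'    # BUILTIN\Users

    # Never leave the machine without an administrator: someone else must remain
    $remaining = Get-LocalGroupMember -Group $admins |
        Where-Object { $_.Name -notlike "*\$UserName" }
    if (-not $remaining) {
        throw "Refusing: '$UserName' is the only member of Administrators."
    }
    # The separate install-only account must already exist (and have been tested)
    if (-not (Get-LocalUser -Name $BreakGlassAdmin -ErrorAction SilentlyContinue)) {
        throw "Create and verify the separate admin account '$BreakGlassAdmin' first."
    }

    Remove-LocalGroupMember -Group $admins -Member $UserName -ErrorAction Stop
    $inUsers = Get-LocalGroupMember -Group $users | Where-Object { $_.Name -like "*\$UserName" }
    if (-not $inUsers) { Add-LocalGroupMember -Group $users -Member $UserName }

    # Return the post-change membership so the caller can confirm the demotion
    Get-LocalGroupMember -Group $admins
}

if (-not (Test-CurrentUserIsAdmin)) { throw 'Run this from an elevated PowerShell session.' }
Get-LocalAdminMembers | Format-Table -AutoSize
# Demote one account after reviewing the list above (uncomment to apply):
# ConvertTo-StandardUser -UserName 'jsmith' -BreakGlassAdmin 'LocalAdmin'
```

The demoted user keeps their profile and files; only the group membership changes, and it takes effect at their next logon. Run the audit part regularly, since software installers and helpdesk shortcuts have a habit of putting accounts back into Administrators.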
Computer viruses, cryptolockers, worms, trojan horses, spyware, adware, scareware – all types of malware have plagued our “computer lives” for many years. Over the last few years, though, we have had to contend with a new type of security threat, most likely the worst type yet – Ransomware. I am sure many of you will have read in the press about the many people and businesses affected by ransomware – FBI, Russians, Edward Snowden etc. For those of you who haven’t, here is a short definition taken from Wikipedia:
“Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading, or opening when it arrives as an email attachment. However, one high-profile example, the “WannaCry worm”, traveled automatically between computers without user interaction.”
The old rule of “if you don’t open attachments or click on links you are safe” is no longer true either. For example, over the last week we have seen a crypto attack spread through social networking comments where simply hovering your mouse over the content is enough to trigger the ransomware. The same hover-to-execute technique has been seen over the last week with Microsoft PowerPoint files.
The bad guys have gotten smarter. Not only have they worked out how to make a program execute on your computer without you clicking on anything, they have also worked out how to get around you having no admin rights. They simply run the “nasty” program from inside your user profile – folders such as Downloads, Temp and AppData, which you have full write access to even as a standard user – and from there every folder and file on the network that your account has permission to modify is encrypted and you are up for a ransom. Note that no admin rights are needed for this: the malware runs with your rights, and your rights are enough to overwrite your own files and the shares you work with. Of course, we do back up all servers hourly, 24×7, so in the worst case you lose up to 59 minutes of work – but the downtime can still be costly.
Software Restriction Policies – So with all the above in mind, in order to counter ransomware and other malware, we need to look to an entirely different security strategy. An important component of such a strategy is now the implementation of a Microsoft technology called Software Restriction Policies (or SRPs for short).
In essence, a software restriction policy lays down rules about where on a computer’s hard disk programs are allowed to run from. Thus, for example, programs in ‘Program Files’ will be given the OK, but programs in ‘Downloads’ will not (only an administrator can write to ‘Program Files’, so anything there was installed deliberately, whereas a standard user, and therefore any malware running as that user, can write to ‘Downloads’). Since this defensive mechanism does not rely on identifying a given program as malicious, it is in principle effective against all strains of malware. It does not matter whether your antivirus software knows about the threat or not, which is important in zero-day attacks.
An SRP has other advantages besides hardening the computer against malware. For example, it allows us to control the launching of programs from USB keys or DVDs, other routes by which unwanted software may find its way onto your computer.
We whitelist all of the known genuine software on your network so these are allowed to run as normal. Should any program outside this whitelist attempt to run, it will be blocked and the user will be asked to contact the Administrator for assistance in installing. This allows us to ensure only genuine business software is installed and blocks harmful or malicious software.
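What the policy described above looks like on a workstation, as an added example rather than the page’s own configuration: a default level of Disallowed, path rules that allow only the Windows and Program Files trees (which a standard user cannot write to, so everything there was installed by an administrator), and more specific deny rules for the user-writable subfolders inside those trees, since a more specific path rule wins over a broader one. The registry layout is the standard SRP store under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer; the choice of extra executable types and of the log file path are assumptions for a typical build and should be adjusted per environment. This covers the profile-based execution described in the ransomware section as well as the whitelist described here.

```powershell
#Requires -RunAsAdministrator
# Added example: apply a default-deny Software Restriction Policy locally via the
# registry. Paths, extra executable types and the log location are assumptions.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"
$Unrestricted = 262144    # 0x40000, SRP security level "Unrestricted"

# Registry-backed variables, as used by the default SRP rules, rather than %SystemRoot%
# style environment variables, which a user could redefine in their own environment.
$WinRoot = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
$ProgRoot = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
$Prog86Root = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'

# Locations a standard user cannot write to: anything here was installed by an admin
$AllowPaths = @($WinRoot, $ProgRoot, $Prog86Root)
# User-writable subfolders of the Windows tree; the more specific deny beats the allow
$DenyPaths  = @("$WinRoot\Temp", "$WinRoot\Tasks")

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,        # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths with ItemData holding the path
    $guid = [guid]::NewGuid().ToString('B').ToUpper()
    $key  = Join-Path $Safer ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

function Set-SrpBaseline {
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord  # 1 = all software except DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 1 -Type DWord  # 1 = exempt local admins
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
    # Windows' default list plus script/installer types that ransomware droppers use
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
             'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
             'SCR','SHS','URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -Type MultiString
    # Evaluation log: every allow/deny decision is appended; use it in audit before enforcing
    Set-ItemProperty -Path $Safer -Name LogFileName -Value 'C:\Windows\Temp\srp.log' -Type String

    foreach ($p in $AllowPaths) { Add-SrpPathRule -Path $p -Level $Unrestricted -Description 'Admin-installed software' }
    foreach ($p in $DenyPaths)  { Add-SrpPathRule -Path $p -Level $Disallowed   -Description 'User-writable subfolder' }
}

function Get-SrpRule {
    # Read back the effective path rules so the policy can be reviewed or diffed
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $paths = Join-Path $Safer "$level\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                [pscustomobject]@{
                    Level = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                    Path  = (Get-ItemProperty $_.PSPath).ItemData
                    Note  = (Get-ItemProperty $_.PSPath).Description
                }
            }
        }
    }
}

Set-SrpBaseline
Get-SrpRule | Format-Table -AutoSize
```

PolicyScope is set to exempt local administrators because the intended workflow is that only the separate admin account installs software; with the non-admin configuration in place, that account is the only one that can run an installer from Downloads, and the everyday account cannot even when the file has been dropped into the profile. New processes pick the policy up immediately; log off and on to be sure. A blocked launch is recorded in the Application event log under the source Software Restriction Policies (event 865 for the default level, 866 for a path rule), which is what to alert on and what the helpdesk sees when a user reports that a program “won’t open”. Note that business applications that run from the profile (some updaters, portable tools and per-user installers) will need their own Unrestricted path or hash rules added to the whitelist, and that restricting DLLs (TransparentEnabled = 2) closes a further gap at the cost of more rules and a noticeable performance hit.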