The Pros and Cons of System Lockdown
By Rodney Buike
Locking down desktops is becoming more and more prevalent in today’s corporate environment. Malware, viruses, malicious users and laws like SarbOx are putting pressure on IT staff to remove users from the local Administrators group and lock down their systems. For this to succeed, administrators need a delivery mechanism to install software and hotfixes on user machines.
In many corporate environments, users are required to install their own software and patches. While this may reduce the load on the IT staff, the ability for users to download applications off the net, including viruses, malware and other suspect software, will increase the load. Certifying the software that may be used, locking down systems, and automating software installation and patch management shifts the role of the IT staff; however, the overall load should remain the same. With a proper infrastructure in place you can even reduce the workload on the IT department by implementing such a scheme. Applications such as WSUS and SMS make it easier for IT staff to implement and manage this.
Of course there are certain users who require specific, non-certified software. In these cases, the IT staff can install the app. By doing it this way you accomplish two things: first, you know what apps are installed on their machines, and second, the apps can be tested in your environment to ensure they don’t break any other applications. How many times have you installed a piece of software only to find out it renders another useless? By having the IT staff test the application, they get some sense of how it works, so when the user calls they have some clue as to what the user is trying to do, and you can ensure that the program does not conflict with other applications. This system allows you to configure a basic desktop setup for all users with a general set of applications and then add the required functionality on a per-user/per-need basis.
All this is fine for local users, but becomes increasingly difficult with remote users. Remote users introduce a whole slew of issues. First, they usually have to be local admins, or have access to a local admin account on their PC. This enables them to manage software installation and hotfix installation on their own. Unfortunately, they are usually not as vigilant in this task. This creates an entry point for viruses, worms and malware onto your corporate network when they do arrive at the office or connect remotely via VPN. There are solutions to this, including the Remote Access Quarantine feature in Windows Server 2003 SP1. Quarantines work great for ensuring that remote users are up to date on their hotfixes, virus definitions and other security-related updates; however, they do not lock down the workstation.
The biggest complaint will come from the users. Taking away a privilege they may have had for years won’t happen without a fight and lots of whining. In certain cases, there may be employees who actually need elevated privileges to perform their day-to-day tasks. To handle this effectively you will need to define a standard IT policy that everyone must follow, and set out rules and procedures that give those who require elevated privileges the rights they need to do their job efficiently.
Confused? Sounds like a lot of work? Well it is, but in the end, once all is said and done and the last user tear has been wiped up, your IT staff should have the time to work on the things that are really important, like finishing Quake 4!
Last year we had to uninstall 900+ unauthorized programs (1,200 users) due to the annual Sarbanes-Oxley audit for unauthorized software. We had been trying to implement a lockdown policy without much success. This was the event that did it. This year we had to uninstall less than 20 programs.
The biggest culprits were IT people who continued to give end users elevated privileges to "fix" some problem. We now scan for anyone with anything other than restricted user rights on a monthly basis and the IT person responsible for their computer has to fill in a report about how and why it happened.
We used to have spyware and adware problems continuously. It was not unusual for three or four computers to be shipped in weekly for cleanup (helping FedEx's profits to boot).
Now we don't have spyware and adware problems. We see maybe one computer a month and it's always because someone was given elevated rights inappropriately. We don't buy or use anti-spyware or anti-adware programs; we just don't need them.
The remote users were the biggest challenge. We now have a standard desktop printer and we pre-install the drivers in the image. All of them are restricted as well now (350 or so).
We no longer have the problem of them going into some other company and having their network settings modified. In one instance, they tried to disable the software firewall because it made our computer "invisible" on their network and they didn't like it.
In another instance, they didn't like our antivirus program so they uninstalled ours and installed theirs! We found this out quickly because our remote access system tests for our AV and it denied them access after that. :-)
I'd bet 90% of our users never even noticed it when they were switched to a restricted user. The managers of the complainers were quieted down when we sent them a list of all the Help Desk calls their people had over the past year, before and after lockdown.
After all, the computers are for them to get their company work done, and shipping them in for cleanup only interferes with their work for their manager.
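The monthly scan for users holding more than restricted rights that the comment above describes can be automated against the local Administrators group of each workstation. This is an added PowerShell example, not the article's or the commenter's own tooling; the approved principal names, the `CORP` domain and the `workstations.txt` input file are assumptions, and it requires PowerShell 5.1 or later on the targets plus WinRM for `Invoke-Command`.

```powershell
# Added example (not from the original page): report every member of the
# local Administrators group that is not on an approved list, so the
# responsible IT person can be asked how and why the account got there.

# Assumed (constructed) approved principals; adjust to your environment.
# 'LOCAL\Administrator' covers the built-in account on every machine.
$Approved = @(
    'CORP\Domain Admins',
    'CORP\Desktop-Support',
    'LOCAL\Administrator'
)

function Get-UnapprovedAdmins {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$ApprovedList = $Approved
    )
    # Run the check on each target; unreachable hosts produce an error
    # but do not stop the rest of the scan.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($allowed)
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            # Normalise "<HOSTNAME>\Administrator" to "LOCAL\Administrator"
            # so one allow-list entry matches on every workstation.
            $name = $_.Name -replace "^$env:COMPUTERNAME\\", 'LOCAL\'
            if ($allowed -notcontains $name) {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    Member      = $_.Name
                    ObjectClass = $_.ObjectClass     # User or Group
                    Source      = $_.PrincipalSource # Local or ActiveDirectory
                }
            }
        }
    } -ArgumentList (,$ApprovedList) -ErrorAction Continue
}

# Monthly run: one hostname per line in workstations.txt (assumed input),
# results written to a dated CSV for follow-up.
$hosts = Get-Content .\workstations.txt
Get-UnapprovedAdmins -ComputerName $hosts |
    Select-Object Computer, Member, ObjectClass, Source |
    Export-Csv -Path ".\admin-audit-$(Get-Date -Format yyyy-MM).csv" -NoTypeInformation
```

Machines that are off the network on scan day (typical for the remote users discussed above) simply show up as connection errors, so keep the previous month's list to re-check them when they next connect.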
There is a new article by me up on the Industry Insiders blog on The Pro's and Con's of System Lockdown.
Rodney Buike has written a thought provoking article about the challenges of locking down production systems whilst ensuring they still perform