Locking Down Systems – Preventing Change

Restricting user and administrator ability to change system configuration to minimise management costs and the security attack surface has been a standard desktop management best practice for over 10 years.

In addition to the general desktop population, most organisations have a set of mission-critical systems that cannot be patched as regularly as standard desktops because of reliability, availability or system integrity concerns. These systems still need to be protected between patch cycles. Low-powered systems, such as POS or ATM systems, do not have the resources to handle the footprint of multiple security products.

Regardless of the environment, a level of standardisation, or lockdown, must be maintained to keep security risk at an acceptable level. Every change to the system alters its configuration and presents the risk that the machine will become unstable or that a new attack path will be introduced.

The cost of not locking down systems is significant. The cost of technical support for a standard user is 24% less than for a user with administrator rights. Locking down systems reduces overall TCO by more than 35% (Source: Gartner).

VigilancePro® supports a multi-tiered lockdown strategy with rules and policies applied by user and by system. Different levels of lockdown can be applied based on user role and need, and by system type and role.

Hardware and OS Changes

VigilancePro tracks all hardware changes on a system as well as all modifications to the operating system. Every system update is monitored and logged, or prevented.

File and Folder Protection

VigilancePro can track all changes to files in any folder, as well as prevent changes to critical data. File open, modify, create, rename and delete events are tracked across the infrastructure with full reporting, alerting, dashboarding and integration with other consoles or SIM/SEM solutions. Full information on exactly which user performed which function from within which application is provided, giving 360-degree visibility of user activity.

Application Control

VigilancePro enables organisations to comprehensively control applications, supporting full blacklisting and whitelisting as well as the ability to block the use of specific application functions by users. Only whitelisted applications can run; all other executable code (including scripts and macros) is blocked. The priority of AV scanning can be downgraded on mission-critical systems.

Application Shaping

VigilancePro goes beyond basic blacklist and whitelist application control.

Application functionality can be dynamically shaped based on contexts such as user, group, time, location, or a combination of attributes. Specific menu options, keyboard shortcuts and buttons within applications can be made available only to certain users, only during working hours, or only when connected to the internal network. Printing of sensitive documents may be disabled when users are connected remotely over a VPN.

Cut, Copy, Paste, File Save, Save As, Search, Import, Export and Print, as well as keys such as PrtSc, can be disabled. Even if a user is authorised to open a particular file, copying its content, or saving it to a different location such as a local hard drive or USB stick, is prevented.

With users increasingly given local administrator rights on mobile PCs due to operational and support challenges, access to mmc.exe or the command prompt, the ability to change proxy settings using the LAN Settings button within Internet Explorer, and the ability to install new software can still be restricted.

Flexible dynamic application control enables organisations to both secure and facilitate approved information flows whilst limiting the data leakage vectors available to users.

Solution Highlights:

  • Full management of all software changes
    • whitelist approved applications, blacklist those that represent risk or require administrator rights
    • only allow very specific versions of whitelisted applications (through hashing the EXE)
    • nothing else can run (scripts, macros, etc.), protecting system state
    • reduce patching on mission-critical systems
  • Full management of all hardware changes (next generation device control)
  • Full write, read/copy protection of files and folders
  • Hide or destroy documents as threat levels increase
  • Windows registry and event log watchers
  • Prevent tampering with log files
  • Complete audit trail of all configuration changes
  • Real-time SMS and email alerts on critical changes, or change attempts
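The hash-pinned, default-deny allowlist described under Application Control and in the software-change bullets above, as an added example (not VigilancePro code): approved binaries are keyed by content hash rather than file name, so a renamed copy of an approved version still runs while a patched or unknown binary, script or macro is denied, and every decision is rendered as an audit line. The sample "binaries", user names and paths are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the bytes of approved executables on disk.
# In a real deployment these would be the actual EXE contents at approval time.
APPROVED_BINARIES = {
    "notepad.exe v10.0": b"MZ...constructed-notepad-build-10.0",
    "putty.exe v0.78": b"MZ...constructed-putty-0.78",
}

# Extensions the policy treats as scripts/macros: denied unless hash-approved.
SCRIPT_EXTENSIONS = {"ps1", "vbs", "js", "bat", "cmd", "xlsm", "docm"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by hash, not name: pinning a version means pinning its digest.
ALLOWLIST = {sha256(blob): name for name, blob in APPROVED_BINARIES.items()}


@dataclass
class Decision:
    allowed: bool
    reason: str
    matched: Optional[str] = None  # approved entry the hash matched, if any


def evaluate(path: str, content: bytes) -> Decision:
    """Default-deny: only content whose hash is on the allowlist may run."""
    name = ALLOWLIST.get(sha256(content))
    if name:
        return Decision(True, "hash matches approved version", name)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext in SCRIPT_EXTENSIONS:
        return Decision(False, f"script/macro type .{ext} is not whitelisted")
    return Decision(False, "executable hash not in allowlist")


def audit_line(user: str, path: str, decision: Decision) -> str:
    """One audit-trail record per execution attempt, allowed or blocked."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    target = decision.matched or "(unapproved)"
    return f"{verdict} user={user} path={path} match={target} reason={decision.reason}"
```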