As a core requirement of the new code, least privilege

Avecto | Bitesize Article
How to Simply
Achieve PSN
Compliance
Russell Smith, author of ‘Least Privilege
Security for Windows 7, Vista and XP’.
The PSN Code of Practice includes
In this bite size article,
Russell Smith provides a
quick and easy step-by-step
guide to ticking the box of
PSN Compliance to satisfy
your audit requirements.
configuration controls that require
government departments to:
L ockdown software according to policy,
and assign the minimum privileges
required to use a PSN service
P
revent the execution of unauthorized
As a core requirement
of the new code, least privilege
security is the practice of
assigning only the permissions
users require to perform
their roles.
software
Prevent
unauthorized changes to the
Russell Smith
standard build of network device
direct access to IT support, as is increasingly
In November 2012, the UK government
Ensure
that users give permission before
the case with many local authorities and
Public Services Network (PSN) Code of
active content can be executed.
government departments which prefer to
issue notebooks to facilitate mobile working.
Practice replaced the Government Secure
Intranet Code of Connection (GSi CoCo).
Based on ISO 27001, the new code is
Step 1
Lockdown Policy and Least
Legacy applications often fail to run without
Privilege Security
administrative permissions, applications
outcome based so that government
Least privilege security and OS lockdown
cannot be patched manually, hardware with
departments can comply how they see
can be achieved by removing administrative
unsigned drivers cannot be installed, and
fit, rather than check a list of technical
permissions from end users. Least privilege
some Windows features cannot be run.
requirements.
can also be achieved by using Protected
Administrator (PA) accounts in Windows
Microsoft’s Application Compatibility Toolkit
The Requirements
Vista and later, but neither of these solutions
(ACT) can be used to deploy compatibility
As a core requirement of the new code, least
can fully satisfy the PSN requirements.
shims that solve some of the issues
privilege security is the practice of assigning
Protected Administrator accounts offer some
encountered with legacy applications
only the permissions users require to
protection by removing administrative
running under standard user accounts.
perform their roles. Though least privilege
privileges from end users most of the time,
However, compatibility shims require testing
security is widely accepted as best practice,
but Windows User Account Control (UAC)
and development time, and cannot be used
Windows users often work with full
doesn’t provide any centralized policy-based
to solve privilege-related issues on the fly.
administrative rights because of the
control of how elevated privileges are used.
Avecto Privilege Guard enables government
difficulties associated with running legacy
applications, adding new hardware and
There are many scenarios where removing
departments to overcome the limitations of
working with some Windows features under
administrative rights can prove problematic
Windows privilege management to set
a standard user account.
for end users, especially where there is no
sophisticated policies that modify the
privileges of running processes. Applications,
Windows XP Software Restriction Policy
Windows features, Windows Store Apps
(SRP) provides basic application whitelisting
(previously Metro apps), scripts, batch files,
functionality but has never been widely
and ActiveX Controls can all be launched
adopted as it is considered difficult to deploy
with a unique set of assigned rights,
and manage. Windows Vista introduced a
without giving users administrator accounts.
new technology called AppLocker, which
Privilege Guard can be deployed and
considerably reduces the effort required to
managed using Active Directory Group
implement and manage application
Policy or McAfee ePolicy Orchestrator.
whitelisting. Windows 8 updates AppLocker
Avecto Privilege Guard
allows IT to quickly and easily
implement least privilege and
comply with the PSN code
requirements, without the
limitations usually associated
with standard user accounts.
to support Windows Modern UI (previously
Whilst Microsoft modified UAC in Windows 7
Metro) apps.
Russell Smith
to minimize the number of prompts users
see when running as a Protected
Privilege Guard’s application whitelisting
PSN compliance with Avecto Privilege Guard
Administrator, standard users will continue to
feature offers IT several advantages over
Vista and later versions of Windows offer
be confronted by these UAC prompts,
AppLocker. Not only does Privilege Guard
basic functionality that makes working with
generated by Explorer from applications
have more flexible creation of rules to match
standard user accounts more realistic, but
using Component Object Model (COM).
authorized software, it provides a unified
features such as Protected Administrator
Privilege Guard’s auditing feature can be
system for all supported versions of Windows
accounts and UAC elevation prompts don’t
used to eliminate generic UAC prompts and
and a means to monitor the software run on
provide enough control for government
either replace them with informative,
a network and the privileges in use. These
departments to comply with the PSN code
branded messaging or silently elevate
features combine to increase the prospect of
whilst ensuring that users have the flexibility
processes so that users can continue
a successful application whitelisting project,
required to perform their roles effectively.
working without contacting IT. The difficulties
and reduce costs with simplified management.
Avecto Privilege Guard allows IT to quickly
and easily implement least privilege and
of supporting notebook users when away
from the office has traditionally been a block
to the adoption of least privilege security.
Step 3
Dealing with Active
comply with the PSN code requirements,
Content
without the limitations usually associated
For example, notebook users don’t always
The ActiveX Installer Service (AxIS) was
with standard user accounts. Privilege Guard
have connection to the network but may
introduced in Windows Vista and provides
allows government departments to
need to perform an operation that is blocked
on demand installation of per-machine
implement security best practices while
by policy. The challenge/response
ActiveX Controls, using elevated privileges
ensuring that authorized changes can be
authorization feature in Privilege Guard
on the user’s behalf. The concept of per-user
actioned in a timely manner, even for remote
provides a mechanism that allows IT to
ActiveX Controls was also introduced,
users without network connectivity.
respond in situations where policy can’t be
allowing IT to package in-house controls so
updated, giving government departments
that they can be installed by standard users.
About the Author
confidence that they can meet users’ needs
The Windows ActiveX Installer Service limits
Russell Smith is the author
in any situation.
IT to specifying trusted host URLs from
of Least Privilege Security
which users are able to install all available
for Windows 7, Vista and XP
Remove Admin Rights
controls. So for example, if Adobe is listed
Application whitelisting is a
in policy as a trusted host URL, users can
includes details about the applications of
technology that blocks the execution of
install Flash, Shockwave and any other
Avecto’s Privilege Guard software for
software not listed in a centrally defined
controls Adobe publishes. AxIS can’t be
Windows least privilege management. Smith
policy. Removing administrative privileges
restricted to the installation of specific
is also contributing editor for Microsoft Best
from end users is not enough to block all
ActiveX Controls from a given host.
Practices at CDW’s Biztech magazine and a
Step 2
published by PACKT, which
regular contributor to leading industry journal
unauthorized software, as a lot of applications
are packaged to install to user profiles
Avecto Privilege Guard allows IT to define
Windows IT Pro. He holds a diploma of
(sometimes referred to as portable
exactly which controls can be installed, and
higher education from the University of
applications), rather than the protected
in conjunction with Privilege Guard’s
London and is a Microsoft Certified Systems
Program Files folder and restricted parts of
challenge/response authorization feature,
Engineer (MCSE). With over 10 years
the system registry. Additionally, application
IT can quickly allow users to install controls
experience securing and managing Windows
whitelisting enables government
that are not defined in policy. Other active
Server systems for Fortune Global 500
departments to be sure that only authorized
content, such as scripts and batch files can
companies and small to mid-size enterprises,
scripts, batch files and other types of active
also be allowed or blocked at a granular level.
Smith is also an experienced trainer.
content can run.
Americas +1 978-703-4169
UK +44 (0)845 519 0114
info@avecto.com
Follow us on twitter
Americas 125 Cambridge Park Drive, Suite 301, Cambridge, MA 02140 USA
UK Hobart House, 3 Oakwater Avenue, Cheadle Royal BusinessPark, Cheadle SK8 3SR UK
www.avecto.com
Follow us on Google+