[ISN] Standard desktops, special needs
By Rutrell Yasin
Officials at Vandenberg Air Force Base, Calif., have found a way to
manage user privileges in an enterprise Windows environment while
adhering to requirements for a standard desktop PC configuration
mandated by the Air Force and the Office of Management and Budget.
The system lets users run specialized — but authorized — applications
not included in the standard configuration without undue intervention by
a system administrator.
OMB issued guidelines in March that require federal agencies to comply
with standard Windows XP and Vista security requirements by Feb. 1,
2008. Having preloaded, secure configurations of Windows software on
desktop PCs will let agencies tighten security and better manage desktop
The OMB requirements, based on similar initiatives by the Air Force,
will require agencies to restrict administrator rights on all desktop
computers. OMB is expanding on the work of the Air Force, Army, Defense
Information Systems Agency, National Institute of Standards and
Technology, National Security Agency and Homeland Security Department to
develop a standard Windows configuration.
Vandenberg started to comply with the Air Force’s standard desktop
configuration in January. Before the move, base officials knew they had
to develop a way to deploy desktop systems without administrative
privileges while allowing users to run or install all authorized
“Before this migration, there were certain groups of users that had
administrative privileges on their machine so they could run these
special applications,” said Mike De Bruin, senior systems engineer at RS
Information Systems, an on-site contractor at Vandenberg, who manages
user privileges for a squadron at the base.
The Air Force has many homegrown applications, he said. “You have your
standard apps like Microsoft Office, and there are a lot of customized
applications [that] required administrative privileges to run,” he said.
De Bruin’s squadron considered a couple of options before picking a
solution that would let him manage 500 users and 450 desktop PCs.
Currently, the standard desktop configuration environment is for Windows
XP Service Pack 2.
One workaround would have required someone with administrative rights to
log on to a user’s computer and then personally monitor the situation
while the user ran the application.
Another option would have required the administrator to log on to the
user’s computer from the administrative system and give the user rights
for one session.
The administrator would not have to stand at the user’s computer and
monitor activity, but every time the user needed to use the application,
the administrator would have to repeat the process, De Bruin said. If
the user needed access to the application several times a day, that
could become a cumbersome task.
One to many
Some squadrons on base are still opting for one of these scenarios. But
De Bruin found the answer to his administrative rights dilemma in
Privilege Manager software from BeyondTrust.
The squadron needed software that could work with Microsoft’s Group
Policy, a feature of Windows that helps the squadron achieve a standard
Group Policy and the Active Directory services infrastructure in Windows
Server 2003, for example, let IT administrators automate one-to-many
management of users and computers. Administrators can efficiently
implement security settings, enforce IT policies, and distribute
software consistently across a given site, domain or range of
Using Privilege Manager, administrators can download a small application
onto users’ desktops that integrates with Group Policy.
“You point it to the right application on the [user’s] computer,” he
said. The software lets IT administrators filter privileges in many
different ways — by times of day or specific computers, IP addresses,
users or organizational units, De Bruin said. For example, “I am able to
get granular to make sure that the accounting people have admin rights
for accounting applications” instead of users who should not have
access, he said.
“Unless you get granular, you’re just opening up security holes,” he
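The granular scoping De Bruin describes, as an added illustration that is not BeyondTrust's code or the base's configuration: a small default-deny rule evaluator in which a per-application elevation grant can be limited by user group, organizational unit, computer name, IP range and time of day. The application path, group name, subnet and hours in the sample policy are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ElevationRule:
    """One per-application grant; an empty scope means 'no restriction on that axis'."""
    app_path: str
    groups: frozenset = frozenset()     # user groups allowed to run it elevated
    ous: frozenset = frozenset()        # organizational units of the user
    computers: frozenset = frozenset()  # specific hostnames
    networks: tuple = ()                # CIDR strings, e.g. ("10.20.0.0/16",)
    hours: tuple = ()                   # (start, end) time-of-day window; () = any time

@dataclass(frozen=True)
class Request:
    """What the desktop agent knows when a user launches an application."""
    app_path: str
    groups: frozenset
    ou: str
    computer: str
    ip: str
    at: time

def rule_matches(rule, req):
    """True when every scope axis set on the rule is satisfied by the request."""
    if rule.app_path.lower() != req.app_path.lower():   # Windows paths are case-insensitive
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.ous and req.ou not in rule.ous:
        return False
    if rule.computers and req.computer.lower() not in {c.lower() for c in rule.computers}:
        return False
    if rule.networks and not any(ip_address(req.ip) in ip_network(n) for n in rule.networks):
        return False
    if rule.hours and not (rule.hours[0] <= req.at <= rule.hours[1]):
        return False
    return True

def elevate(rules, req):
    """Default deny: the process runs elevated only if some rule covers the request."""
    return any(rule_matches(r, req) for r in rules)

# Constructed sample policy: accounting staff may run the accounting app elevated,
# but only from the finance subnet during working hours; everything else stays unelevated.
RULES = (
    ElevationRule(r"C:\Apps\Accounting\acct.exe", groups=frozenset({"Accounting"}),
                  networks=("10.20.0.0/16",), hours=(time(7, 0), time(18, 0))),
)
```

A request that misses any one axis (wrong group, wrong subnet, outside the window, or a different executable) is refused, which is the point of scoping a grant narrowly rather than handing the user a local administrator account.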