With the ubiquity of the internet, Wi-Fi hotspots and USB devices, the possibilities for unauthorized software on company PCs now seem endless. You are likely plagued by incidents around the clock: spyware such as keyloggers, adware, viruses, trojans, worms, non-licensed software, vulnerable applications and user-downloaded software (sometimes inadvertently). The list goes on and on. Even with the proliferation of anti-virus and anti-spyware solutions, desktops and laptops have become the weakest link in enterprise networks.
That means that desktop usage policies are more important than ever as a key component of any company's defense-in-depth security strategy, which should also address what constitutes acceptable usage for email, instant messenger, the internet, and the network - not just desktops.
A recent survey of 565 IT professionals in September revealed rampant non-compliance with corporate IT policies by desktop users. According to the results of the "Desktop Usage Policies and Trends Survey," sponsored by Bit9, a large number of end users not only run with administrative rights and privileges, but many aren't complying with usage policies set by IT.
The survey revealed that although one-third of IT professionals have removed administrative rights for 75 percent or more of their end users, many end users still have administrative rights on their machines, giving them the ability to download applications without IT's knowledge. Thirty-eight percent of respondents stated that they have allowed more than half of their end users to maintain administrative rights on their machines. This level of end-user permissions - and lack of centralized control - can lead to a proliferation of non-business applications loaded on company-owned desktops. Applications that run undetected by enterprise IT organizations can contain critical vulnerabilities and spyware, which drift desktops into non-compliant states.
Other noteworthy findings include:
· End users aren't complying with desktop usage policies: Two-thirds of IT professionals responding (66 percent) say that end-user cooperation is nonexistent, low, or medium.
· Rogue software is consuming significant helpdesk resources: Thirty percent of respondents report spending more than a quarter of their time answering service calls related to unapproved end-user software.
What can you do? For starters, understand that the right desktop usage policy for your organization is the one that will work. Policies are simply rules about how you want your IT infrastructure to be used and act as general guidelines about what employees are and are not allowed to do; they need to be tailored to your organization to be effective. For example, your company's desktop usage policy could address which applications are (and are not) allowed. In theory, many companies have a policy disallowing unauthorized software (for example, computer games, IM or VoIP clients, media players, browser toolbars, p2p file-sharing, or other non-business applications). But in reality, they have a difficult time monitoring and enforcing that policy.
For example, I recently spoke with a financial services client grappling with the implications of SEC Ruling 202, which addresses the question of when the investment
advisory activities of a broker-dealer subject it to the Advisers Act. As part of the implementation to meet the requirements of the ruling, this particular institution banned financial planning software on its brokers' desktops, but was finding less than optimal ways of instituting the ban.
So what can you do to better manage desktops in order to comply with desktop usage policies?
Ask any Windows administrator or security professional and you'll find widespread support for the idea of monitoring and locking down employees' desktops. By removing administrative privileges, many problems can be avoided, ranging from corrupted systems and malware infections brought about by non-compliance with desktop usage policies. Unfortunately, removing admin rights from PCs introduces significant complexity to IT operations and doesn't solve all the problems. You'll want to look for solutions that work in conjunction with Active Directory and Group Policy Objects (GPOs) to allow you to address critical requirements of lockdown such as:
· Automatically keeping policy up-to-date with approved changes to the desktop software configuration, so internal software deployments and automatic updates don't interrupt users;
· Letting users install approved, legitimate software without IT involvement
· Providing security and monitoring capabilities for users who still retain admin rights (for example, engineers, remote offices, or executives);
Lastly, whether you are locking down desktops or simply want to easily ban rogue software and approve authorized software, it helps to clearly communicate acceptable desktop usage to your end users via the employee handbook, brown bag lunches, and regular emails.
Please feel free to email me to share your experiences, feedback or any policies questions you may have.
-Todd Brennan is CTO and co-founder of Bit9.
