Preventing users from making unwanted desktop changes without restricting them from performing their job function continues to pose serious challenges for almost all organizations. Striking a balance between providing users with a degree of control over their desktop configuration and protecting the standard desktop build is difficult, as this control often results in granting admin rights to a user.
Once granted, admin rights give a user control over every aspect of their desktop configuration, a scenario that does not sit well within a corporate environment. Running users with admin rights also carries a greater threat from malware, as payloads are almost always more destructive under a privileged account. The increase in the deployment of laptops only adds to this problem, as laptop users often require an even greater degree of freedom than users with desktops.
Many organizations are now looking for solutions that will allow them to remove admin rights from their user base without preventing users from performing their job roles effectively.
Avecto Privilege Guard enables organizations to roll out a standard desktop configuration, providing an effective and manageable lockdown strategy without compromising a user’s ability to perform their role. With Privilege Guard it is possible to remove admin rights from users and assign these rights dynamically to applications, tasks and scripts, based on policy settings.
For more demanding users, such as developers, an “on demand” elevation facility can be made available, providing a fully audited mechanism to run privileged applications as they require.
The principle of least privilege requires that a user should be given no more privileges than are required to perform their job function. An important aspect of implementing least privilege is to avoid letting users log on to their desktops with admin rights, but in practice this can be difficult to achieve, as a user must be granted the privileges necessary to perform all of their tasks.
The concept of least privilege has become more prevalent in recent years due to the need for many organizations to be compliant with standards such as PCI DSS, Government Connect, Sarbanes-Oxley (SOX), FDCC and HIPAA.
Avecto Privilege Guard can play a key role in implementing a least privilege environment and deploying compliant desktops. With Privilege Guard it is no longer necessary to make users members of the administrators group. If a user requires admin rights to carry out a limited set of tasks then Privilege Guard can elevate these tasks automatically based on policy settings without user intervention. The experience is seamless to the user and ensures that the user runs with standard rights, avoiding accidental or deliberate abuse of admin rights.
Gartner¹ states that “a locked and well-managed desktop PC can be 42% less expensive to keep than an unmanaged one”. Most of our customers have already implemented significant management controls and procedures, but are now looking to take systems to the next level of management. Gartner has produced a classification for corporate desktops, which is defined as follows:
The key difference between a moderately managed desktop and a locked and well-managed desktop is that users cannot install software or change critical settings. However, this locked-down state can be too restrictive in many environments and impede users from performing their day-to-day activities.
Privilege Guard provides an enterprise solution for removing admin rights and implementing least privilege on the desktop, by enabling these elevated rights to be assigned to individual applications and tasks, based on policy settings. In a locked and well managed state, Privilege Guard can enable a user with a standard user account to perform authorized configuration tasks and install authorized software, which would usually require the user to be logged on with an admin account.
Removing admin rights makes financial sense, because if you can move just one desktop from a moderately managed state to a locked and well managed state, a typical corporate can save over $1,200 per annum. Scale this saving up for hundreds or thousands of desktops and the total savings become substantial.
¹ Gartner, Desktop Total Cost of Ownership: 2008 Update, dated 24th January 2008. Michael A. Silver, Federica Troni and Mark A. Margevicius. http://www.gartner.com/it/page.jsp?id=636308
© Avecto 2010. All rights reserved