Using AppSense to Secure a Server Estate, With Role-Based Access (Pt. 1 of 3)
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
AppSense Application Manager (AM) and AppSense Environment Manager (EM) are widely used for server hardening, security, user profile management and server configuration in a Terminal Services environment.
Surely the idea of using both for a role-based access solution is an extension of this proven background? The good news is, it is!
The constructs of AM and EM both lend themselves very well to a server role-based access solution. They make the process of removing administrative rights, and then elevating a user to have the required administrative rights to specific consoles, applications, services and commands, very straightforward.
A common example is the Internet Information Services Console (IIS), which requires that the user is an administrator on the server on which they are launching IIS. This means a user has full rights on the server just for the purposes of running the IIS console. Many other consoles also require that the user be an administrator on the server.
IT managers must hate the above scenario, especially if the server is multi-purpose (e.g. SQL and IIS), because they are effectively giving people the ability to restart the server, install/uninstall software, stop services, etc. In a controlled environment, where changes may require ITIL change control, it makes a mockery of the change control process and best security practice. There may also be a regulatory code of conduct or governing body that stipulates that control of access on servers needs to be in place. Security compliance of this type is commonplace for public sector and financial organizations.
AppSense Application Manager is the key to compliance for these and other scenarios. In this post, an associated guide, and instructional videos, I’ll show you how you can:
- Take control of the users logging on as administrators to your IT server estate.
- Log a user on as a non-admin to a server and elevate them as an administrator to the consoles, applications, services, and commands they require for their role.
- Benefit from the security enhancements Application Manager has to offer, including trusted ownership file checking.
- Achieve a kiosk-style lockdown mode for users within role-based groups using Environment Manager, and apply further user session lockdown to a role using Environment Manager.
Taking control of who is logging onto your infrastructure servers as an Administrator using Group Policy.
When enhancing security related to IT administrative tasks, you can easily incorporate fundamental security principles using Application Manager and its Built-in Elevate function.
The only users that should be logging onto a server interactively as an administrator are IT System administrators (period). System administrators are in a position of trust and should operate within a change management ITIL framework. That is, if changes are made to a server they are performed within a designated planned maintenance window, under the approval of a change board. Nobody else should be an administrator. Bob, who needs to check the SQL backups on the SQL server, does not need to be an admin on the server to do this.
Service accounts requiring administrative privileges also need to be members of the administrators group, but need to be prevented from logging on interactively. As an example, as the SCCM Administrator for an estate I am very likely to know the password of the SCCM ‘client push account’. This account has to be a member of the local administrators group, so I need to prevent it from being used to log on interactively, using the policy to ‘not grant this account the right to log on locally’.
Finally, to allow the non-admins the ability to log on interactively to the server, we configure the remote desktop users group for the server using group policy.
For an in-depth explanation of how you can do this on your server estate, check this blog tomorrow for a link to download the Server Lockdown Guide. We’ll also provide video demos in the next couple of days—Video One will demonstrate using the Built-in Elevate function. Again, check this blog for a link to view the videos.
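The three rules above (who may be an administrator, service accounts denied interactive logon, role users admitted through the Remote Desktop Users group) can be audited on a server with PowerShell. This is an added example, not taken from AppSense or the Server Lockdown Guide; the account names are hypothetical, and the check on the Remote Desktop deny right goes beyond the "log on locally" policy the post names.

```powershell
# Added example: audit one server against the three rules described above.
# Run elevated on the server. Account names are hypothetical placeholders.
$AllowedAdmins   = @('CONTOSO\Server-SysAdmins')   # hypothetical sysadmin group
$ServiceAccounts = @('CONTOSO\svc-sccm-push')      # hypothetical service account

function Get-Sid([string]$Account) {
    # Translate DOMAIN\name into a SID string
    $nt = [System.Security.Principal.NTAccount]$Account
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRight([string]$Right) {
    # Export the current User Rights Assignment; return the SIDs that hold $Right
    $cfg = Join-Path $env:TEMP "rights-$PID.inf"
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $cfg -Force
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $v = $entry.Trim()
        if ($v.StartsWith('*')) { $v.Substring(1) } else { Get-Sid $v }
    }
}

$findings    = @()
$allowedSids = @($AllowedAdmins + $ServiceAccounts | ForEach-Object { Get-Sid $_ })
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')   # BUILTIN\Administrators
$rdp    = @(Get-LocalGroupMember -SID 'S-1-5-32-555')   # BUILTIN\Remote Desktop Users

# Rule 1: only system administrators and service accounts are administrators.
# Direct members only; add any break-glass account to $AllowedAdmins.
foreach ($m in $admins) {
    if ($m.SID.Value -notin $allowedSids) { $findings += "Unexpected administrator: $($m.Name)" }
}

# Rule 2: service accounts cannot log on interactively. The second right
# ("Deny log on through Remote Desktop Services") is an addition to the post.
# Only the account's own SID is matched, not a deny applied through a group.
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $denied = @(Get-UserRight $right)
    foreach ($svc in $ServiceAccounts) {
        if ((Get-Sid $svc) -notin $denied) { $findings += "$svc is not listed in $right" }
    }
}

# Rule 3: role users admitted through Remote Desktop Users are not also administrators.
foreach ($m in $rdp) {
    if ($m.SID.Value -in $admins.SID.Value) { $findings += "$($m.Name) is in both groups" }
}

if ($findings) { $findings } else { 'No findings' }
```

Group membership is read one level deep, so a user who reaches Administrators through a nested domain group is not reported by rule 3.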
Secure using Application Manager and elevating access to the Consoles, Applications and Commands required.
With the Application Manager agent on the server we can reap the benefits of having a secure configuration. The users will be governed by an Application Manager restriction rule that will stop unauthorized execution of files. Users will not be considered Trusted Owners and will be prevented from executing unauthorized files. We can then use the Application Manager configuration to elevate the user, providing administrative privileges to consoles/applications, and only the consoles/applications for their job role.
As the users are now logging on as standard users we also get all the natural benefits from the security of being a standard user. Being a non-admin user prevents the running of administrative command prompts, running consoles that require admin privileges, and removing/installing software. Essentially the user cannot make changes that require User Account Control (UAC) privileges. You are now leveraging Microsoft security controls rather than trying to defeat them.
In Video Two, which will be available later this week, I go in-depth explaining and showing how this can be set up for various job roles, including storage, web and network admins.
Using Environment Manager to further secure the device into Kiosk mode
Environment Manager is the final piece of the puzzle for really tightening security. I can use conditions and actions to allow a user to log on to a server as a non-admin and only get presented with the IIS console, so that user does not get the desktop experience and if he closes IIS it gets relaunched. Additionally, that user can’t gain access to Windows Explorer but can perform tasks like importing certificates from the file system. If you watch Video Two, which will be available later this week, I explain the entire Environment Manager configuration and the lockdown.