<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/en-au/blog/authors/shane-wescott/rss" /><link>https://www.ivanti.com/en-au/blog/authors/shane-wescott</link><item><guid isPermaLink="false">419a6a1d-c6d1-4d64-8ee9-ccc84bf9d17f</guid><link>https://www.ivanti.com/en-au/blog/not-another-blog-about-solarwinds-3-ways-ivanti-can-help-protect-you-1</link><atom:author><atom:name>Shane Wescott</atom:name><atom:uri>https://www.ivanti.com/en-au/blog/authors/shane-wescott</atom:uri></atom:author><category>Security</category><title>Not Another Blog about SolarWinds – 3 Ways Ivanti can Help Protect You</title><description>&lt;p&gt;The SolarWinds exploits have been widely reported, fully covered, and basically as we would say in Aussie – Done to Death Mate.&lt;/p&gt;

&lt;p&gt;But some of the info got me thinking, especially &lt;a href="http://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" rel="noopener"&gt;this article&lt;/a&gt; from my buddies at Microsoft, which gives some great background and flows for how the attacks were actually working.&lt;/p&gt;

&lt;p&gt;I’ve been working with &lt;a href="https://www.ivanti.com/en-au/products/application-control?_ga=2.146746556.968077336.1615244389-2058187278.1612880410" target="_blank"&gt;Ivanti Application Control&lt;/a&gt; – formerly AppSense Application Manager – for over 17 years. I luv it 😊&lt;/p&gt;

&lt;p&gt;I’ve installed it in hundreds and hundreds and hundreds of Customer sites and trained hundreds of people on its use.&lt;/p&gt;

&lt;p&gt;Even then, some new use cases come up, and some of its features lend themselves to protecting against new and old styles of attacks, as the world and our hackers evolve.&lt;/p&gt;


&lt;h3&gt;&lt;strong&gt;How did the Attack work, What can we do?&lt;/strong&gt;&lt;/h3&gt;

&lt;p&gt;So, let me give you my spin on what the attack style and steps mean to me, through the lens of someone who helps customers with Ivanti Application Control (AC).&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;strong&gt;Trusted Applications can still do bad stuff. &lt;/strong&gt;Yes, I know it may be hard to believe and hard to stomach, but trusted applications can be hacked. Exhibit A is of course the SolarWinds attack. We know that the process SolarWinds.BusinessLayerHost.exe downloaded a compromised dll, which then created a couple of files on the disk. After some jiggery-pokery in the registry, script files were then kicked off by dllhost.exe – a very valid system process. Rundll32.exe – another well trusted system process – was also roped in to go and run some of the dodgy files as part of the attack and cleanup.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Tracing and Hunting is great, but prevention is even better.&lt;/strong&gt; It’s great to have visibility, and capture traffic running around your network, and calls out to hacker sites, but my view has always been - I like to see security issues blocked at the source. Two philosophies in Security, fix it fast when it breaks, or stop it breaking in the first place. I am very firmly in the second camp there, let’s stop things first.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Know what your Apps should and shouldn’t be doing.&lt;/strong&gt; Do Trusted Applications really need to be executing batch files and VB or PowerShell scripts? Under what circumstances should that be allowed? A little testing and planning will give you visibility, and from there you can make some informed decisions, and take some protective steps.&lt;/li&gt;
&lt;/ol&gt;


&lt;h3&gt;&lt;strong&gt;3 Ways Ivanti Application Control Can Help&lt;/strong&gt;&lt;/h3&gt;

&lt;p&gt;Given all that info above, here’s 3 areas of Ivanti Application Control configuration that can help you protect yourself against compromised TRUSTED applications – DISCLAIMER – PLEASE TEST ANY OF THESE RULES FIRST IN AUDIT ONLY MODE IN YOUR ENVIRONMENT BEFORE DEPLOYING:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Remove SYSTEM as a Trusted Owner. Out of the box, SYSTEM is added as a Trusted Owner. Now that might seem logical, and you might even think that is a 100% no brainer requirement – not so fast Mate. I remember back when I was doing my &lt;a href="https://www.giac.org/certifications/certified-incident-handler-gcih/" target="_blank" rel="noopener"&gt;GCIH certification training&lt;/a&gt;&amp;nbsp;with SANS, and we were using Metasploit to attack a Windows Spooler service and drop a copy of netcat.exe on a server, the context of the service we were attacking was SYSTEM. Which meant, when the file hit the disk, it was owned by SYSTEM. Removing SYSTEM from the AC config would block the execution of any file copied to the disk as part of a compromised service. The Instructor was very impressed!&lt;/li&gt;
	&lt;li&gt;Add Microsoft Recommended Blocks. Now this one is mandatory for level 2 and 3 Maturity levels for the ACSC Essential 8 “Application Control”. The listed applications are ones that have security implications or are just downright dangerous. The current list can be found &lt;a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac" target="_blank" rel="noopener"&gt;here&lt;/a&gt;. One I wasn’t initially aware of was good old BGInfo.exe (prior to version 4.22), until a Customer asked me about it and I then realised it could be used to run VB scripts and bypass the built in Windows VB compiler. We found that by blocking the relevant dll’s you could stop the VBScript backdoor, but as it was on the Blocked App list, it’s safer to just block it. BGInfo version 4.22 fixed this issue so you could use that version if you really need to.&lt;/li&gt;
	&lt;li&gt;Process Rules are your Friend. Yes, one of my favourite functions in Ivanti Application Control is the ability to run Process Rules. So, with these, you would lock down the .exe with metadata, or even in some cases a signature, and then create a rule allowing that exe to either run or be blocked from calling additional components. So you could say – I trust the exe, so let it run .dll’s, BUT there is never any circumstance where it should run a .bat, .vbs, or .PS1 file so block those, and throw in blocking Powershell.exe while you’re at it. This could even be implemented across the platform as a blanket rule, and only allowed on a “Need to Run” basis.&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;Implementing the above rules will stop attacks like the SolarWinds one in its tracks.&lt;/p&gt;

&lt;p&gt;SYSTEM processes will not be able to create their own files and execute them, any dangerous system tools listed on the MS Recommended Blocks will be denied, and valuable system processes like dllhost.exe and Rundll32.exe can be locked down to stop them kicking off batch files, VB or PowerShell scripts.&lt;/p&gt;

&lt;p&gt;I’m one of those Weird People who “Eat their own Dog Food” or “Drink their own Champagne” so I have all these rules on my laptop 😊&lt;/p&gt;

&lt;p&gt;It runs fully locked down Application Control and I only ever log on as a standard user. Our Privilege Management functionality elevates the things I need to do my job at Ivanti and protects me against any credentials compromise.&lt;/p&gt;

&lt;p&gt;I hope that helps give you a bit of an insight into where Ivanti Application Control might help, and if you have any questions please feel free to reach out to me.&lt;/p&gt;

&lt;p&gt;Thanks for tuning in and to be clear, SolarWinds is not affiliated with Ivanti and does not support or endorse Ivanti, Ivanti IAC, or any other Ivanti solutions.&lt;/p&gt;</description><pubDate>Mon, 08 Mar 2021 23:08:23 Z</pubDate></item><item><guid isPermaLink="false">57a0e669-8b52-40a3-a685-2e864590eca5</guid><link>https://www.ivanti.com/en-au/blog/raising-security-posture</link><atom:author><atom:name>Shane Wescott</atom:name><atom:uri>https://www.ivanti.com/en-au/blog/authors/shane-wescott</atom:uri></atom:author><category>Endpoint Management (UEM)</category><category>Security</category><title>Raising Your Security Posture: 3 Things You Should Look at Next</title><description>&lt;p&gt;It’s been a busy year in security so far for 2020. Apart from all the other challenges we deal with, we’ve now seen how quickly security threats can pivot when an opportunity presents itself.&lt;/p&gt;

&lt;p&gt;Widely reported in April 2020 was the &lt;a href="https://www.zscaler.com/blogs/security-research/30000-percent-increase-covid-19-themed-attacks" target="_blank" rel="noopener"&gt;30,000% increase in phishing and malware attacks against Remote Workers.&lt;/a&gt; A massive increase in work from home (WFH) initiatives signals a great opportunity for threat actors to exploit these new WFH users.&lt;/p&gt;

&lt;p&gt;So where is your next target to improve your security posture? Whether it’s based around remote workers or not, where should you be concentrating your efforts?&lt;/p&gt;

&lt;p&gt;Here are three areas we highlighted during our recent &lt;a href="https://www.ivanti.com/en-au/company/events" target="_blank" rel="noopener"&gt;Ivanti Interchange Virtual World Tour&lt;/a&gt;. I hope they give you some info and ideas on where to head next in your security journey:&lt;/p&gt;

&lt;h2&gt;1. App Hardening&lt;/h2&gt;

&lt;p&gt;Block those macros. We hear it all the time. Office macros are bad; just block them all. Great security idea, but not the most practical for all businesses. Some rely on spreadsheets and documents embedded with complex macros to make complicated work and calculations simple. Take them out of the business, and the business takes two steps backwards at a time when we all need to be taking steps forwards.&lt;/p&gt;

&lt;p&gt;So how do we tread that fine line between&amp;nbsp;block ‘em all, and only allowing those that are trusted?&lt;/p&gt;

&lt;p&gt;Obviously, there are some built in mechanisms in Windows, group policy settings, digital certs etc. and the settings in the Trust Center options of Office 365 to block and allow only some macros.&lt;/p&gt;

&lt;h3&gt;How&amp;nbsp;Ivanti Can Help&lt;/h3&gt;

&lt;p&gt;Often around this discussion with customers, we talk about use of our Ivanti &lt;a href="https://www.ivanti.com/en-au/products/environment-manager" target="_blank"&gt;Environment Manager&lt;/a&gt; (EM) and &lt;a href="https://www.ivanti.com/en-au/products/application-control" target="_blank"&gt;Application Control&lt;/a&gt; (AC) products as a highly flexible solution.&lt;/p&gt;

&lt;p&gt;EM allows for granular, contextual&amp;nbsp;policy control of all macro settings rather than a “one size fits all” approach from Group Policy.&lt;/p&gt;

&lt;p&gt;Our AC product allows us to control any external files or processes called from parent processes like Winword.exe or Excel.exe or even Chrome.exe.&lt;/p&gt;

&lt;p&gt;On my laptop, I have AC configured to block all PowerShell, java, and cmd executions from my standard Office apps like Office 365, Acrobat, and Chrome. I can’t see a reason why they need to call those mechanisms, so as a security measure they’re blocked.&lt;/p&gt;

&lt;h2&gt;2. Connected Devices and Removable Media&lt;/h2&gt;

&lt;p&gt;You’re probably familiar with the ACSC Essential 8 Strategies described &lt;a href="https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents" target="_blank" rel="noopener"&gt;here&lt;/a&gt;, and hopefully you are all some distance along the way to measuring your maturity level against this &lt;a href="https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model" target="_blank" rel="noopener"&gt;model.&lt;/a&gt; But something that’s not obvious is the absolute number one priority when assessing your risk from malicious Insiders: “control removable storage media and connected devices” to mitigate data exfiltration.&lt;/p&gt;

&lt;h3&gt;What’s the best way to do that;&amp;nbsp;what’s the best solution?&lt;/h3&gt;

&lt;p&gt;Well, there are a lot of differing solutions and strategies around locking USB keys and controlling connecting devices. Your best solution revolves around your own use cases, and what you need to achieve to mitigate your organisation's specific risks. Simply blocking USB storage can even be covered by Group Policy so if that’s your only need, happy days.&lt;/p&gt;

&lt;h3&gt;How&amp;nbsp;Ivanti Can Help&lt;/h3&gt;

&lt;p&gt;We have regular conversations around Device Control and I’m always pushing for people to discuss their requirements first. Our Ivanti &lt;a href="https://www.ivanti.com/en-au/products/device-control"&gt;Device Control&lt;/a&gt; (DC) is used around the world by the most super secure organisations, all of whom have multiple, and sometimes complicated, requirements.&lt;/p&gt;

&lt;p&gt;I call it the Rolls Royce of Device Control and make sure I let customers know that during discussions. After all, there’s no point buying a new Rolls Royce&amp;nbsp;when all you really need to do is buy milk at the shop. That Corolla in your garage will probably be good enough. 😊&lt;/p&gt;

&lt;p&gt;But, if granular control of ALL devices—not just USB Storage—is important, and&amp;nbsp;if you need to enforce encryption, restrict file copies by type of file (PDF, DOCX etc.), or even look inside files for key words, and shadow copy every document printed, our DC solution has you covered.&lt;/p&gt;

&lt;p&gt;We can help you meet those extensive controls to ensure a high level of data loss prevention and compliance.&lt;/p&gt;

&lt;h2&gt;3. Automated Reporting&lt;/h2&gt;

&lt;p&gt;Part of the previously mentioned ACSC Maturity Model, and a requirement for Level 3 on patching operating systems or third-party applications, is an “automated mechanism” being used to record patches and drivers that have been deployed and installed. Not only does this record compliance, but it also simplifies updating execs in the event of a specific threat they have questions around.&lt;/p&gt;

&lt;h3&gt;How should you do that; where should you start?&lt;/h3&gt;

&lt;p&gt;Many of my friends in security worked all weekend when WannaCry struck, not patching machines, but collecting data for reports for execs. If that was you, consolidating, and automating your compliance reporting will save you manpower and overtime.&lt;/p&gt;

&lt;p&gt;Every security product will have some level of reporting built in. Most will offer some form of scheduling reports, and potentially email them automatically to important people.&lt;/p&gt;

&lt;p&gt;We typically hear consolidated reporting is a big issue. Grabbing information from multiple sources, centralizing it and monitoring compliance can be a big challenge.&lt;/p&gt;

&lt;h3&gt;How&amp;nbsp;Ivanti Can Help&lt;/h3&gt;

&lt;p&gt;I’ve loved our Ivanti &lt;a href="https://www.ivanti.com/en-au/products/xtraction" target="_blank"&gt;Xtraction&lt;/a&gt; product since the first time I saw it back in April 2016. I’ve been blown away by the value it offers to customers, and the flexibility of its centralized business value dashboards reporting from multiple data sources.&lt;/p&gt;

&lt;p&gt;It not only talks to every Ivanti &lt;a href="https://www.ivanti.com/en-au/en-au/en-au/network-security" target="_blank"&gt;Security&lt;/a&gt; product with a bunch of out-of-the-box dashboards pre-configured, but can also connect to other databases with a suitable connector like Microsoft SCCM and Active Directory. These connectors also include a bunch of OOTB ready built dashboards.&lt;/p&gt;

&lt;p&gt;Scheduling reports or dashboards for execs is very simple and easy to configure. All your compliance reports centralized and managed in one place.&lt;/p&gt;

&lt;h3&gt;What next?&lt;/h3&gt;

&lt;p&gt;So that’s it. I hope you’ve found some value from the info across these three areas and how you can look to raise your security maturity level.&lt;/p&gt;

&lt;p&gt;For more info, and to see some Live Software, you can also watch our session “ACSC Essential 8 – Prioritizing Your Next Step” on demand by registering&amp;nbsp;&lt;a href="https://www.ivanti.com/en-au/company/events" target="_blank" rel="noopener"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Please stay safe, and if you have any further questions please feel free to reach out to &lt;a href="https://www.ivanti.com/en-au/company/contacts" target="_blank"&gt;Ivanti&lt;/a&gt;.&lt;/p&gt;</description><pubDate>Tue, 15 Sep 2020 16:41:22 Z</pubDate></item><item><guid isPermaLink="false">0bc5dc37-2b09-4e84-b332-080c30fd1c9a</guid><link>https://www.ivanti.com/en-au/blog/together-citrix-and-ivanti-just-make-sense</link><atom:author><atom:name>Shane Wescott</atom:name><atom:uri>https://www.ivanti.com/en-au/blog/authors/shane-wescott</atom:uri></atom:author><category>Endpoint Management (UEM)</category><title>Together Citrix and Ivanti Just Make Sense</title><description>&lt;p&gt;&lt;a href="https://www.hassellstudio.com/studio/studio" target="_blank" rel="noopener"&gt;Hassell&lt;/a&gt;, a&amp;nbsp;multidisciplinary design practice with offices in Australia, China, Singapore, Thailand and the United Kingdom needed to solve a problem. How could&amp;nbsp;they improve the way they delivered&amp;nbsp;workspaces&amp;nbsp;to their designers, who require&amp;nbsp;powerful machines to handle the intense, 3D design tools they work with daily?&lt;/p&gt;

&lt;p&gt;With end users who were used to running powerful workstations under their desk with plenty of compute power, Hassell needed a virtualization&amp;nbsp;platform solution that could deliver a rich and responsive experience that exceeded their users’ expectations.&lt;/p&gt;

&lt;h2&gt;Ivanti Performance Manager&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/performance-manager" target="_blank" rel="noopener"&gt;Ivanti&amp;nbsp;Performance Manager, powered by AppSense&lt;/a&gt;, enabled Hassell to increase their user density without compromising the user experience.&amp;nbsp;“We’ve been able to control applications using too much CPU and memory resources so that it doesn’t impact other users,” said Johnny Chloride, Design Systems Manager at Hassell.&lt;/p&gt;

&lt;p&gt;In building an overall solution in 2014 Chloride believed Ivanti’s then AppSense DesktopNow Plus was critical to the success of their virtualization&amp;nbsp;project.&lt;/p&gt;

&lt;p&gt;&amp;nbsp;“DesktopNow Plus and AppSense were part of the overall virtualization&amp;nbsp;package. Without AppSense, Citrix didn’t really make sense”&lt;/p&gt;

&lt;p&gt;Hassell’s end users have been really excited by the benefits from the project, which includes&amp;nbsp;the ability to logon from home and access all the same applications just as they use them in the studio.&lt;/p&gt;

&lt;p&gt;“Before we’d have to use fairly elaborate file synchronization&amp;nbsp;mechanisms,” commented Chloride. “Without Ivanti we wouldn’t have been able to get the business case to do what we wanted to do. Ivanti has provided us with the ability to give our designers the high-end graphical capabilities they needed.”&lt;/p&gt;

&lt;p&gt;When analyzing the business case for the project, Hassell found the investment would pay for itself within 18 months. “We looked at a payback model when we went to the board and we looked at how quickly the investment would payback compared to the investment that they typically make on PC equipment. &amp;nbsp;The timeframe was around 18 months, so from a board point of view not only were they getting faster equipment they were getting the same user experience and it was cheaper.”&lt;/p&gt;

&lt;p&gt;If you have Citrix Virtual Apps | Desktops, VMware Horizon, Microsoft Windows Virtual Desktop or cloud delivered desktops in Azure or AWS, we are offering a &lt;a href="https://www.ivanti.com/lp/uwm/demos/performance-manager?from=blog" target="_blank" rel="noopener"&gt;30 Day Free Performance Manager trial&lt;/a&gt; on your production system to show the cost savings.&lt;/p&gt;
</description><pubDate>Tue, 14 Apr 2020 17:02:43 Z</pubDate></item><item><guid isPermaLink="false">ae5c199c-37ea-4a0b-8530-016d3a2b2330</guid><link>https://www.ivanti.com/en-au/blog/asd-acsc-maturity-model</link><atom:author><atom:name>Shane Wescott</atom:name><atom:uri>https://www.ivanti.com/en-au/blog/authors/shane-wescott</atom:uri></atom:author><category>Security</category><title>ASD/ACSC Maturity Model 2019 – Three Things You Need to Check</title><description>&lt;p&gt;The Australian Signals Directorate (ASD)/Australian Cyber Security Centre (ACSC) Top 4/Essential 8 has been around for a few years now, and at Ivanti we’ve always promoted this framework to our customers—follow the experts, do the boring basics first, and then focus on the smart, pretty, next-gen stuff.&lt;/p&gt;

&lt;p&gt;If you choose to follow the ASD/ACSC guidelines, one of the first things you need to do is a self-assessment to find out where you are right now. How does your organization measure up against the Maturity Model—are you Level 1, 2, or 3 across the controls of the Essential 8? And what steps do you need to take to go from where you are to where you want to be?&lt;/p&gt;

&lt;p&gt;Thankfully, the ASD/ACSC Maturity Model makes that easy.&lt;/p&gt;

&lt;p&gt;We are told that for most organizations, the goal should be Level 3 maturity across the board. If it takes a little while that’s fine. As long as you know where you’re heading, you can plan and make progress. Some organizations that are more secure will be required to achieve higher levels of security. In those cases, you really need to work with the ACSC directly for advice and guidance.&lt;/p&gt;

&lt;p&gt;For those of us who’ve been monitoring this maturity model, the year 2019 has been one of updates and changes. Some updates were made in February 2019, and then again in July 2019. It’s these latest changes I want to talk about, in order to give you three simple things you need to check for your self-assessment.&lt;/p&gt;

&lt;h2&gt;The Three Things to Look At for Level 3 Maturity&lt;/h2&gt;

&lt;h3&gt;1. Application Whitelisting&lt;/h3&gt;

&lt;p&gt;ALL desktops and ALL servers need to be whitelisted for executables, software libraries, scripts, and installers. Historically, this moved from being only “high-risk” workstations for Level 1 and 2, which allowed you to nominate a subset of endpoints and AD/Email/Authentication servers.&lt;/p&gt;

&lt;p&gt;Now it’s a simple blanket: ALL workstations and servers. So, if you’ve employed the previous measures to reach Level 2 or 3 for example, you need to go back and plan how you’re going to move that along in order to meet the new requirements. If you need help with this, reach out. We’ve helped all sizes of organizations tick that whitelisting box with minimal fuss—and most importantly—minimal ongoing maintenance.&lt;/p&gt;

&lt;h3&gt;2. Microsoft Recommended Blocks&lt;/h3&gt;

&lt;p&gt;Microsoft released a new Application Whitelisting recommendation earlier this year. Essentially this is a list of Microsoft applications a threat actor could use to bypass application whitelisting. For Level 3 maturity, you must include these in your whitelisting for all workstations and servers.&lt;/p&gt;

&lt;p&gt;Thankfully, this is easy for our Ivanti Application Control customers to add. We have a config snippet people can just import to block these recommended apps.&lt;/p&gt;

&lt;h3&gt;3. Patching&lt;/h3&gt;

&lt;p&gt;Organizations require an automated mechanism to confirm and record deployment of updates and patches. So, as a new requirement for organizations to be considered Level 3 mature, you MUST include automation in your patching solution. What would be ideal is an automated patching solution that records and reports on patch success/failures, and that gives you a live position on your organization’s patch status.&lt;/p&gt;

&lt;p&gt;This is exactly what &lt;a href="https://www.ivanti.com/products/security-controls" target="_blank" rel="noopener"&gt;Ivanti Security Controls&lt;/a&gt; will give you.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;So, in summary, if you’re following the ASD/ACSC Maturity Model:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;It’s a good time to reassess where you are.&lt;/li&gt;
	&lt;li value="2"&gt;Plan out what your next move must be to stay compliant.&lt;/li&gt;
	&lt;li value="3"&gt;Talk to Ivanti if you need assistance. We’ve been doing this successfully for a long time.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Hit me up at &lt;a href="mailto:shane.wescott@ivanti.com" target="_blank" rel="noopener"&gt;shane.wescott@ivanti.com&lt;/a&gt;&amp;nbsp;if there is anything else I can do to add value.&lt;/p&gt;</description><pubDate>Wed, 16 Oct 2019 09:32:04 Z</pubDate></item><item><guid isPermaLink="false">61e74ed2-d2c6-400e-8d09-e16e271a1cef</guid><link>https://www.ivanti.com/en-au/blog/would-you-like-fries-with-that-three-questions-to-ask-about-built-in-features</link><atom:author><atom:name>Shane Wescott</atom:name><atom:uri>https://www.ivanti.com/en-au/blog/authors/shane-wescott</atom:uri></atom:author><category>Endpoint Management (UEM)</category><title>Would You Like Fries With That? Three Questions to Ask About Built-In Features</title><description>&lt;p&gt;I’ve been around the IT world for a long time (over 32 years) and things are constantly changing.&lt;/p&gt;

&lt;p&gt;One question that never seems to change in our world of “Value Add” is, “How do you compare to the built-in feature X”.&lt;/p&gt;

&lt;p&gt;For nearly 15 years I’ve worked for &lt;a href="https://www.ivanti.com/en-gb/company/history/appsense" target="_blank" rel="noopener"&gt;AppSense&lt;/a&gt;, and now &lt;a href="https://www.ivanti.com/" target="_blank" rel="noopener"&gt;Ivanti&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Those businesses were, and still are, built on the principle of Adding Value, to improve the User Experience.&lt;/p&gt;

&lt;p&gt;It’s like that fast food restaurant that always asks, “Would you like fries with that?” Two possible responses here:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;No thank you. There is enough salt and fat in my triple decker burger I’ve already ordered to have the desired effect on my arteries, or&lt;/li&gt;
	&lt;li value="2"&gt;Yes, I would like fries with that. It makes it feel like a more balanced meal and I can then kid myself that I’ve had some Veggies today and feel better about my dietary choices.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you get the analogy, Option 2 is all about the User Experience, Option 1 is all about – I know what I’m doing, what I have is good enough.&lt;/p&gt;

&lt;p&gt;The built-in features in the Operating System (think Windows, iOS, Android etc.) come with a range of features and functions. Some are great, some are o.k.&lt;/p&gt;

&lt;p&gt;If the built in O/S for our Mobile devices was fantastic, there’d be no need for any apps.&lt;/p&gt;

&lt;p&gt;Just the same as if the off the showroom car was fantastic, it wouldn’t need options and there wouldn’t be any need for aftermarket players selling bull bars and 20-inch rims.&lt;/p&gt;

&lt;p&gt;But we are all DIFFERENT, and our use cases are all DIFFERENT.&lt;/p&gt;

&lt;p&gt;So, when customers say to me – “How does this compare to the FREE feature I already have?” I ask them if they’ve listed out and tested their use cases.&lt;/p&gt;

&lt;p&gt;The reason being, the built-in feature will work well for certain use cases, for certain customers.&lt;/p&gt;

&lt;p&gt;For Example, the Windows world has had NT Backup built into Windows from &lt;a href="https://www.techtarget.com/searchwindowsserver/tips" target="_blank" rel="noopener"&gt;day one&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Will it back up data – Yes – will it be an effective &lt;a href="https://www.ivanti.com/en-au/en-au/en-au/network-security" target="_blank"&gt;backup solution&lt;/a&gt; for an Enterprise – No. And that’s exactly why most customers purchase a specific, dedicated, backup solution for their organisation.&lt;/p&gt;

&lt;p&gt;Everyone understands that.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Three important questions to ask when assessing built-in features: &lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;strong&gt;What is the management overhead of using the built-in functionality?&lt;/strong&gt; Typically, this one gets missed. Yes, the built in may be FREE, and may do what you think you want, but if it takes one FTE (Full Time Employee) dedicated to managing it, there’s a cost involved. I’ve been to sites where Teams looked after built in security features – difficult to propose an alternative when it’s obviously going to put people out of work.&lt;/li&gt;
	&lt;li value="2"&gt;&lt;strong&gt;What User Experience are we after?&lt;/strong&gt; Do you want the users to be able to roam different platforms and have the same experience for all their app settings etc? Do you want them to have the ability to decide, give a reason, and temporarily bypass some security restrictions? Are you o.k. if one user running a big Excel calculation, impacts every other user connected to the same Terminal Server etc? All important questions, all of which must be balanced between the value of User Experience, and the cost of the solution.&lt;/li&gt;
	&lt;li value="3"&gt;&lt;strong&gt;What are others like us doing?&lt;/strong&gt; If you’re a 10,000-seat organisation, and everyone your size is using a value add solution, maybe there’s a reason for that. Are others just ticking a box to keep the auditors at bay, or are they using the auditor’s report as an opportunity to drive real change. Do your research. Ask around. Maybe the Vendor can point you at a similar customer who’s &lt;strong&gt;implemented &lt;/strong&gt;their solution and seen the value first hand.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;So, there’s some questions for you.&lt;/p&gt;

&lt;p&gt;I hope you find them useful when you sit down to assess the value of various built-in features and functions.&lt;/p&gt;

&lt;p&gt;And just remember, when it comes down to that age-old question – “Would you like fries with that?”, it’s all about the User Experience, it’s not about the calories 😊&lt;/p&gt;

&lt;p&gt;My name’s Shane Wescott, Tech Evangelist at Ivanti, and I’m here to help.&lt;/p&gt;

&lt;p&gt;Hit me up on &lt;a href="mailto:shane.wescott@ivanti.com" target="_blank" rel="noopener"&gt;shane.wescott@ivanti.com&lt;/a&gt; if there is anything else I can do to add value to you.&lt;/p&gt;</description><pubDate>Thu, 25 Oct 2018 19:31:47 Z</pubDate></item><item><guid isPermaLink="false">b03b7fcd-a7dc-4b3e-bf07-d8ab4b18ccfa</guid><link>https://www.ivanti.com/en-au/blog/spectre-and-meltdown-3-things-you-can-do-to-speed-back-up</link><atom:author><atom:name>Shane Wescott</atom:name><atom:uri>https://www.ivanti.com/en-au/blog/authors/shane-wescott</atom:uri></atom:author><category>Security</category><title>Spectre and Meltdown: 3 Things You Can Do to Speed Back Up</title><description>&lt;p&gt;I’m sure we’ve all seen the articles around &lt;a href="https://isc.sans.edu/diary/Meltdown+and+Spectre+clearing+up+the+confusion/23197" target="_blank" rel="noopener"&gt;Spectre and Meltdown&lt;/a&gt; this year: fixes aplenty, and in some cases side effects of slower performance and more resource usage. These slowdowns make sense of course, because the attacks take advantage of the speculative execution feature in processors that makes their fastest performance possible. There’s a ton written out there about this feature, but essentially it enables processors to try to predict what you’re going to have them do next, instead of waiting for the instructions to arrive. There is no pipeline stall or delay in execution, so performance is faster. But take away the processor’s predictive ability and code is more secure (for reasons we’ve linked to above) but slower.&lt;/p&gt;

&lt;p&gt;What if there were ways to mitigate the after effects of fixing these vulnerabilities? Ways to help with the &lt;a href="https://www.pcworld.com/article/407951/how-to-test-how-much-spectre-and-meltdown-hurt-your-pcs-performance.html" target="_blank" rel="noopener"&gt;slowdowns&lt;/a&gt; customers tell me they are seeing after applying patches and microcode updates?&lt;/p&gt;

&lt;p&gt;There are.&lt;/p&gt;

&lt;p&gt;To give you some background on how I’ve come prepared to speed up your IT environment, for the last 14 years or so I’ve been working with Asia Pacific (APAC) clients in the end-user computing space to make sure they get the best user performance they can from their Windows technology. I’ve helped them manage CPU and memory resources with &lt;a href="https://www.ivanti.com/en-au/products/performance-manager" target="_blank"&gt;Ivanti Performance Manager powered by AppSense.&lt;/a&gt; Since 2002 this has been the leading solution for shared resource management on Citrix, Terminal Server, and virtual desktop infrastructure (VDI) platforms. I’m proud to say I love this product, and I’ve installed it at at least 500 customer sites with remarkable success.&lt;/p&gt;

&lt;p&gt;I’ve also specialised in security, helping organisations implement the &lt;a href="https://www.asd.gov.au/publications/protect/essential-eight-explained.htm" target="_blank" rel="noopener"&gt;ASD Essential 8 security framework&lt;/a&gt; using the most widely deployed whitelisting and privilege management solution, &lt;a href="https://www.ivanti.com/en-au/products/application-control" target="_blank"&gt;Ivanti Application Control powered by AppSense&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So, now back to business. Let’s look at what we can do today to claw back some of that performance for our users. I recommend you take this approach:&lt;/p&gt;

&lt;h2&gt;1. Discover&lt;/h2&gt;

&lt;p&gt;Find out where things stand in your environment. Talk to your hardware vendors. See what they say about the servers and workstations you are running and how vulnerable they are. In addition, Microsoft offers guidance &lt;a href="https://support.microsoft.com/en-au/topic/kb4073119-windows-client-guidance-for-it-pros-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-35820a8a-ae13-1299-88cc-357f104f5b11" target="_blank" rel="noopener"&gt;here&lt;/a&gt; on how to use PowerShell to check your current state.&lt;/p&gt;

&lt;h2&gt;2. Gain Insight&lt;/h2&gt;

&lt;p&gt;Consolidate what you’ve found across your organisation. I’m not sure how you are collecting inventory or patch state information today, but it’s critical to dig into the data.&lt;/p&gt;

&lt;p&gt;If you just throw your arms up, come and talk to us. We can help with &lt;a href="https://www.ivanti.com/en-au/products/it-asset-management" target="_blank"&gt;IT asset management&lt;/a&gt;, &lt;a href="https://www.ivanti.com/en-au/products/security-controls" target="_blank"&gt;patching&lt;/a&gt;, and &lt;a href="https://www.ivanti.com/en-au/products/xtraction" target="_blank"&gt;dashboarding&lt;/a&gt; solutions.&lt;/p&gt;

&lt;h2&gt;3. Take Action&lt;/h2&gt;

&lt;p&gt;Install &lt;a href="https://www.ivanti.com/en-au/products/performance-manager" target="_blank"&gt;Ivanti Performance Manager&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This last might seem quite radical, but yes you can install a product made famous in the Citrix and Terminal Server world on a PC or server. Windows is Windows. The challenges you face when you are using multi-user shared Windows sessions are still there on a single-user version of Windows. Here’s why:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;The Windows Scheduler is the same.&lt;/strong&gt; Yes, there is no difference in the &lt;a href="https://www.tutorialspoint.com/operating_system/os_process_scheduling.htm" target="_blank" rel="noopener"&gt;Windows Scheduler&lt;/a&gt;, that piece of code that decides who is the next to get some CPU time. Scheduler issues on PCs slow response time and cause hangs when users switch between applications.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;CPU can still lock up at 100%.&lt;/strong&gt; You know that time when the AV agent goes rogue, just as your review scan of your 50-page work document kicks off—that spinning cursor that really just says, “Please hold, your call is important to me”? That’s a CPU lockup.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Memory leaks or hangs.&lt;/strong&gt; Sometimes, applications just grab memory, and sometimes they keep grabbing more. A bug called a &lt;a href="https://pc.net/glossary/definition/memoryleak" target="_blank" rel="noopener"&gt;“memory leak”&lt;/a&gt; can cause this, but in other cases it’s just the way the app works. The challenge is that the app, which now needs to manage all that memory, can get itself in a knot and hang.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/en-au/products/performance-manager" target="_blank"&gt;Performance Manager&lt;/a&gt; provides granular control over the Scheduler by actively managing the base priority of all threads and processes. Our patented &lt;a href="https://help.ivanti.com/ap/help/en_US/pm/EOL/default.htm" target="_blank" rel="noopener"&gt;Thread Throttling&lt;/a&gt; technology actively monitors CPU usage to make sure the CPU never hangs at 100%. If a rogue process does take the CPU to 100%, we can peg it back just a little, so Windows keeps running and all the processes get their fair share of resources. And for the physical memory issue, we can request a &lt;a href="https://learn.microsoft.com/en-us/windows/win32/psapi/working-set-information" target="_blank" rel="noopener"&gt;working set&lt;/a&gt; trim for applications, based on a range of triggers (Foreground, Background, Idle, Locked Desktop, etc.). This reduces physical memory usage and puts more free memory back in the pool for other applications.&lt;/p&gt;</description><pubDate>Tue, 05 Jun 2018 20:53:54 Z</pubDate></item></channel></rss>