In the previous blogs, I wrote about security and security basics. If you are interested in those blogs, you can find them here: Part 1 and Part 2. This blog will show you how a User Environment Management solution can assist with this. As written before, no single solution will solve your security concerns. Solutions help you mitigate risks but will never provide full security. In the battle against criminals attacking your workspace, every solution that assists is welcome.
User Environment Management to the rescue
Of course, the title is bragging a little, but a UEM solution can help a lot; let me show you. First a little explanation for those unfamiliar with UEM solutions. With a UEM solution, everything you do is done in the context of the user or desktop you are deploying to. The context of a user is who he is, where he is, what device he is on, and so on. Depending on these differences you can apply different settings. Let me explain this a bit deeper, as I think it is the core of UEM.
The context of a user, as said before, says a lot about the user (and his or her physical device). A little example will make UEM easier to understand.
A user starts working from home because traffic is a mess. The home location is secure enough to allow the user access to all applications. The user connects to a virtual desktop or a virtual application and works until traffic is easier. You allow them to work with a USB data disk from a secure location. The user works on a company device, so there is no concern there.
Once traffic is acceptable, the user drives to the office. On the way there he or she stops at a Burger King to get a coffee and a snack. While there, he or she connects to the workspace to continue working. As the Burger King is not a secure environment, you don't allow access to financial applications or to USB data disks.
After the coffee and snack, it is time for the office. The office is a secure location, and while he or she is using the company device all applications are allowed, even USB data disks. Had the user been working on a personal device, his or her access to applications could have been different.
Context and UEM allow you to differentiate between scenarios and set a security policy accordingly. Together with logging and monitoring of what is set, you can create a pretty cool security framework for the workspace. Combine this with machine-learning ransomware detection, network segmentation and smart firewalls, and your IT life is pretty cool.
So enough talk, let's show how you set this up in UEM. As mentioned before, I used VMware User Environment Management for this. VMware acquired Immidio a while back and has been working hard to integrate it.
Application blocking / whitelisting
As I mentioned on stage and in my previous blogs, application whitelisting is the most effective way of stopping crap dead in its tracks. Whitelisting alone is not the solution, but it is very powerful and a must-have. To show how to configure application whitelisting and blocking I will use VMware UEM, one of the UEM solutions on the market. There are others; the functionality shown will also work in other tooling.
When you create an application block you have the option to block or to allow. Whitelisting is far more powerful than blocking and a lot less work to maintain. In the screenshot above you see that you can allow access to applications based on three options: path-based, publisher-based and hash-based.
The easiest configuration is path-based, which is exactly what it says: you configure application access based on the path of the application. This is effective but not the safest way to configure access. If someone is able to copy a file with the same name to that location, your security is breached. To avoid that you need publisher-based.
Publisher-based is a far safer way to protect files. You grant access based on the publisher information (the signature) of an executable.
The screenshot above shows a publisher-based Chrome configuration. Only if someone is able to place a file in that location carrying Google's publisher data is your security breached. This is the safest and most workable way in my opinion. There is a safer way to configure access, but it comes at a cost. It is called hash-based.
The most secure way of configuring is hash-based. Hash-based comes at a cost: the hash needs to be calculated, and each time the file is accessed the hash is checked. If the file accesses another file that has a hash, that is checked as well. All this checking costs time.
The screenshot above shows the hash-based Chrome configuration; I checked the box to make it path-specific as well.
This is basic application whitelisting and application blocking. There is more to it, but you can see how powerful this is when configured correctly.
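To make the difference between the three rule types concrete, here is a small simulation I added for this post; it is not VMware UEM code or its API. The "executables" are constructed in-memory records (path, signer name, bytes) and the file path, the publisher string "Google LLC" and the file contents are placeholders. It evaluates a path-based, a publisher-based and a path-specific hash-based rule against the genuine binary, the same-name impostor from the text, and an updated genuine binary, which shows the maintenance cost of hash rules.

```python
"""Simulation of path-, publisher- and hash-based application allow-listing.

Added example, not VMware UEM code: rules and 'executables' are constructed
in-memory stand-ins so the evaluation logic runs anywhere.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    """Stand-in for a file on disk: location, signer (None if unsigned) and bytes."""
    path: str
    publisher: Optional[str]
    content: bytes


@dataclass(frozen=True)
class Rule:
    kind: str                   # "path", "publisher" or "hash"
    value: str                  # directory prefix, publisher name or hex SHA-256
    path: Optional[str] = None  # hash rules only: pin the location ("path specific")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, exe: Executable) -> bool:
    """Decide whether one allow rule covers the executable being launched."""
    if rule.kind == "path":
        # Weakest check: anything placed under the allowed directory passes.
        return exe.path.lower().startswith(rule.value.lower())
    if rule.kind == "publisher":
        # Signer identity must match; an unsigned or re-signed copy fails.
        return exe.publisher is not None and exe.publisher == rule.value
    if rule.kind == "hash":
        # Exact content match, optionally pinned to a location as well.
        if rule.path is not None and exe.path.lower() != rule.path.lower():
            return False
        return sha256_hex(exe.content) == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def is_allowed(rules: List[Rule], exe: Executable) -> bool:
    """Allow-list semantics: a launch is permitted only if some rule matches."""
    return any(rule_matches(r, exe) for r in rules)


# Constructed sample data (placeholders, not real file contents).
CHROME_PATH = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
GENUINE = Executable(CHROME_PATH, "Google LLC", b"genuine chrome bytes (constructed)")
# The scenario from the text: a different binary copied to the same name and location.
IMPOSTOR = Executable(CHROME_PATH, None, b"something else entirely (constructed)")
# A legitimate update: same signer, different bytes.
UPDATED = Executable(CHROME_PATH, "Google LLC", b"genuine chrome after update (constructed)")

POLICIES: Dict[str, List[Rule]] = {
    "path": [Rule("path", r"C:\Program Files\Google\Chrome\Application")],
    "publisher": [Rule("publisher", "Google LLC")],
    "hash": [Rule("hash", sha256_hex(GENUINE.content), path=CHROME_PATH)],
}


def compare_policies() -> Dict[str, Tuple[bool, bool, bool]]:
    """For each policy: (genuine allowed, impostor allowed, updated allowed)."""
    return {
        name: (is_allowed(rules, GENUINE), is_allowed(rules, IMPOSTOR), is_allowed(rules, UPDATED))
        for name, rules in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (genuine_ok, impostor_ok, updated_ok) in compare_policies().items():
        print(f"{name:9s} genuine={genuine_ok} impostor={impostor_ok} updated={updated_ok}")
```

Only the path rule lets the impostor through, which is the breach the text describes; the publisher rule blocks it and still accepts the update, while the hash rule blocks both until someone recalculates the hash, which is the cost the text refers to.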
Add some context to this and you are creating a framework of security. You just configured Chrome with hash-based or publisher-based access. To make it more secure you want to add some extra layers of security.
You can configure conditions (called differently in other UEM products) so that, for example, Chrome can only be started if the device has a battery, or only on Mondays. The most used option is to create a set of IP ranges to differentiate between functionality. IP ranges are also handy for connecting printers: just-in-time printers depending on your current location. Sounds good, doesn't it? Not something you can do with a GPO.
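The conditions described above, as an added example that is not VMware UEM code: the session contexts, the corporate IP ranges, the condition names and the printer share names are all constructed for the story (office, coffee shop, home). It evaluates the financial-application policy by IP range and device type, the toy battery and Monday conditions for Chrome, and a just-in-time printer mapping by location.

```python
"""Context conditions for a UEM-style policy: IP ranges, weekday, battery, device type.

Added example, not VMware UEM code. Session contexts and network ranges are
constructed; in a deployment they would be read from the client and the endpoint.
"""
import ipaddress
from datetime import date
from typing import Dict, List, Optional

# Constructed corporate ranges; the coffee-shop hotspot in the story is outside them.
OFFICE_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.21.0.0/16")]
HOME_VPN_NET = ipaddress.ip_network("10.99.0.0/16")

# Constructed session contexts for the three locations in the story.
OFFICE_SESSION = {"client_ip": "10.20.5.17", "has_battery": False, "company_device": True}
CAFE_SESSION = {"client_ip": "192.168.43.12", "has_battery": True, "company_device": True}
HOME_SESSION = {"client_ip": "10.99.3.4", "has_battery": True, "company_device": True}


def ip_in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def condition_met(cond: Dict, ctx: Dict, today: date) -> bool:
    """Evaluate one condition against the session context (condition names are constructed)."""
    kind = cond["type"]
    if kind == "ip_range":
        return ip_in_ranges(ctx["client_ip"], cond["ranges"])
    if kind == "weekday":
        return today.weekday() in cond["days"]  # 0 = Monday ... 6 = Sunday
    if kind == "battery":
        return ctx["has_battery"] == cond["present"]
    if kind == "company_device":
        return ctx["company_device"] == cond["value"]
    raise ValueError(f"unknown condition type {kind!r}")


def allowed(conditions: List[Dict], ctx: Dict, today: date) -> bool:
    """A setting applies only when every condition attached to it holds (AND semantics)."""
    return all(condition_met(c, ctx, today) for c in conditions)


# Story policy: financial applications only from office or home-VPN ranges on a company device.
FINANCE_CONDITIONS = [
    {"type": "ip_range", "ranges": OFFICE_NETS + [HOME_VPN_NET]},
    {"type": "company_device", "value": True},
]
# The text's toy examples: Chrome only on Mondays, and only on a device with a battery.
CHROME_CONDITIONS = [{"type": "weekday", "days": {0}}, {"type": "battery", "present": True}]

# Just-in-time printer mapping by location; first matching range wins (constructed names).
PRINTERS = [(OFFICE_NETS[0], r"\\printsrv\floor1"), (OFFICE_NETS[1], r"\\printsrv\floor2")]


def printer_for(ctx: Dict) -> Optional[str]:
    """Return the printer to connect for this client location, or None outside the office."""
    addr = ipaddress.ip_address(ctx["client_ip"])
    for net, name in PRINTERS:
        if addr in net:
            return name
    return None


if __name__ == "__main__":
    monday = date(2018, 1, 1)  # 1 January 2018 was a Monday
    for name, ctx in [("office", OFFICE_SESSION), ("cafe", CAFE_SESSION), ("home", HOME_SESSION)]:
        print(f"{name:6s} finance={allowed(FINANCE_CONDITIONS, ctx, monday)} "
              f"chrome={allowed(CHROME_CONDITIONS, ctx, monday)} printer={printer_for(ctx)}")
```

The conditions are evaluated with AND semantics, so the coffee-shop session fails the financial policy on the IP range alone even though it is a company device; that is the behaviour the story relies on.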
So you saw how powerful application whitelisting is, but there is more. Think of your desktop as an archery target: each ring closer to the centre means more control over the desktop. We want the bad guys to stay out, or at least on the outer rings. The centre is when they acquire system rights. When users are given admin rights by default and they download some crap, system is what the attackers get instantly.
So what if we can prevent users from being admin all the time? What if we can make sure they are only admin when they need to be? That sounds like a good plan, doesn't it? I'm sure some will say they should never be admin, and you're right, they shouldn't be. The reality is that some functionality might require admin rights, so better be prepared.
In the screenshot above you see the option to configure privilege elevation, or administrative rights. I'm sure you also notice the similarity with the functionality shown before. Again we have hash-, publisher- and path-based; no need to explain them again, they work the same as in the other configuration. The new one here is the path-based user-installed application option.
This option comes into play when you want to enable administrative rights for applications users installed themselves. If you somehow allow users to install their own applications, you might want to grant them administrative rights to those. Of course, you can't work with hash-based or publisher-based here, because the application is unknown at that moment.
One more thing to notice is that you can also enable privilege elevation for child processes. If you look at the screenshot again you will see the second tab there as well; here too you can configure conditions to create a better framework.
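The child-process option deserves a closer look, so here is an added simulation of how that setting propagates elevation through a process tree; it is not VMware UEM code, and the process records, the installer path and the rule matching (by image path only, to keep the focus on propagation) are constructed stand-ins.

```python
"""How an 'also elevate child processes' option propagates admin rights.

Added example, not VMware UEM code. Process records and rule matching (by image
path only) are constructed stand-ins for the real mechanism.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Process:
    pid: int
    image: str             # full path of the executable
    parent: Optional[int]  # pid of the creating process, None for the root


@dataclass(frozen=True)
class ElevationRule:
    image: str
    elevate_children: bool = False


def elevated_processes(rules: List[ElevationRule], processes: List[Process]) -> Dict[int, ElevationRule]:
    """Map each elevated pid to the rule responsible for its elevation.

    A process is elevated if a rule names its image, or if its parent was elevated
    under a rule with elevate_children set; that rule is carried down the tree.
    """
    elevated: Dict[int, ElevationRule] = {}
    # Walk in creation order (ascending pid in the sample) so parents are decided first.
    for p in sorted(processes, key=lambda x: x.pid):
        rule = next((r for r in rules if r.image.lower() == p.image.lower()), None)
        if rule is not None:
            elevated[p.pid] = rule
            continue
        parent_rule = elevated.get(p.parent) if p.parent is not None else None
        if parent_rule is not None and parent_rule.elevate_children:
            elevated[p.pid] = parent_rule
    return elevated


# Constructed process tree: an approved installer spawns msiexec, which opens a shell,
# which runs PowerShell. An unrelated browser process is included as a control.
INSTALLER = r"C:\Deploy\approved-setup.exe"  # placeholder path
TREE = [
    Process(1, r"C:\Windows\explorer.exe", None),
    Process(50, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 1),
    Process(100, INSTALLER, 1),
    Process(101, r"C:\Windows\System32\msiexec.exe", 100),
    Process(102, r"C:\Windows\System32\cmd.exe", 101),
    Process(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 102),
]


def elevated_pids(elevate_children: bool) -> List[int]:
    """Which pids in TREE run elevated under a single rule for the installer."""
    rules = [ElevationRule(INSTALLER, elevate_children=elevate_children)]
    return sorted(elevated_processes(rules, TREE))


if __name__ == "__main__":
    print("children not elevated:", elevated_pids(False))
    print("children elevated:    ", elevated_pids(True))
```

With the option off, only the installer itself is elevated; with it on, every descendant inherits the rights, including the command shell and PowerShell that happen to be launched from it. That is why this option is best paired with a narrow rule (publisher- or hash-based) and conditions, rather than a broad path rule.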
There is one more thing I want to show you. This is a setting only available in VMware UEM because they can interact with their virtual offering. It’s called smart policies.
If we take a look at smart policies, you see that you can enable a number of settings. A few are interesting, like HTML Access file transfer, which is important as you don't want files to traverse from the client to the desktop (my opinion). One thing that VMware is not offering as well as I think they could is USB filtering. With VMware you can enable or disable USB redirection, but not block specific USB devices or vendors.
So let's assume that you allow USB redirection at this level; there is always the conditions tab where you can configure more granular access. Let me show you something you could do.
If you select Horizon Client Property in the conditions you have a few default selections: is the client inside or outside when connecting, what is the pool name, and is there a launch tag. What it doesn't show are the hidden options. Anything available in the volatile client environment can be entered here and used to create conditions. With that, you can create something awesome.
I hope these few examples gave you a better understanding of what UEM can do for securing your workspace. On its own it is not a solution; together with the other solutions you implement, you create a security framework. Have a good 2018, this is the last blog from me this year.