Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


Case Studies

Limit Workstation Rights — The Need for Privilege Elevation

by Sean M. Power of Lathrop & Gage LLP

Three years ago, Lathrop & Gage LLP sought to address the challenge of removing administrative rights on workstations. As most know, allowing administrative rights on workstations marks the path to perdition as users install unapproved software and malware takes hold. Referring to "the image" eventually holds little real meaning as individual workstations increasingly deviate from the baseline, further complicating troubleshooting and maintenance.

In order to achieve the goal of limiting user permissions, we needed to find a solution for privilege management as a key part of stabilizing the workstation experience and meeting the firm's security objectives.

Our Solution

At the time, most organizations that had removed administrative rights elected to make users "power users" or to limit users and leverage the Windows run-as command. Neither approach is elegant and both can create difficulties.

Lathrop & Gage was an early adopter of a new desktop management product (Viewfinity). During discussions with the developers, our need for a privilege management solution emerged, and they responded with an extension of their existing desktop management agent. The agent reports back to an internal management server, or it can be deployed with a hosted management solution. Viewfinity has continuously delivered key features to make the task of privilege management easy.

Benefits

The kernel mode agent receives policy information from the management server, and policies can be targeted by machine, user or group with full Active Directory integration. Viewfinity provides a very rich policy set to create policies for selective privilege elevation. Some examples include:

• Receive a right-click context menu item for installation with elevated privileges.

This component was beneficial in allaying some of the fears felt by certain tech-savvy lawyers who were concerned about losing administrative privileges. In reality, the function is seldom invoked. In addition, our IT staff — who, by the nature of their responsibilities, have secondary accounts with administrative privileges — are instructed to use the Viewfinity function when testing software. One of the often overlooked aspects of allowing IT staff to use domain admin accounts to install local software on their workstations is that, in the event of the software containing malware, it can now potentially have unfettered access to the entire network with disastrous outcomes.

• Allow the installation of software packages from a defined network share location accessible to service desk technicians.

During our last desktop rollout, certain tier-two and -three applications were not yet fully packaged for SCCM distribution. With the ability to create these installation
