Avecto | Bitesize Article

How to simply achieve Sarbanes-Oxley (SOX) Compliance

Russell Smith, author of ‘Least Privilege Security for Windows 7, Vista and XP’.

In this bite size article, Russell Smith provides a quick and easy guide to achieving SOX Compliance.

In response to major accounting scandals such as those that affected Enron, Sarbanes-Oxley (SOX) was passed into US law in 2002. Put simply, it requires that public companies verify the accuracy of their financial information. Specifically, SOX section 404 states that organizations must demonstrate confidence in IT systems that store, transport and process data.

The Act itself doesn’t determine what internal controls organizations should use, but COBIT (Control Objectives for Information and Related Technology) outlines best practice and is the most commonly adopted framework by IT departments to meet SOX compliance.

COBIT

COBIT control PO4.11 Segregation of Duties requires organizations to ensure that users’ roles are defined in such a way as to minimize the likelihood of a critical process being compromised. Additionally, employees must be prevented from using systems for activities not related to their assigned duties. The removal of administrative privileges and use of application control are critical in achieving these goals.

PO4.11 Segregation of Duties: Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions.

The Information Systems Audit and Control Association (ISACA), which is responsible for certifying auditors, carried out a study to determine the most important controls required for SMEs to meet SOX compliance. File access privilege controls was ranked in the top five controls and least privilege was identified as the technology required to meet the control requirement.

COBIT Quickstart, a guide to implementing the most critical COBIT controls for SMEs with small IT shops, is available from the ISACA website.

Windows and Least Privilege Security

Least privilege security has been shown to significantly reduce virus and malware infection rates on Windows. Additionally, application whitelisting is necessary to prevent users from installing unauthorized software that could lead to a computer being compromised. Portable applications, some scripts and batch files cannot be blocked by simply removing administrative rights.

To achieve effective least privilege security, organizations need to:

- Remove users from built-in Windows groups, such as Administrators and Power Users.
- Implement application whitelisting to prevent users running unauthorized software.

1. User Account Control

In the past, users on Windows were assigned administrative privileges because some software didn’t work correctly when run by a standard user. Furthermore, some Windows features, such as Disk Defragmenter, can only be started by a user with administrative rights.

Starting in Windows Vista, User Account Control (UAC) brings together a set of technical changes that make it easier to run Windows under a standard user account. Fewer Windows features in Vista (and later operating systems) require administrative privileges; Protected Administrator (PA) accounts remove administrative privileges most of the time, requiring users to confirm the use of admin rights in an elevation prompt in some scenarios. However, UAC is a consumer-orientated technology which denies organizations the control to manage security effectively and meet compliance mandates.

2. Application control

Windows XP introduced basic application whitelisting in the form of Software Restriction Policies (SRP). SRP is difficult to implement and manage, thus preventing its widespread adoption. Microsoft added AppLocker to Windows Vista, a replacement for SRP that provides more flexibility, the ability to scan the OS for installed software and automatic rule creation.

While AppLocker is an improvement over SRP, it can’t be used to manage all supported versions of Windows, because AppLocker wasn’t back ported to XP, and it doesn’t offer the comprehensive control and automation of 3rd-party application whitelisting solutions.

Using Privilege Guard to meet SOX compliance

Avecto Privilege Guard’s features allow organizations to remove administrative privileges from end users and block unauthorized applications while retaining confidence that all operational needs can be met.

IT can utilize Privilege Guard to assign rights to individual processes, applications, scripts, batch files, control panel applets, etc. As a result, if the removal of administrative privileges from users’ accounts causes a legacy application to stop functioning correctly, or notebook users can no longer perform a maintenance task, the required rights are transparently added to the required process according to centralized policy set by the IT department.

1. Monitoring privilege use

Privilege Guard can monitor PCs and servers to determine which applications and processes are being used and what privileges are required to run them. Gathering this data in advance reduces the chances of users experiencing problems when administrative rights are removed by ensuring that application and process compatibility with standard user accounts is known before least privilege is deployed.

2. Custom messaging

Unlike UAC elevation prompts, Privilege Guard messages can be customized and branded. Not only is this useful for providing users with more information, but helps differentiate genuine messages from those that might be generated by malware. Privilege Guard messaging also has multilingual support.

3. Challenge response authorization

One of the biggest challenges of any least privilege project is how to manage notebook users that don’t have connectivity to the corporate network. Privilege Guard’s challenge response authorization feature lets users elevate applications or processes on receipt of an authorization code from IT, ensuring that support can be provided in any situation and unforeseen changes can be authorized by IT even when it’s not possible for a device to receive a policy update.

4. Application control

Privilege Guard’s application whitelisting provides more flexible rule creation than Windows AppLocker, and integrates with monitoring and challenge response authorization features.

Reducing the cost of SOX compliance

Whether you choose the Group Policy or ePO (ePolicy Orchestrator) Edition, Privilege Guard can streamline your efforts to remove administrative privileges from end users on PCs and servers. Removing administrative privileges is required for SOX compliance and for the wider aim of delivering an effective security strategy. Least privilege is one of the most effective measures that can be taken against malware, helping to reduce downtime related to unwanted configuration changes, and improving productivity.

About the Author

Russell Smith is the author of Least Privilege Security for Windows 7, Vista and XP published by PACKT, which includes details about the applications of Avecto’s Privilege Guard software for Windows least privilege management. Smith is also contributing editor for Microsoft Best Practices at CDW’s Biztech magazine and a regular contributor to leading industry journal Windows IT Pro. He holds a diploma of higher education from the University of London and is a Microsoft Certified Systems Engineer (MCSE). With over 10 years experience securing and managing Windows Server systems for Fortune Global 500 companies and small to mid-size enterprises, Smith is also an experienced trainer.