Desktop security strategy
Desktop security can sometimes become a compromise between keeping the desktop environment secure and providing the desktop services the business needs.
However, with careful planning and direction from the business on its requirements, this need not be the case. It will require investment in designing the security
on your machines.
Ideally, to be secure, users should not log on to the computers with local administration rights. Running users with only "User" rights can cause some issues, however,
and you should expect to invest time on some applications that simply do not function correctly. A very simple example of this is Microsoft Photo Editor, which is installed
along with Office 2003 and earlier. When opening an image, Photo Editor needs to read graphics filter information from the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Graphics Filters),
but for whatever reason the application tries to open the "Export" key with CreateKey access. For this application to run correctly you'll need to grant the
"Users" group write access to this key. Ideally, these permissions are dealt with during application repackaging.
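
One way to apply that permission narrowly, as an added example that is not part of the original page: it grants BUILTIN\Users write access on the "Export" key only, and only if the rights are not already present. The function name `Grant-UsersExportKeyWrite` is hypothetical, and the script assumes "Export" is a direct subkey of the Graphics Filters key named above.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
# Assumption: "Export" is a direct subkey of the Graphics Filters key in the text.
# On 64-bit Windows a 32-bit Office install is redirected under SOFTWARE\WOW6432Node.
function Grant-UsersExportKeyWrite {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Export'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # BUILTIN\Users by well-known SID, so the script works on localized Windows builds.
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

    # WriteKey = SetValue + CreateSubKey + ReadPermissions.
    # It does not include Delete, ChangePermissions or TakeOwnership.
    $rights = [System.Security.AccessControl.RegistryRights]'WriteKey'

    $acl = Get-Acl -LiteralPath $KeyPath

    # Skip the change if an allow rule for Users (explicit or inherited) already covers it.
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $users -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $rights) -eq $rights
        }
    if ($existing) {
        Write-Verbose "Users already has $rights on $KeyPath"
        return $false
    }

    # Allow rule on this key and its subkeys only; nothing above "Export" is touched.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $users, $rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($KeyPath, "Grant BUILTIN\Users: $rights")) {
        Set-Acl -LiteralPath $KeyPath -AclObject $acl
        return $true
    }
    return $false
}

# Preview the change without writing anything.
Grant-UsersExportKeyWrite -WhatIf -Verbose
```

Remove `-WhatIf` to apply the change; the function returns `$true` only when it actually modified the ACL.
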
That said, it is worth all the effort you put in. As mentioned in Internal Security and
Antivirus Planning, removing the need for users to have local administration rights on the machines is the most critical step in desktop security.
A strong acceptable use policy is critical to desktop security. This again will be driven by the business and what it needs to achieve. For most companies, this policy
would include, for example, a rule prohibiting the storage of copyright-protected music on company computers to avoid potential legal issues. If the company were in the music industry, though,
this rule would not be part of the acceptable use policy.
Citrix-type platforms are one way of ensuring security on the desktop. Using Citrix (or other Terminal-type applications) means that access to the desktop OS is simply not necessary.
It's possible to lock down access to removable media devices if necessary, since under this platform they are not required. Application conflicts are dealt with once for all users.
Deploying software to a desktop is simply a matter of assigning it to the user. It's also possible to deploy thin clients rather than full desktop clients.