Google has just launched a new version of Google Frame – a plug-in designed for Internet Explorer based on the open-source Chromium project. Unfortunately, it presents a significant problem for IT departments, in that users can install the plug-in even if they don’t have Administrator Rights on their desktop. Now, I am not picking on Google in this blog, but using Google Frame as an excellent example of how unauthorized and unknown software can easily enter corporate desktops that are only protected by managing and blocking ‘known’ code and software.
Back to Google Frame, A comment on the Hacker News site sums this up nicely saying:
“Yay for clever technical hacks that help users circumvent ossified IT bureaucracy. But I’m a little astonished that this is possible. They’re running a second process that detects new instances of IE starting up and injects Chrome Frame into them. Doesn’t that make a mockery of “admin rights”?
Fair comment indeed… but those Admin rights are often there for a reason – to protect the desktop, the data and the user from unknown software. Google isn’t doing end-users any favours by circumventing established security protocols – it will just encourage IT departments to try and lock down desktops even further.
According an insightful article from Cade Metz, at The Register: “Google is well aware of this. But the company says that if admins don’t like it, they can use separate Google admin tools to stop it from happening.” But that assumes IT admins are aware of the issue, and the separate Google admin tools in the first place, in order to control it .. ouch?!
My thought here is – you only know what you know, you don’t know what you don’t know – Making some aspects of managing the desktop for some IT departments, especially in this case, a reactive, firefighting process.
My question therefore is – How can you control, manage and protect against the unknown?!
The answer to my question and for AppSense customers concerned about this issue, I’m happy to confirm that this is something automatically handled out of the box by Application Manager – One of the requirements of a User Virtualization solution is to dynamically and automatically control application entitlement and the ability to control what a user can introduce and execute into their desktop environment. For over 10 years Application Manager has been protecting millions and millions of corporate desktops around the world, AppSense will recognise any attempt by the user to install or run any unknown or unauthorized piece of software, even a plug-in and block it unless permission has been given.
AppSense User virtualization achieves this with a kernel level filter driver within the Windows operating system. This filter intercepts all execution requests, whether known or unknown software, scripts, DLL’s etc, prior to an application or code actually launching or executing, to determine if the request is to be authorized or prohibited. Any unauthorized requests are blocked and the user receives a message, configurable by the administrator, stating that execution has been denied. Authorization or denial can be manged in a number of ways:
AppSense Trusted Ownership: Managing the Unknown
Protect the system without complex lists and constant management. Only code installed and owned by ‘trusted owners’ is allowed to execute. By using this method, current application access policy is immediately enforced ‘out of the box’ without the need for scripting or list management. In this case, Google Frame would be prevented from running the installation and the application is blocked automatically, even though the code itself is unknown to the IT department! – Problem Solved. (note – The trusted owners list can be extended to suit any environment or content directory infrastructure.)
White & Black List Configurations: Granular Management of the Known
White & black List configurations can be used in conjunction with Trusted Ownership to control known applications which pass the NTFS owner check. Applications that users should not have access to such as administrator owned tools like cmd.exe or ftp.exe are automatically denied. Or, create white lists to guarantee only known and trusted applications can
execute on a system.
So… there we have it, while vendors are developing software that can bypass desktop controls and enter the corporate desktop environment, and unknown (malware) threats challenge our IT departments, there is a solution available in the form of AppSense User Virtualization.
If anyone has any further specific thoughts or questions about Google Frame, any other ( potentially unknown) applications or User Admin Rights, then please do share them here on the AppSense blog – as ever we love to hear what the community has to say.
Hope this helps, and keen to hear your thoughts…