Whitepaper
Beyond Windows XP EOL in April 2014
Securing Windows XP and Protecting from Unknown Malware
Considerations for securing Windows XP

Contents
Executive Summary
Introduction
Existing Security Measures
Microsoft Windows XP End of Life
The Growing Market in Computer Crime
The Vulnerable Network
Cyber Threats: Malware Tools of the Trade
Trojans
Key Loggers
Rootkits
Peer-to-Peer and Bit Torrent clients
Acceptable use, user behavior, and disgruntled employee
Reactive Protection and Its Failings
Locking Down Systems
Best Practice: Beyond Reactive Protection
Trusted Ownership Checking
Whitelists, Blacklists, and Digital Signature Checking
Self-Healing
Protecting the Registry from Unknown Malware exploitation
Flexible Application and Device Lockdown
Local Administrator Accounts and Privilege Management
Application Network Access Control
Security Checklist
Mitigate Risk
Leverage Existing Security Investments
View and Audit All Potentially Malicious Activity
Reduce IT Management Costs
Enable Compliance
Prepare for Windows XP EOL with AppSense
Protect Once, Protect Forever
The Technology

appsense.com

Executive Summary

This guide provides helpful information to IT and business managers about the requirement for proactive desktop security and protection beyond the end of life (EOL) for Microsoft Windows XP in April 2014. The threat from malware is real, growing, and expected to explode. Experts fear thousands of unknown vulnerabilities in Windows XP still await exploitation when Microsoft stops providing security fixes and service packs as part of Windows XP EOL. In this whitepaper, we will examine how and why this threat has changed and will continue to evolve, as well as how malware writers are fighting back against antivirus software.
We will provide some best practice guidelines to enterprises and government organizations looking for ways to stop the continuing infiltration of systems after Windows XP EOL. Further, we will acknowledge the necessary balance between increasing security, reducing IT administration overhead, and increasing employee productivity. In addition, we’ll explore how AppSense can help you stop malware and protect your antivirus client, while ensuring the integrity of your workstations and notebooks. AppSense solutions add value to any version of Windows and can be used to aid migrations to Windows 7 and 8.

Risks:
- Windows XP will become a soft target to exploit when security patches cease to be issued by Microsoft
- Windows XP still has many known vulnerabilities and possibly even more unknown
- Speculation exists whether “black hat” attackers are holding back exploit code for unpublished vulnerabilities to release once EOL occurs
- Simply maintaining up-to-date antivirus on Windows XP will not suffice
- Network exploitable vulnerabilities are still being found
- In the first quarter of calendar year 2013, NIST.gov published 28 network exploitable vulnerabilities affecting Windows XP
- Local administrator accounts leave Windows XP desktops open to exploitation

Introduction

Malware poses significant financial, legal and resource risk to an enterprise. Brand equity is also at risk through the loss of internal and customer data. Since the late 1990s, malicious computer and network attacks have become increasingly stealthy. No longer are most attacks designed to create visible effects, such as a denial of service or blue-screening a desktop. Instead, today’s threats are silent, and quite often employ many interconnected machines - or bots - to conduct their operations. Thousands of bot networks (botnets) have appeared, creating a dark dimension to the Internet.
A dimension that operates silently, may already include your organization’s devices, and could grow exponentially come April 2014. And you may not even know it’s happening.

Existing Security Measures

Multi-layered IT security has increased the time and complexity of administration beyond where IT managers would like it to be; yet network and system vulnerabilities continue to be exploited at an ever increasing rate. Despite continuing enhancements in perimeter security and antivirus solutions, malicious software (malware) presents an ever increasing threat to the stability and security of enterprise systems and their data. As far back as 2007, Symantec Antivirus had definitions for over one million viruses. Since then, hundreds of thousands of new viruses and a large number of variants of existing viruses have been unleashed on the Internet, making a definition-based approach a highly reactive countermeasure for identifying malware running on an endpoint device. Unfortunately, many security measures can be bypassed by user actions, especially by users who have been given local administrator privileges on their Windows desktop, whereby they, or malware, can easily access and manipulate security services.

Microsoft Windows XP End of Life

As a mobile workforce and widespread use of the Internet and e-mail make the network perimeter less relevant, securing endpoints (desktops, laptops and virtual desktops) across the enterprise becomes more vital. Stopping unknown sources of attack from within and outside the organization is the next battlefield for IT security. Organizations still using Windows XP beyond its EOL need to protect against the next wave of unknown malware aimed at exploiting vulnerabilities that will not be fixed no matter how severe (Nimda, Code Red).
Most likely, with XP EOL looming, the more organized and well-funded teams of malware writers have already started creating code targeted at individual corporations and even individual users. For businesses that choose to stay on Windows XP beyond April 2014 without a support agreement, risk increases significantly. According to NIST.gov[1], between January 2013 and March 31st, 2013, Microsoft released 34 high severity updates for Windows XP. Of these, 28 were exploitable via the network. Some of these vulnerabilities could be exploited even when up-to-date antivirus is in place. Antivirus is intended as a last line of defense - to detect and clean up the mess once malware has been executed and delivered its payload. Even then, many areas are outside its scope of control or ability to respond in a timely manner. A recent New York Times article shares that “…By the time [antivirus] products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company’s trade secrets...” (Perlroth, 2012)[2].

Windows XP is fundamentally less secure than its successors. A Microsoft report (Microsoft, 2012)[3] notes that malware infection rates of Windows XP are double that of Windows 7. Many industry watchers believe that cybercriminals may even step up their rates of attack (Sheldon, 2012)[4] as EOL approaches and that “black hat” attackers may hold back exploit code for release after April 2014. The moment support patches stop for Windows XP on April 8th, 2014, a major layer of defense for the operating system disappears. Moreover, when Microsoft stops supporting Windows XP, many application vendors will follow suit, discontinuing support and security patches for their Windows XP applications and choosing instead to allocate resources to Windows 7 and 8 applications.

[1] NIST.gov, Advanced search for Windows XP vulnerabilities. Web, searched April 1st 2013.
[2] Perlroth, Nicole, “Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt”, New York Times. Web, December 31st 2012.
[3] Microsoft, “Microsoft Security Intelligence Report Volume 13 English”, Microsoft, Web (PDF), November 8th 2012.
[4] Sheldon, Robert, “Windows XP End of Support: What are the risks for users?”, TechTarget, Web, November 2012.

The Growing Market in Computer Crime

The Federal Trade Commission estimates that roughly 10 million Americans have their personal information pilfered and misused every year, costing consumers $5 billion and businesses $48 billion annually. The introduction of vast profits in this area has spawned a growing black market. Hackers and malware writers offer their services to order. Stolen data auctions move gigabytes of proprietary information. Whole botnets can be hired for specific purposes, such as massive spam e-mail campaigns and denial-of-service attacks against e-commerce websites. As this form of crime drives the exploitation of users and machines, its extreme profitability has attracted the attention of organized crime. The power and resources it can apply to computer crime mean that the tools employed are sophisticated - professionally produced and controlled. Specialists tout their skills on unadvertised websites and forums, while loose teams of cyber criminals under the control of highly organized crime syndicates deliver malware in the form of viruses, Trojans, keyloggers, and botnets. Although these don’t always rely on a system vulnerability to gain access, many do. What we are seeing is the development of a cybercrime business model. Without regular patches, Windows XP is a soft target in the digital war between IT departments and organized crime.
The Vulnerable Network

The ongoing evolution of cyber security threats has led many organizations to adopt a layered security architecture with different solutions protecting each level of the enterprise. This ‘defense in depth’ strategy has significantly increased the overall complexity of IT security. When an infiltration occurs, this complexity increases the time taken to discover it and respond adequately. Often, each solution requires a different management interface to control, monitor and update. Some of the main examples of network entry points are:
- Appealing websites that exploit vulnerabilities in Internet Explorer
- SSL encrypted content that cannot be screened on the network perimeter
- Specially written e-mails inviting users to open an attachment
- Local Administrator user accounts providing easy, elevated access for malware
- Peer-to-Peer clients trading illegal, copyrighted material
- Public Instant Messaging
- Removable media such as CDs/DVDs and USB drives
- Games, screen savers and utilities that often contain Trojans
- Video and audio file downloads

Cyber Threats: Malware Tools of the Trade

Trojans, keyloggers, and rootkits are common forms of malware that intrusion prevention systems are designed to detect and block or disable. An ongoing challenge for IT is keeping these systems up to date, since they generally rely on signatures or behavioral rules. Antivirus products, for example, use a signature database to identify threats. Even a firewall rules database may need to be altered to close a certain communications port and, of course, Windows needs to be patched regularly to remove vulnerabilities.

Trojans

A Trojan is a mechanism for distributing malicious code that tricks users into executing it by disguising the code as something useful such as a patch, a game, an interesting video file, or an important message. The most notable example of this was the Sober e-mail worm.
At the height of the Sober outbreak in December 2005, it accounted for 1 in 12 e-mails. The body of the e-mail contained an apparent warning from the FBI or National High Tech Crime Unit that the recipient had been detected visiting websites containing illegal material. The victim was then directed to complete a form attached to the e-mail that infected them with Sober. Trojans continue to be one of the most common methods of propagating malware because the desktop user remains one of the least protected elements in the IT environment, especially users with local administrator privileges.

Keyloggers

Many forms of malware contain keyloggers that steal information from the machines they infect. In February 2006, Brazilian police arrested 85 people for seeding the computers of unwitting Brazilians with keyloggers that recorded their keystrokes whenever they visited their banks online. Using stolen user names and passwords, the fraud ring diverted approximately $4.7 million from 200 accounts at six banks. It is likely that the use of this form of malware will increase in the future as cybercriminals expand their trade in stolen information to industrial espionage.

Rootkits

A rootkit hides the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer. The term originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted “root” access. It has come to be applied to any technique or code used to conceal activity or objects in a system. The shift in the purpose of malware has meant that it is increasingly important for an infection to remain undetected, as this allows the continued theft of data and the illicit use of the victim’s bandwidth for purposes such as spam relaying. This has led to an increase in the use of rootkit functionality and a growth in its capability.
There are two forms of rootkit used in Windows environments: user level and kernel level. A user-level rootkit works by intercepting and subverting calls made to the various application programming interfaces (APIs) that request services from the operating system. Simple ones might intercept requests made by file system utilities, such as Explorer and the command prompt, and modify the data returned. Any scanning tools that also use these APIs will be incapable of detecting this. More sophisticated versions work at lower levels, subverting requests made by user mode elements before they are forwarded to the kernel mode elements of Windows. In this situation, no scanning tool that works in user mode would be able to detect the interference.

Kernel-level rootkits are even more powerful. They work by intercepting the API calls made between the Windows kernel and the low-level operating system components it controls. This can result in the kernel being incapable of fully enumerating the contents of its local storage, for example where its request for the contents of sectors of the local disk is altered before being returned. In this situation, virtually all tools used to check for malware infection would be incapable of discovering it.

There are various websites and other places on the Internet that offer malware developers code that will provide their tools with the functionality of both forms of rootkit. The use of this technology is certain to increase as malware writers look to maximize profits from selling vulnerabilities and exploits after Windows XP EOL.

Peer-to-Peer and Bit Torrent clients

In 1999, a young man named Shawn Fanning stayed awake for 60 hours to write a small piece of software called Napster.
It allowed people to easily locate and copy music files from other people’s computers using the Internet. Peer-to-peer (P2P) file sharing was born. Today, Napster is gone, but file sharing is not. In addition to music, entire movies and DVDs are shared, and, of course, malware. Malware is often embedded in the files downloaded by the naïve user who is expecting nothing more than an album, film, or game. Unfortunately for enterprise security, this can load malware directly onto an endpoint. Peer-to-peer file sharers also consume massive amounts of bandwidth, which reduces network performance for everyone. Services and systems that rely on bandwidth can slow to a crawl or fail. Clearly Internet usage needs to be effectively controlled and, while educating employees is important and necessary, it’s never enough. Companies must ask themselves two questions:
- Are users able to install Peer-to-Peer and Bit Torrent clients?
- Can they identify, quarantine, and remove any infected file downloaded before it can execute its payload?

Educating employees is one approach, but it’s not going to work for some individuals. Why not stop them from installing peer-to-peer applications in the first place? Unfortunately, many Windows XP users have local administrator privileges and as such have the capability to install and execute new software, in this case peer-to-peer and Bit Torrent clients.
Therefore many Windows XP users will already have file sharing technologies installed on their endpoint device, perhaps with a large number of other non-work-related, user-introduced applications. These applications provide additional routes for malware to continue to access a Windows XP machine and exploit vulnerabilities which are no longer being addressed.

CIOs and CSOs rank employees second only to hackers as the source of malicious attacks.[5] (The Global State of Information Security® Survey 2014, PwC, CIO magazine, and CSO magazine.)

“I see the insider threat looming larger in my windshield than in the past. And it’s important to note that insider threats are not necessarily a ‘bad guy’ with bad intentions; it could be a good employee doing righteous work in an insecure manner. Our problems are more human than technological.” - Michael A. Mason, Chief Security Officer for Verizon Communications

Acceptable use, user behavior and disgruntled employees

As stated, users are one of the most vulnerable parts of any computer system. Their desire to boast, assist other people, curiosity about what they see and read, and their susceptibility to suggestion make them easy targets. Even if users are cautious and only open e-mails from trusted sources or browse reliable websites, they can still become the victims of cyber-attacks. While indispensable for knowledge workers, Internet and e-mail use in the workplace pose significant risks to corporations, especially when acceptable use policies (AUPs) are ignored. For example, nearly all workers install instant messaging clients on their machines. Many download music or videos and access non-work-related websites during working hours. So if AUPs are not enforced, users can knowingly or unknowingly install software or launch executables that have the potential to cause enormous damage. The EOL of Windows XP simply makes these potential breaches much more likely.

Likewise, the ability of unhappy employees to compromise systems and data from within an organization should never be underestimated. The case of AOL employee Jason Smathers is a disturbing example of the damage a disgruntled employee can cause. After being disciplined, Smathers stole 92 million e-mail addresses and sold them to an e-mail spammer, who used them and resold them. This one theft ultimately generated several billion spam e-mails. Smathers was jailed in 2005.

[5] Global State of Information Security: CIO and PwC.

Reactive Protection and Its Failings

Most security experts agree that it’s sensible to use multiple layers of protection against security threats. But this leads to the management complexity we’ve already discussed, which also includes the time and expense of training and accreditation in product use. What’s more, reactive solutions only protect against what is known. But most new malware is unknown code. Take antivirus protection, for example: a threat has to be observed and studied before a signature can be released for it. In addition, sophisticated malware can pass through antivirus cleaning. Beyond antivirus, commonly used reactive enterprise security measures include:
- Anti-spyware
- E-mail filtering
- Intrusion Prevention
- Content filtering

By definition, reactive protection cannot prevent zero-day attacks because they exploit previously unknown vulnerabilities. And no matter how fast technology vendors respond, it’s never fast enough if your organization is under attack. This ‘window of vulnerability’ is what keeps CTOs up at night.
[Figure: Window of Vulnerability. Vertical axis: number of systems infected, and cost to your organization; horizontal axis: time. Milestones along the timeline: Virus Released, Virus Discovered, Signature Authoring Begins, Signature Completed & Tested, Distribution of Update Commences, Update Installation.]

Locking Down Systems

There are various measures intended to protect vulnerable users and endpoint machines. For a long time, perimeter security provided this protection. Over time, attackers have become adept at penetrating the perimeter and targeting attacks directly at users and their applications. Mobile computing has exacerbated this. A corporate firewall can’t protect laptop users when they’re mobile. The response from the security industry has been to lock down user machines to limit and mitigate the risks posed by application and user-level attacks. This has proven to be problematic, even after the introduction of tools such as group policy. Gartner Group estimates that while more than 60 percent of organizations want to enforce desktop lockdown, 20 percent of enterprise desktops and fewer than five percent of laptops are locked down today[6]. Among the reasons for this low rate are concerns about usability. There are many scenarios where users require local administrative rights to work effectively. Many applications make changes to hardware settings or network adapters, all of which require administrative privileges to execute. This also includes web application updates, the installation of ActiveX components, Adobe, Flash, and Java updates, and printer drivers. Yet administrative access leaves the desktop vulnerable to malware. When Microsoft officially enforces Windows XP EOL in April 2014, a window of vulnerability will stay open indefinitely.

[6] Gartner Report: Windows Application Control (G00137032).

Best Practices: Beyond Reactive Protection

It’s clear that enterprises and government organizations need to reimagine their security environments in a broader context and balance those priorities with more efficient IT management. For the purpose of establishing best practice guidelines, it is useful to look at three categories of application-level change: known bad, known good, and unknown.

[Figure: Application types versus control and protection. Unknown applications (user installed, business or consumer) are handled proactively by Trusted Ownership, which allows or blocks them. Known good applications (IT delivered user apps via packaging such as MSI/application virtualization; departmental applications, business unit >> IT; strategic applications, business >> IT >> users; base applications ‘baked’ into the OS desktop image / golden image) are allowed proactively by a whitelist. Known bad applications are blocked reactively by antivirus, blacklists, anti-spyware and firewalls. User personalization (user settings, profiles, scripts, policies) sits alongside the application layers.]

Securing applications from malicious activity has predominantly concentrated on the known bad. With that in mind, the following section summarizes proactive security best practices.

Trusted Ownership Checking

Trusted ownership checking automatically protects systems without complex configuration and constant management. It can block unknown spyware, malicious mobile code and other web-based threats, including executable viruses, Trojans, worms, keyloggers, script attacks, and rogue Internet code. Trusted ownership checking provides enterprise-wide protection inside and outside the corporate network, adding a valuable layer of security for a mobile workforce. It prevents 100 percent of user-introduced, unauthorized applications, preserves the integrity of gold-build images, and increases user productivity by refocusing resources on business applications.
It examines the NTFS owner of an application prior to execution. If the application is from a ‘trusted owner,’ anyone is allowed to execute it. If not, no one may execute it. A predetermined list of trusted owners quickly determines which applications are unwanted. By default, only domain administrators are trusted, which ensures that only applications installed by IT are allowed to run. The trusted owner list can be extended as required.

Whitelists, Blacklists, and Digital Signature Checking

Whitelists guarantee that only known and trusted applications can execute on a system, which means they block the unknown; blacklists protect only against known threats and problem applications. Digital signature (electronic fingerprint) checking ensures that applications and files installed on a system remain unaltered, preserving system integrity and lowering maintenance costs. Digital signatures are the ultimate identity check for an individual file. If one bit of a file is changed, the digital signature also changes. For advanced security, this method assigns SHA-1 digital signatures to applications and files and checks them against blacklists or whitelists. Modified or spoofed applications are prevented from executing. However, digital signatures can bring high management overhead, as new signatures need to be taken each time a file is updated by means of a service pack or patch.

Self-Healing

Even though trusted ownership checking will prevent the execution of unknown applications, scripts or malware, self-healing technology can correct unauthorized changes to retain a system’s desired state. Automated monitoring and self-healing systems can increase security, lower costs, reduce complexity and take much of the manual labor out of managing IT systems - minimizing the business impact of security or system failures.
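Before going further into self-healing, here is the execution decision described in the Trusted Ownership Checking and Whitelists, Blacklists, and Digital Signature Checking sections above, written as an added Python example for this page; it is not AppSense's code. It assumes the executable's NTFS owner has already been read from the file (on a live Windows system that comes from the file's security descriptor, for instance via Get-Acl in PowerShell), that the SHA-1 of the file bytes stands in for the ‘digital signature’, and a rule precedence of blacklist hash, then whitelist entry, then trusted ownership, which is this example's choice rather than anything the page specifies. The paths, owners and file bytes are constructed samples.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# All names, sample files and the rule precedence below are assumptions made for
# this illustration; they are not AppSense's implementation or rule format.


@dataclass
class FileInfo:
    """What an execution hook sees before a file is allowed to start."""
    path: str       # full path of the executable
    owner: str      # NTFS owner (on a live system read from the file's security descriptor)
    content: bytes  # file bytes; hashed below to form the "digital signature"


@dataclass
class Policy:
    trusted_owners: Set[str]                                       # e.g. the Domain Admins group
    blacklist_sha1: Set[str] = field(default_factory=set)          # known-bad file hashes
    whitelist_sha1: Dict[str, str] = field(default_factory=dict)   # path -> expected SHA-1


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the file contents: any changed bit produces a different value."""
    return hashlib.sha1(data).hexdigest()


def evaluate(info: FileInfo, policy: Policy) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one execution request.

    Precedence (assumed): blacklist hash > whitelist entry > trusted ownership.
    """
    digest = sha1_hex(info.content)
    path = info.path.lower()

    # 1. Known bad: a blacklisted signature is blocked whoever owns the file.
    if digest in policy.blacklist_sha1:
        return "block", "blacklisted signature"

    # 2. Known good: a whitelisted path runs only while its signature still matches,
    #    so a patched or tampered binary at that path is stopped until re-signed.
    expected = policy.whitelist_sha1.get(path)
    if expected is not None:
        if expected == digest:
            return "allow", "whitelisted path, signature matches"
        return "block", "whitelisted path but signature changed"

    # 3. Unknown: fall back to trusted ownership. Anyone may run a file installed
    #    by a trusted owner; nobody may run a file introduced by anyone else.
    if info.owner.lower() in {o.lower() for o in policy.trusted_owners}:
        return "allow", "trusted owner"
    return "block", f"untrusted owner {info.owner}"


def sample_policy() -> Policy:
    """Constructed sample policy for the demonstration."""
    good_app = b"MZ-constructed-bytes-of-approved-app"
    known_bad = b"MZ-constructed-bytes-of-known-malware"
    return Policy(
        trusted_owners={r"CORP\Domain Admins", "BUILTIN\\Administrators"},
        blacklist_sha1={sha1_hex(known_bad)},
        whitelist_sha1={r"c:\program files\lineofbiz\lob.exe": sha1_hex(good_app)},
    )


def demo() -> Dict[str, str]:
    """Run a few constructed execution requests through the policy."""
    policy = sample_policy()
    requests = {
        "it_installed": FileInfo(r"c:\program files\office\winword.exe",
                                 r"CORP\Domain Admins", b"MZ-office"),
        "user_dropped": FileInfo(r"c:\documents and settings\alice\desktop\game.exe",
                                 r"CORP\alice", b"MZ-some-unknown-game"),
        "known_bad": FileInfo(r"c:\temp\invoice.exe", r"CORP\Domain Admins",
                              b"MZ-constructed-bytes-of-known-malware"),
        "lob_intact": FileInfo(r"C:\Program Files\LineOfBiz\lob.exe", r"CORP\alice",
                               b"MZ-constructed-bytes-of-approved-app"),
        "lob_tampered": FileInfo(r"c:\program files\lineofbiz\lob.exe",
                                 r"CORP\Domain Admins",
                                 b"MZ-constructed-bytes-of-approved-app!"),
    }
    return {name: evaluate(req, policy)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The `lob_tampered` case is the one to notice: a whitelisted path owned by a trusted account is still blocked once its hash no longer matches, which is the ‘one bit changes, the signature changes’ property the section describes, and also why the page warns that signature lists need refreshing after every service pack or patch.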
Self-healing technology automatically protects and repairs essential elements of the system and the users’ environment. For instance, if a user deletes important configuration settings in the system registry or removes vital files, this can be automatically corrected. The ability to ensure that computer and user settings are restored to their original state in the event of a system failure or unauthorized changes is a major advantage in today’s hostile environment. A wide range of items, from processes and services to files and registry keys, can be self-healed.

Protecting the Registry from Unknown Malware exploitation

Key areas of the registry, such as the list of programs set to run at user logon, can be kept permanently in a known good state. If any malware does configure itself to launch at logon, this self-healing functionality will have removed the call to execute at logon - even though trusted ownership checking will have prevented the execution of the file itself. Similarly, there is also a list of per-user processes configured for launch within the user’s profile that can be hijacked by malware, and this can be protected with self-healing. Self-healing can be used to guarantee that critical applications, such as security software, always run, providing additional protection against the threat of Trojans, worms, and spyware. If users have the ability to disable their anti-virus programs (a common practice for users who have heard that anti-virus degrades performance), their entire desktop session is unprotected until they log off and back on again. Self-healing can be used to ensure that if these processes terminate for any reason, they are immediately launched again.
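The registry and process self-healing described above can be implemented as desired-state reconciliation: compare what is on the endpoint with a known-good snapshot and put back exactly the snapshot. The Python below is an added example written for this page, not AppSense's mechanism. It works on an in-memory copy of the Run key so it runs on any platform; on a Windows endpoint the same dictionary would be read from HKLM\Software\Microsoft\Windows\CurrentVersion\Run (for instance with the standard winreg module) and the repaired values written back. Value names, commands and process names are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed example. On a Windows XP endpoint the "observed" dictionary would be
# read from HKLM\Software\Microsoft\Windows\CurrentVersion\Run (for instance with
# the standard winreg module) and the repaired values written back; here the key
# is an in-memory dict so the reconciliation logic can run on any platform.

# Known-good contents of the Run key, captured from the gold build (constructed values).
DESIRED_RUN: Dict[str, str] = {
    "AVClient": r'"C:\Program Files\AV\avclient.exe" /tray',
    "VpnAgent": r'"C:\Program Files\VPN\agent.exe"',
}

# Processes that must stay running for the whole session (constructed names).
REQUIRED_PROCESSES: Set[str] = {"avclient.exe", "lockdown-agent.exe"}


def reconcile_run_key(observed: Dict[str, str],
                      desired: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return the healed key and an audit log of what was changed.

    Values not in `desired` are removed (so a planted logon entry never fires),
    altered values are restored, and missing values are re-created.
    """
    healed = dict(observed)
    log: List[str] = []
    for name in list(healed):
        if name not in desired:
            log.append(f"removed unexpected value {name!r} = {healed[name]!r}")
            del healed[name]
        elif healed[name] != desired[name]:
            log.append(f"restored altered value {name!r}")
            healed[name] = desired[name]
    for name, command in desired.items():
        if name not in healed:
            log.append(f"re-created missing value {name!r}")
            healed[name] = command
    return healed, log


def processes_to_relaunch(running: Set[str], required: Set[str]) -> Set[str]:
    """Required processes that are no longer running and must be started again."""
    running_lower = {r.lower() for r in running}
    return {p for p in required if p.lower() not in running_lower}


def demo() -> Tuple[Dict[str, str], List[str], Set[str]]:
    # Constructed "tampered" state: the AV entry was edited, an extra loader was
    # planted and the VPN entry was deleted; the AV client has also been killed.
    observed = {
        "AVClient": r'"C:\Program Files\AV\avclient.exe" /disabled',
        "Updater": r'C:\Documents and Settings\alice\Local Settings\Temp\svc.exe',
    }
    healed, log = reconcile_run_key(observed, DESIRED_RUN)
    restart = processes_to_relaunch({"explorer.exe", "LOCKDOWN-AGENT.EXE"},
                                    REQUIRED_PROCESSES)
    return healed, log, restart


if __name__ == "__main__":
    healed, log, restart = demo()
    for entry in log:
        print(entry)
    print("relaunch:", sorted(restart))
```

Running the reconciliation on a schedule, or on every change notification for the key, is what turns it from a one-off repair into the ‘always in a known good state’ behaviour the section describes; the audit log is what lets the change be reported rather than silently undone.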
Flexible Application and Device Lockdown

Administrators are looking to strip out unwanted functionality from third-party software either for security reasons (i.e. protection of confidential data and removal of potential security loopholes) or to reduce the level of complexity for the end user. Lockdown actions can be used to hide or disable user interface controls and block keyboard shortcuts for all, or specific, applications. Behavioral containment of this kind can also extend to all types of removable media, including USB drives, to limit the threat of infection and confidential data loss.

Local Administrator Accounts and Privilege Management

Improper privilege management control creates undue business risk and significantly adds to support costs. Giving users administrative privileges also creates legal and liability issues and makes compliance with guidelines such as Sarbanes-Oxley, HIPAA, COSO and FERPA difficult to accomplish. The perfect balance between user productivity, security and lower desktop TCO is to control user privilege at an application or individual task level. By making sure users have elevated privileges only for the applications, processes, or tasks that need them, enterprise TCO falls and managing endpoints becomes easier with fewer support calls. Users can still do everything they need without introducing security vulnerabilities.

Application Network Access Control

Application network access control (ANAC) intercepts and blocks requests made to prohibited network resources and controls outbound network connections by IP, host name, URL, UNC, or port based on the outcome of rules processing. It prevents users or malware from accessing network resources by controlling network access without complex controls such as routers, switches, and firewalls. Process rules enable outbound network access to be determined by the specific process, i.e. different applications can have different restrictions.
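A minimal rule evaluator for the per-process outbound network control and the parent/child process rules this section describes, as an added Python example written for this page; it is not the product's rule format or engine. Process names, host names and address ranges are constructed, and the default-deny for processes and parents that have no rule is this example's assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed rule model for illustration; process names, hosts and ranges are
# made up and the rule format is not that of any particular product.


@dataclass
class NetRule:
    """Outbound access one process may have. Anything not listed is denied."""
    process: str                                        # image name, matched case-insensitively
    hosts: Set[str] = field(default_factory=set)        # allowed destination host names
    networks: List[str] = field(default_factory=list)   # allowed destination CIDR ranges
    ports: Set[int] = field(default_factory=set)        # allowed ports; empty means any port


@dataclass
class ProcessRule:
    """Which child images a parent process may start."""
    parent: str
    allowed_children: Set[str]


def outbound_allowed(process: str, dest: str, port: int, rules: List[NetRule]) -> bool:
    """Default deny: a process with no matching rule gets no outbound access."""
    for rule in rules:
        if rule.process.lower() != process.lower():
            continue
        if rule.ports and port not in rule.ports:
            continue
        if dest.lower() in {h.lower() for h in rule.hosts}:
            return True
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:          # a host name, not an address: CIDR rules do not apply
            continue
        if any(addr in ipaddress.ip_network(net) for net in rule.networks):
            return True
    return False


def child_allowed(parent: str, child: str, rules: List[ProcessRule]) -> bool:
    """Parent/child rule: a governed parent may start only its listed children.
    Parents without a rule are also denied (assumed default for this example)."""
    for rule in rules:
        if rule.parent.lower() == parent.lower():
            return child.lower() in {c.lower() for c in rule.allowed_children}
    return False


NET_RULES = [
    NetRule("outlook.exe", hosts={"mail.corp.example"}, ports={443, 993}),
    NetRule("lob.exe", networks=["10.0.0.0/8"], ports={8443}),
    NetRule("iexplore.exe", hosts={"intranet.corp.example"}),   # any port
]

PROCESS_RULES = [
    ProcessRule("winword.exe", {"acrord32.exe", "excel.exe"}),
]


def demo() -> Dict[str, bool]:
    """Constructed connection and process-launch attempts run through the rules."""
    return {
        "outlook_imaps": outbound_allowed("OUTLOOK.EXE", "mail.corp.example", 993, NET_RULES),
        "outlook_smtp":  outbound_allowed("outlook.exe", "mail.corp.example", 25, NET_RULES),
        "lob_internal":  outbound_allowed("lob.exe", "10.20.30.40", 8443, NET_RULES),
        "lob_external":  outbound_allowed("lob.exe", "203.0.113.5", 8443, NET_RULES),
        "ie_intranet":   outbound_allowed("iexplore.exe", "intranet.corp.example", 8080, NET_RULES),
        "unknown_app":   outbound_allowed("game.exe", "10.20.30.40", 80, NET_RULES),
        "word_reader":   child_allowed("winword.exe", "AcroRd32.exe", PROCESS_RULES),
        "word_shell":    child_allowed("winword.exe", "cmd.exe", PROCESS_RULES),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'allowed' if ok else 'blocked'}")
```

The `unknown_app` and `word_shell` cases show the property the section is after: an application the user introduced, or an unexpected child of a document viewer, gets no network path and no launch simply because no rule names it, without any router, switch or firewall change.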
Process rules allow IT to determine what processes (children) can be run by an application (parent). This can prevent malware from accessing the corporate network from an infected machine.

Security checklist

When looking to source new security solutions, ensure they can deliver the following benefits:

Mitigate risk
Stop all unauthorized applications through proactive protection, resulting in more robust security policy enforcement and less reliance on vulnerable and reactive security systems. Eliminate local administrator accounts and utilize a privilege management solution to increase security and reduce risk.

Leverage Existing Security Investments
Add to any existing security systems in a way that helps them maintain their integrity through automatic self-healing, to ensure that they are always operational.

View and Audit All Potentially Malicious Activity
Get a true picture of what is really going on at the application level of all endpoints, with instant alerts to inform of any attempted breach. Audit and report at a granular level.

Reduce IT Management Costs
Reduce reliance on roaming profiles, patching, and system updates via self-healing, and application and system hardening - decreasing administrative tasks and lowering support costs.

Enable Compliance
Increase visibility into endpoint behavior with reporting and auditing capabilities that enable compliance.

Stop zero-day attacks. Stop patching chaos; well, there won’t be any patches available... ...With one, easy, proven solution.

Prepare for Windows XP EOL with AppSense

Protect Once, Protect Forever

It’s also common for users to introduce unwanted applications like games or peer-to-peer utilities, which often contain spyware to harvest e-mail addresses and other information. The AppSense trusted ownership mechanism stops these applications from running, preventing data loss.
AppSense is licensed on a per-user basis, which means that when you're ready to migrate to Windows 7 or 8, the technology can be used again to continue protecting your users, their desktops, and your data, increasing return on investment. AppSense has helped, and continues to help, many organizations migrate to Windows 7, significantly reducing the cost, time and complexity of the migration. To learn more about how we can help your organization migrate to Windows 7 or 8, please visit appsense.com.

AppSense desktop security solutions provide centrally deployed, enterprise-class protection for Windows endpoints that stops all unknown and unauthorized executables. Unknown threats cease to be a problem, and so does your lack of Windows XP updates, patches, and hotfixes. For example, many viruses are e-mailed to users as attachments. If a user receives an e-mail with a virus attached and clicks on the attachment, AppSense prevents it from executing. There is no need to worry about what the virus is; no need to identify it and wait for a signature to be produced. Whether it's well known or the latest, newly released malware, it's stopped.

AppSense is true protection from the unknown, including zero-day threats. More effective than an intrusion detection system, it stops intruders in their tracks. Hacking tools don't run. Trojans don't give unauthorized backdoor access. And spyware cannot send out your business-critical information. It also stops executable viruses from inflicting any damage and infecting other systems while anti-virus vendors catch up with a specialized detection signature. AppSense provides security professionals with a whole new range of tools and options they can use to ensure system integrity and secure vulnerable endpoints.
It augments firewalls, intrusion detection systems, and anti-virus clients as it helps IT administrators:
- Reduce security risk
- Ensure compliance
- Maintain systems in desired state
- Enforce licensing
- Decrease IT management complexity
- Lower desktop TCO

The Technology

The AppSense approach, which has been designed to meet public sector and intelligence agency standards, is a revelation for anyone who has had to spend weeks configuring options on a new solution. It requires virtually no configuration; protection is nearly immediate. AppSense comes with its own centralized deployment technology that can work independently or as part of an Active Directory implementation. This effectively eliminates the need to visit individual computers. Once in place, AppSense logging and reporting is centralized so administrators have a clear picture of user activity.

After the AppSense agent is installed, its kernel-level driver intercepts all requests to execute files and prevents unauthorized applications from starting via AppSense trusted ownership checking. If the NTFS owner of an application is not a trusted owner, the application is unauthorized and its execution is prevented. If more granularity is required for specific applications or users, AppSense Application Manager can allow or block applications based on rules you define. This can be done by placing either the executable's location or its digital signature into a whitelist or blacklist. These additional rules can be applied to individual users, specific machines, or to groups extracted from Active Directory.

If you're unsure whether you have a problem, or are concerned about the effect of blocking unauthorized executables, AppSense offers the unique ability to passively monitor the files users execute without alerting them.
It creates an audit trail of all applications you haven't authorized and gives you true visibility into what is happening, without impacting business processes.

To learn more about AppSense, call us at 866 277 7367, email [email protected], or visit us on the web at appsense.com.

© 2013, AppSense Limited. AppSense is a registered trademark of AppSense Limited in the US, UK and other countries worldwide. All rights reserved. All other trademarks are the property of their respective owners. The information in this document is believed to be correct at time of printing but no representation or warranty is made as to its accuracy or completeness.
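As an added example of the execution-control decision described under The Technology (trusted ownership checking first, then whitelist/blacklist rules by path or digital signer scoped to users or Active Directory groups, with a passive audit-only mode that records what would have been blocked). This is illustrative code written for this page, not AppSense's product code: the execute requests, NTFS owners, signer names, accounts, group memberships and rules are all constructed in memory, and no real files, ACLs or signatures are read. The rule precedence (an explicit blacklist entry beats a trusted owner) is this example's own assumption.

```python
"""Toy execution-control decision: trusted ownership checking, then
whitelist/blacklist rules, with a passive audit-only mode.

Added example, not AppSense product code. The execute requests are
constructed in-memory stand-ins for what a kernel driver would see (path,
NTFS owner, signer, requesting user); no real files, ACLs or signatures
are read. Owners, signer names, accounts and rules are all constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ExecRequest:
    path: str
    owner: str               # NTFS owner of the file
    signer: Optional[str]    # subject of a valid digital signature, or None
    user: str                # account asking to run it


@dataclass(frozen=True)
class Rule:
    scope: str   # user or AD group the rule applies to; "*" for everyone
    kind: str    # "path": glob on the full path, "signer": exact signer name
    value: str

    def hits(self, req: ExecRequest, groups: Set[str]) -> bool:
        if self.scope not in ("*", req.user) and self.scope not in groups:
            return False
        if self.kind == "path":
            return fnmatch(req.path.lower(), self.value.lower())
        return req.signer is not None and req.signer == self.value


# Owners whose files run without further rules (constructed set).
TRUSTED_OWNERS = {"NT SERVICE\\TrustedInstaller", "NT AUTHORITY\\SYSTEM",
                  "BUILTIN\\Administrators"}

# Constructed group membership, as it would be extracted from Active Directory.
GROUPS: Dict[str, Set[str]] = {"CORP\\alice": {"CORP\\Engineering"},
                               "CORP\\bob": {"CORP\\Finance"}}

# Constructed rules: a signer trusted for everyone, a dev folder for engineers,
# a shell blocked for everyone, and a tools folder blocked for finance staff.
WHITELIST = [Rule("*", "signer", "Contoso Software Ltd"),
             Rule("CORP\\Engineering", "path", r"C:\Dev\*\*.exe")]
BLACKLIST = [Rule("*", "path", r"C:\Windows\System32\cmd.exe"),
             Rule("CORP\\Finance", "path", r"C:\Program Files\Contoso\Tools\*")]

AUDIT: List[str] = []    # the audit trail a central console would collect


def decide(req: ExecRequest, audit_only: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason). An explicit blacklist entry wins over
    everything; otherwise a trusted owner or a whitelist hit allows, and
    anything else is blocked. In audit_only mode nothing is blocked, but the
    would-be verdict is still recorded."""
    groups = GROUPS.get(req.user, set())
    if any(r.hits(req, groups) for r in BLACKLIST):
        verdict, reason = "BLOCK", "blacklist"
    elif req.owner in TRUSTED_OWNERS:
        verdict, reason = "ALLOW", "trusted owner"
    elif any(r.hits(req, groups) for r in WHITELIST):
        verdict, reason = "ALLOW", "whitelist"
    else:
        verdict, reason = "BLOCK", "untrusted owner"
    if audit_only and verdict == "BLOCK":
        verdict, reason = "ALLOW", f"audit-only, would block: {reason}"
    AUDIT.append(f"{verdict} {req.user} {req.path} ({reason})")
    return verdict, reason


if __name__ == "__main__":
    # A downloaded file is owned by the user who saved it, not a trusted owner.
    dl = ExecRequest(r"C:\Users\alice\Downloads\invoice.pdf.exe",
                     "CORP\\alice", None, "CORP\\alice")
    print(decide(dl))                    # ('BLOCK', 'untrusted owner')
    print(decide(dl, audit_only=True))   # allowed, but recorded as a would-block
    print("\n".join(AUDIT))
```

The ownership check is what makes the model signature-free: a file dropped by an e-mail attachment or a download is owned by the ordinary user account that wrote it, so it fails the check regardless of whether any scanner recognizes it. The audit-only path shows how a pilot rollout can collect the same trail without blocking anything.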