Arming administrators with full client control

We’ve been using various versions of the FullArmor software since the mid-1990s, mostly to combat the problem of users (often students) modifying the machines at their desks or in university computer labs. These early versions allowed us to lock down each workstation so that malicious or ignorant users weren’t able to trash their machines. Well, things have evolved.

Think of all the hassles surrounding the design of a standard desktop configuration image. Designing a standard software library is easy enough using something such as Symantec’s Norton Ghost, but in this day of compliance bogeymen (otherwise known as lawyers), most IT managers must exercise even more control.

That’s where FullArmor’s IntelliPolicy for Clients shines. From a security standpoint, the product does a solid job, making short work of controlling admin-level passwords as well as providing lock-down capability for peripheral device access, notably USB devices. On the application side, IntelliPolicy addresses a problem that as administrators we’ve wrestled with longer than we want to remember. The trouble concerns many a legacy application (or even some badly designed “modern” ones) that require even casual users to log on to their systems with administrator-level access, a practice that can throw a monkey wrench into an otherwise carefully designed security policy.

IntelliPolicy combats unnecessary admin-level access by allowing true administrators to assign those rights to regular users one app at a time. In effect, users get administrator access but only within the specific application that requires it. Outside that app, they’re dropped back to their appropriate access levels, making administrators happy and keeping the compliance cretins at bay.

Outside security, we wind up at IntelliPolicy’s original reason for being: desktop configuration. The tool is exceptionally granular in this regard, allowing repeatable control of activities such as defining mapped drives, scheduled tasks, printer mappings, and automatically deployed desktop files or folders. All of this control is accomplished using Group Policy settings.

Installing IntelliPolicy was surprisingly easy. Our download-based installation file took only a few minutes to install, and most of the useful functionality integrated directly into Windows Server 2003’s Group Policy Manager. When managing clients, the software distributes as Microsoft installer scripts (.msi packages). The only requirement here is that all clients receiving the scripts must have a common shared directory on a file server.

The feature that we were dying to test out immediately was IntelliPolicy’s control of USB peripherals. In our work with security-conscious corporations and government agencies, controlling USB-based data theft has always been a big concern. Could FullArmor provide the administrator-based control of USB access we’ve been looking for?

Defining what IntelliPolicy calls “USB input-output only” functionality is a wizard-driven process that takes only a few minutes — unless you’re unprepared. Simply activate the wizard, indicate that you’d like USB access disabled within this configuration, and then enter the registry values that control the USB device library. If that just raised your eyebrows, no, we’re not kidding. You must know these registry values in order for IntelliPolicy to do its work. It’s a real posterior pain the first few times, but after you’re familiar with the process (and the registry values), you get fancy. It’s possible, for example, to input values that disable anyone trying to insert a USB thumb drive, while still maintaining the functionality of USB mice or keyboards.

Overall, IntelliPolicy for Clients is a powerful Windows administration tool designed to make that job easier, faster, and more effective. There’s still room for improvement in terms of ease of use, but FullArmor is light years past attempting the same functionality using Windows Server 2003’s native tools. If you’re willing to take a bit of time to learn the registry tweaks, this product can give you unparalleled control of your workstations without diving into the deep end of a costly and complex compliance management system.