Beyond Compliance: Combating Threats with Endpoint Configuration Management
Written by Randy Franklin Smith
Commissioned by Lumension Security, Inc.
© 2012 Lumension Security, Inc. and Monterey Technology Group, Inc.
Contents
Executive Summary
Business Drivers
    Endpoint Focus of Today’s Threats
    Compliance Mandates Specific to Workstation Configuration
        Federal Desktop Core Configuration
        Office of Management and Budget M-06-16 Mandate
        Payment Card Industry Data Security Standard
        Other Compliance Guidance
    Top Priority: Endpoint Security
Key Technical Issues
    Workstation Security is Important and Very Different than Server Security
    Configuration Management is the Foundation of Endpoint Security
    Group Policy: An Important Part of the Solution
        Where Group Policy Works: Core Configuration
            Security Filtering
            Results and Modeling Wizards
            Auditing
            Import/Backup/Restore Operations
        Where Group Policy Stops
            1. Unsupported Security Settings
            2. Managed Execution of Custom Scripts
            3. Reporting and Validation
    Configuration Management: Only One Piece of Endpoint Security
Solution: Lumension® Endpoint Management and Security Suite
    Configuration Management
        Policy Assessment and Enforcement
        SCAP Validated FDCC Scanner
        Visibility and Reporting
        Content Wizard
    Beyond Configuration Management: Comprehensive Endpoint Management and Security
Conclusion
About Randy Franklin Smith
About Lumension
Disclaimer
Executive Summary
The risks to organizations are more dangerous than ever as attackers focus their efforts on the endpoint. In
the past couple years we have seen well known businesses suffer huge losses of intellectual property and
goodwill because of attacks that began at the endpoint. As these risks continue to rise, regulators are
responding with increased compliance mandates that go deeper and are more prescriptive. Organizations
cannot afford the penalties of non-compliance, much less the real losses and costs associated with security
breaches. These factors create a powerful business driver for making endpoint security the number one
priority for information security today.
Workstation (laptops, desktops, etc.) configuration management is the foundation of endpoint security. All
other endpoint security technologies that run on the operating system (OS) – such as antivirus, patching,
encryption and application control – can be compromised or circumvented if the OS itself is insecure.
But a common misconception persists that security on workstations is less important than on servers, with
more simple security requirements. Workstations are, in fact, a critical part of the overall trusted computing
base within an organization just like servers, storage devices and routers. Any computer, regardless of who it
belongs to or what data is present on it, can serve as a beachhead from which attackers move deeper into an
organization.
Most endpoints are Windows workstations in an Active Directory (AD) domain. This allows administrators to
use Group Policy to configure many of those computers’ settings. However, certain limitations in Group Policy
prevent it from delivering comprehensive configuration management. To help address these issues,
organizations should mature their use of Group Policy to leverage advanced features like security filtering,
modeling wizards, change control and audit. However, even with these advanced capabilities, Group Policy
does not constitute a comprehensive endpoint configuration management solution. Organizations are still
faced with unsupported security settings, how to manage the execution of custom scripts, and a lack of
visibility and reporting.
Lumension® Security Configuration Management (SCM) works along with Group Policy to fill these remaining
gaps by providing independent validation of security configuration against industry standard baselines.
Lumension® Endpoint Management and Security Suite (L.E.M.S.S.) actively tracks policy enforcement on each
endpoint and provides deep visibility into all exceptions and policy enforcement failures. L.E.M.S.S. fills the
gaps in group policy with a powerful wizard-based facility that simplifies the management of custom
configuration and script execution.
But configuration management is just the first layer of endpoint security. Multiple additional technologies
must be deployed to address the wide-ranging threats affecting endpoints in particular and there are too
many such technologies to use a piecemeal approach that combines numerous point solutions.
Correspondingly, Lumension® Security Configuration Management is just one piece of the overall Lumension®
Endpoint Management and Security Suite. Lumension® Endpoint Management and Security Suite combines
all of these technologies into a single, integrated solution that provides comprehensive endpoint security,
while maintaining a productive end-user experience and preserving efficiency within IT.
Business Drivers
Workstation security and configuration management are more important than they ever were. Endpoints are
more powerful than ever and locally store copies of more sensitive data. Moreover, today’s attackers
target workstations more than ever. In this section we will explain why the workstation is the initial,
tactical target of today’s attackers and explore the compliance regulations that authorities are
developing in response.
Endpoint Focus of Today’s Threats
After years of focus on the server and perimeter, workstation security has reemerged as the weak link in
today’s organization. Attackers are more sophisticated than ever in the history of computers. Today’s
attacker is financially or politically motivated and can draw on the resources of a large organization and
an ecosystem of malware vendors and botnet providers. While their strategic aim may require much
deeper penetration within the targeted organization’s network, any endpoint presents a very desirable
target from a tactical point of view because:
1) A compromised endpoint provides a beachhead within the organization from which the attacker can
then use a variety of methods that fly under the radar.
2) Endpoints are especially vulnerable due to the direct interaction with end-users and the processing of
large amounts of content from the Internet.
[Figure: Endpoint Focus of Today’s Attacks; Desktop Compliance Mandates; Priority 1: Endpoint Security]
Compliance Mandates Specific to Workstation Configuration
As privacy concerns intensify and exposures of confidential data
mount, governments and other regulatory bodies are recognizing
that the endpoint is the first place to start. The response is a growing number of compliance mandates
that specifically address workstation security configuration.
Federal Desktop Core Configuration
The Federal Desktop Core Configuration (FDCC), developed by the National Institute of Standards and
Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS),
provides a set of security configuration standards to which all federal agencies must adhere, as
mandated by the Office of Management and Budget (OMB).
Office of Management and Budget M-06-16 Mandate
The OMB M-06-16 Mandate requires agencies to establish safeguards for sensitive agency data on
laptops and workstations. To achieve compliance with the M-06-16 Mandate, agencies must enforce
security measures that safeguard the integrity and availability of sensitive agency information at the
endpoint.
Payment Card Industry Data Security Standard
The continuation of massive credit card data breaches at many high profile organizations prompted the
development of the Payment Card Industry Data Security Standard (PCI DSS), which standardizes how
credit card data should be protected.
To achieve compliance with the PCI DSS, vendors and service providers must adhere to six major
categories of requirements, with a total of twelve PCI-required controls, covering access management,
network security, incident response, network monitoring and testing and information security policies.
Unquestionably, PCI DSS includes workstation configuration management because it designates a
cardholder data network (CDN) that encompasses all components that come into contact with
cardholder data, either at rest or in transit. This includes all workstations and other endpoints that
process cardholder data or connect to such systems.
Other Compliance Guidance
There are a myriad of other compliance mandates which organizations must be aware of, depending on
their industry and jurisdiction. In addition, there are a number of useful guidelines which may help
organizations meet their cybersecurity obligations. Here are a few to consider:
- Data Protection laws on a pan-national level (e.g., the EU Data Protection legislation[1]), national
  level (e.g., the UK Data Protection Act[2]) or state level (currently, 49 US states and territories
  have data breach notification laws[3]). Be aware that some of these extend their reach beyond
  their natural borders; for instance, the Massachusetts data protection law (MA 201 CMR 17)
  pertains to all organizations holding sensitive personal information on any resident of the
  Commonwealth.[4]
- US Federal configuration guidelines from the National Institute of Standards and Technology
  (NIST) such as SP 800-53 (entitled Recommended Security Controls for Federal Information
  Systems and Organizations)[5] and FIPS 200 (entitled Minimum Security Requirements for Federal
  Information and Information Systems)[6] might be useful to non-governmental organizations as
  well.
- Other guidelines such as the Critical Security Controls (fka the Consensus Audit Guidelines) from
  the SANS Institute[7], SSAE 16 (which replaces the old stalwart SAS 70), COBIT, and so on.

[1] See http://ec.europa.eu/justice/data-protection/index_en.htm
[2] See http://www.legislation.org.uk/
[3] See http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
[4] See http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
[5] See http://csrc.nist.gov/publications/PubsSPs.html
[6] See http://csrc.nist.gov/publications/PubsFIPS.html
[7] See http://www.sans.org/critical-security-controls/guidelines.php
Top Priority: Endpoint Security
In the past couple years we have seen well known businesses suffer huge losses of intellectual property
and goodwill because of attacks that began at the endpoint. Regulators are responding with increased
compliance mandates that go deeper and are more prescriptive. Organizations cannot afford the
penalties of non-compliance, much less the real losses and costs of security breaches. These factors
create a powerful business driver for improving endpoint security. In the next section we will discuss the
key technical issues concerning workstation configuration management and its essential role in endpoint
security.
Key Technical Issues
Workstation configuration management is the foundation of endpoint security. All other endpoint
security technologies that run on the OS (e.g., antivirus, patching, encryption, application whitelisting)
can be compromised or circumvented if the OS itself is insecure.
Most endpoints are Windows workstations in an Active Directory (AD) domain, allowing administrators
to use Group Policy to configure many of those computers’ settings. However, certain limitations in
Group Policy encourage a “set and forget” approach to workstation configuration, which fails to address
today’s risks and compliance regulations. We will explore these important gaps later in this section, but
first let’s consider a more fundamental issue.
[Figure: Workstation Security vs. Server Security]
Workstation Security is Important and Very Different than Server Security
Workstations cannot be treated like servers; they require a very
different configuration to match a very different use case. Servers are
configured to sit “headless” in a computer room and service transaction
requests over the network. As such, servers must be hardened at the network layer, and access control
within the file system and other resources is critical. On the other hand, with a few exceptions for
remote management connections, workstations can flatly refuse inbound connections.
Going back to servers, except for thin-client systems, the only interaction at the GUI level that servers
have is with IT professionals. In contrast, workstations constantly interact with end-users who typically
have less security awareness and directly process content from the Internet like emails, documents,
images, html, flash, java and other types of rich content.
The type of exploits and the hardening techniques required in response are very different. For example,
on servers you need to close all unneeded ports and patch remaining services against buffer overflows.
On workstations, network-based attacks should be easily rebuffed by the workstation firewall with a
very simple configuration. On the other hand, workstations must be patched against an unending list of
content-based exploits, such as malformed images or malicious flash content embedded in an Excel
spreadsheet. These are vulnerabilities to which most servers are not exposed if basic best practices are
followed, such as not browsing the web.
Another difference lies in the service window characteristics encountered with workstations and
servers. On servers, your opportunity to patch and remediate should be as short as possible, occur on a
predictable basis and in general be very controlled, whereas workstations typically do not have a
particularly regular usage pattern, so there may be more flexibility in the scheduling of patching and
remediation. On the other hand, the availability/connectivity of mobile laptops is quite unpredictable
compared to servers. Laptops are often disconnected from the corporate LAN for weeks or even
indefinitely, making web-based management very desirable.
The lack of awareness on this distinction between workstation and server security is at least partly due
to a lingering misconception, dating back to mainframe days, that workstations are not as important to
security as servers are. Workstations are in fact a critical part of the overall trusted computing base
within an organization, just like servers, storage devices and routers. After all, the organization’s
information is in motion and/or at rest on all of these components. An attacker that compromises a
server, device or workstation can steal or tamper with any information with which that component
comes into contact.
Today it is the exception to find a workstation or laptop without sensitive data on it because so many
applications, such as Outlook, SharePoint, and CRM systems, store corporate data on local workstations.
But even a workstation assigned to the lowliest member of an organization constitutes an important
tactical target to attackers. This is true because any computer, regardless of who it belongs to or what
data is present on it, can serve as a beachhead from which attackers move deeper into an organization.
This very fact was demonstrated in the notorious attack on RSA last year. A mere handful of low level
employees were targeted by a malicious email which allowed attackers to gain control of their
endpoints. Having established a beachhead on one of the employee’s computers, the attackers moved
out from there to gain access to apparently extremely sensitive and proprietary data about RSA SecurID
product technology that had far reaching consequences for RSA and its customers.
Configuration Management is the Foundation of Endpoint Security
As established earlier in this paper, endpoint security is more important than ever. But endpoint security
encompasses so many different risk vectors and technologies, such as:
- Disk encryption
- Data leakage prevention
- Patch management
- Anti-virus
- Application whitelisting
- Firewall
- Device control
- Port control
With so many aspects to endpoint security, where does an organization begin? Fundamentally, all of the
above endpoint security technologies are simply applications running on an OS. One of the fundamental
laws of computer security is that an application is only as secure as the OS upon which it runs. Therefore,
configuration management is the foundation of endpoint security.
Configuration management is the first step in coming to grips with today’s endpoint security crisis. So
organizations need to be able to centrally mandate strong and consistent security configuration
standards to all endpoints so that additional layers of endpoint defense can be built on top of that solid
foundation.
Group Policy: An Important Part of the Solution
Thankfully Windows endpoints have a powerful technology to help automate configuration in the form
of Group Policy. Organizations with Windows endpoints belonging to an AD domain should use Group
Policy to perform the core configuration. We will consider several features of Group Policy that are
important to understand and use in order to manage endpoint security effectively.
While Group Policy is powerful, it is not intended to be a comprehensive configuration management
solution. We will identify three areas of configuration management not addressed by Group Policy.
Where Group Policy Works: Core Configuration
Group Policy is an effective and flexible technology for defining the hundreds of settings that comprise a
Windows configuration state. Not only does Group Policy support almost every setting in Windows, the
application of a Group Policy Object (GPO) is embedded deep within the Windows OS so that it is very
difficult for administrators to override and for all practical purposes impossible for end-users to
circumvent. Within minutes an administrator can create one GPO that configures hundreds of settings
on thousands of computers.
However, Group Policy must be used carefully and effectively because it can easily be misconfigured,
resulting in adverse impact to the security and availability of hundreds or thousands of endpoints. To
make effective use of Group Policy without adverse consequences it is important to get beyond the
basic functionality of Group Policy and leverage several more advanced features:
- Security Filtering
- Results and Modeling Wizards
- Auditing
- Import/Backup/Restore Operations
Next we will show how to use these features to ensure Group Policy is configured correctly and that
changes to it are subject to appropriate change controls.
Security Filtering
Group Policy’s flexibility allows administrators to tailor security settings to handle different types of
systems as well as exceptions for special users or other circumstances. One feature in particular of
Group Policy that organizations should make more use of is Security Filtering. Too often organizations
rely exclusively on Organizational Units (OU) to set the scope of group policy application. This is
understandable because it is easy to grasp how linking a GPO to an OU will result in all computers within
that OU receiving group policy.
But OUs control more than just group policy application; primarily, OUs control the delegation of
administrative authority, which is critical to implementing least privilege in AD. In fact, OUs are the only
way to delegate administrative authority, whereas OUs are just one way to scope group policy. Security
Filtering is an alternative way to scope group policy application completely independent of OU
hierarchy.
Security Filtering leverages GPO permissions to limit the users or computers to which the GPO is applied.
By default, the Authenticated Users special principal is listed under the GPO’s Security Filter. Since all
domain users and computers are automatically part of Authenticated Users, the GPO is applied to all
users and computers in the container (domain or OU) where the GPO is linked. But if an administrator
removes Authenticated Users and adds some other group, the GPO is now applicable only to the
members of that particular group. To apply a GPO to a certain set of users or computers regardless of
which OU they reside in, the administrator can simply link the GPO to the root of the domain and then
replace Authenticated Users in the Security Filtering list of the GPO with the appropriate group.
Thus, Security Filtering is an important feature for allowing the OU hierarchy to reflect the division of
delegated administrative authority while preserving the ability to apply specific configuration policies to
the appropriate users and groups.
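The scoping change described above, expressed with the GroupPolicy module cmdlets. This is an added example, not code from the paper or from Lumension; the GPO name, the group name and the choice to link at the domain root are assumptions. It also adds one caveat the paper predates: since the 2016 Group Policy security update (MS16-072), user settings in a GPO are retrieved using the computer account, so the computer must keep Read on the GPO even when only a chosen group should Apply it.

```powershell
# Added example (not from the paper): scope a GPO with Security Filtering rather
# than OU placement. Assumed names: GPO "Workstation-Security-Baseline" and
# security group "Managed-Workstations"; the domain DN is read from AD.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Workstation-Security-Baseline'   # assumed GPO
$applyTo  = 'Managed-Workstations'            # assumed group that should receive it
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Link the GPO at the domain root, so the OU a computer sits in no longer
#    decides whether it receives the policy. Get-GPO throws if the name is wrong.
$gpo   = Get-GPO -Name $gpoName
$links = (Get-GPInheritance -Target $domainDN).GpoLinks
if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# 2. Downgrade Authenticated Users from Apply to Read (-Replace drops the old
#    level first). Caveat added here, not in the paper: after MS16-072 the
#    computer account must still be able to *read* the GPO, so do not remove
#    Authenticated Users entirely or user settings silently stop applying.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant Apply to the intended group only.
Set-GPPermission -Name $gpoName -TargetName $applyTo -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Verify the resulting filter: exactly one trustee should now hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

Run it from a management host with RSAT installed, as an account allowed to edit the GPO and to link at the domain root. The verification step is the part worth keeping in a change record: a second trustee with GpoApply, or Authenticated Users still holding it, means the filter is not doing what the change intended.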
Results and Modeling Wizards
Group Policy is flexible enough to handle almost any configuration scenario. This flexibility is provided
through multiple ways to scope Group Policy, and several methods for adjusting the order of
precedence that arbitrates between conflicting GPOs to arrive at a given computer’s Resultant Set of
Policy (RSOP). The various options that can impact Group Policy application include:
- Container to which a GPO is linked
- Security filtering
- WMI filtering
- Disabled GPO links
- Disabled Computer Configuration
- Disabled User Configuration
- Enforced GPOs
- No override GPOs
Complexity, though, is the price for such flexibility. It is very easy to misconfigure Group Policy, resulting
in organizations assuming their endpoints are configured securely while in fact they are not, because of
some unaccounted for interaction between the many options that impact group policy application.
Organizations need positive confirmation that group policy is being applied according to expectations.
There are two wizards in the Group Policy Management Console that provide some help in gaining this
confirmation.
The Group Policy Results Wizard allows you to choose one computer and generate a report detailing
exactly which GPOs were applied to that computer and in what order of precedence, having taken into
consideration all factors that influence the RSOP. The good news with the Results Wizard is that it shows
you the actual results in effect. For each setting within Group Policy the Results Wizard identifies the
applied value and the winning GPO that supplied it. But the bad news is that the Results Wizard only
reports this information for one computer. There is no way to aggregate this results data from many
computers into one analysis of your overall endpoint security posture.
On the other hand, the Group Policy Modeling Wizard allows you to select an organizational unit and
simulate the RSOP expected for a typical computer within that OU. The good news is that the Modeling
Wizard allows you to model the configuration anticipated for many computers. But the bad news is that
its data is not guaranteed to be accurate since you must make several assumptions when defining the
report. Some of these assumptions include the groups to which a typical computer belongs so that the
wizard can take security filtering into account as well as WMI filters.
The bottom line is that while the Results and Modeling Wizards, when used together, can give a degree
of assurance about the security posture of an organization’s endpoints, group policy cannot provide
comprehensive, quantitative confirmation. This gap will be explored later in this paper.
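The Results Wizard reports one computer at a time; the same RSoP query is available from PowerShell, and running it in a loop gives the aggregate view the console lacks. The following is an added example, not code from the paper or from Lumension, and it goes one step beyond the text by tabulating per-GPO results across a whole OU. The OU name is assumed, and it assumes the GroupPolicy and ActiveDirectory modules plus remote access to the target computers; the element names used from the RSoP XML (`ComputerResults/GPO`, `FilterAllowed`, `AccessDenied`) are those of the report format produced by Get-GPResultantSetOfPolicy.

```powershell
# Added example (not from the paper): collect RSoP for every computer in an OU and
# aggregate which GPOs actually applied. Assumed OU; replace with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$reportDir  = Join-Path $env:TEMP 'rsop-aggregate'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase |
    Select-Object -ExpandProperty Name

$rows = foreach ($c in $computers) {
    $path = Join-Path $reportDir "$c.xml"
    try {
        # The same data the Results Wizard shows for one computer, saved as XML.
        Get-GPResultantSetOfPolicy -Computer $c -ReportType Xml -Path $path | Out-Null
    } catch {
        # Unreachable laptops are exactly the endpoints whose state is unknown:
        # record that instead of silently dropping them from the totals.
        [pscustomobject]@{ Computer = $c; GPO = '<unreachable>'; Applied = $false; Reason = $_.Exception.Message }
        continue
    }
    [xml]$rsop = Get-Content -Path $path -Raw
    foreach ($g in $rsop.Rsop.ComputerResults.GPO) {
        # FilterAllowed is false when a security or WMI filter excluded the GPO;
        # AccessDenied is true when the computer could not read it.
        $applied = ($g.FilterAllowed -eq 'true') -and ($g.AccessDenied -ne 'true')
        $reason  = if ($applied) { '' }
                   elseif ($g.AccessDenied -eq 'true') { 'access denied' }
                   else { 'security/WMI filter' }
        [pscustomobject]@{ Computer = $c; GPO = $g.Name; Applied = $applied; Reason = $reason }
    }
}

# Aggregate view: for each GPO, how many computers applied it and how many did not.
$rows | Group-Object GPO | ForEach-Object {
    [pscustomobject]@{
        GPO        = $_.Name
        Applied    = @($_.Group | Where-Object { $_.Applied }).Count
        NotApplied = @($_.Group | Where-Object { -not $_.Applied }).Count
    }
} | Sort-Object NotApplied -Descending | Format-Table -AutoSize

# Exceptions worth chasing: every computer on which a GPO did not apply, and why.
$rows | Where-Object { -not $_.Applied } | Format-Table Computer, GPO, Reason -AutoSize
```

The unreachable entries matter as much as the filtered ones: a baseline that shows "applied" on every machine that answered says nothing about the laptops that did not, which is the visibility gap the next paragraphs return to.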
Auditing
Because Group Policy changes can have such deep impact to the security configuration of so many
computers in such a short period of time, organizations need to know when Group Policy related
changes occur and who performed them. The Directory Service category of Windows auditing allows
administrators to receive notification of changes to GPOs themselves or Group Policy related settings on
containers (OUs, domains and sites) in the Windows security log of domain controllers.
In addition to enabling the Directory Services Changes audit category on domain controllers,
administrators must edit the audit policy of the root of the domain in AD Users and Computers. Enable
auditing of Write permission on groupPolicyContainer objects to catch changes to GPOs themselves.
Audit the Write Property permission on gpLink and gpOptions attributes of domains, OUs and sites to
catch group policy related changes to container objects. Once these audit policies are in place, Windows
will log event ID 5136 whenever something related to Group Policy is changed.
To also audit the creation and deletion of GPOs, administrators should enable auditing of Create and
Delete permissions on the root of the domain for groupPolicyContainer objects. Windows will log event
IDs 5137 and 5141 to the Security log when GPOs are created or deleted respectively.
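The audit configuration just described, followed by a query that turns the resulting events into a review table, as an added example (not code from the paper or from Lumension). It assumes it runs on a domain controller as a domain administrator with the ActiveDirectory module available, and it resolves the schema GUIDs for groupPolicyContainer, gpLink and gpOptions at run time rather than hard-coding them. The EventData field names (ObjectDN, ObjectClass, AttributeLDAPDisplayName, OperationType, and so on) are those of events 5136, 5137 and 5141; the OperationType value `%%14674` is the "Value Added" code in 5136.

```powershell
# Added example (not from the paper): (1) enable the audit settings described in
# the text at the domain root, (2) read back Group Policy change events.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schema GUIDs instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapName'" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$gpcClass = Get-SchemaGuid 'groupPolicyContainer'
$gpLink   = Get-SchemaGuid 'gpLink'
$gpOpts   = Get-SchemaGuid 'gpOptions'

# 1a. The subcategory must be on, or no 5136/5137/5141 are written at all.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 1b. SACL entries at the domain root, inherited downward:
#     Write on groupPolicyContainer objects     -> GPO edits          (5136)
#     Create/Delete child groupPolicyContainer  -> GPO create/delete  (5137/5141)
#     Write gpLink / gpOptions on any container -> link changes       (5136)
$everyone = [System.Security.Principal.NTAccount]'Everyone'
$success  = [System.Security.AccessControl.AuditFlags]::Success
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$ruleType = [System.DirectoryServices.ActiveDirectoryAuditRule]

$acl = Get-Acl -Path "AD:\$domainDN" -Audit
$acl.AddAuditRule($ruleType::new($everyone, $rights::WriteProperty, $success, $inherit::Descendents, $gpcClass))
$acl.AddAuditRule($ruleType::new($everyone, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
                                 $success, $gpcClass, $inherit::All))
foreach ($attr in @($gpLink, $gpOpts)) {
    $acl.AddAuditRule($ruleType::new($everyone, $rights::WriteProperty, $success, $attr, $inherit::All))
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 2. Read the change events back; each event's EventData becomes a hashtable.
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents 1000 -ErrorAction SilentlyContinue
$changes = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Keep only Group Policy activity: GPO objects themselves, or link attributes on containers.
    $gpoRelated = ($d.ObjectClass -eq 'groupPolicyContainer') -or ($d.AttributeLDAPDisplayName -in @('gpLink', 'gpOptions'))
    if (-not $gpoRelated) { continue }
    $operation = switch ($e.Id) {
        5137    { 'GPO created' }
        5141    { 'GPO deleted' }
        default { if ($d.OperationType -eq '%%14674') { 'value added' } else { 'value deleted' } }
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Operation = $operation
        Object    = $d.ObjectDN
        Attribute = $d.AttributeLDAPDisplayName
        Value     = $d.AttributeValue
    }
}
$changes | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A gpLink change on the domain root or an OU by an account outside the GPO change process is the record to alert on; the query above is the shape of that detection, and it works only if the SACL entries in step 1b are present, since the audit subcategory alone produces nothing for objects without a SACL.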
Import/Backup/Restore Operations
Another important requirement, given the huge impact Group Policy has on endpoints, is change
control. By default, the authority to edit GPOs is limited to domain administrators and their delegates;
but in addition to access permissions, organizations need the ability to test and roll back Group Policy
changes. The Group Policy Management Console allows administrators to back up and restore GPOs and
to import the settings from a backed-up GPO. Organizations should implement standard operating
procedures that ensure GPOs are always backed up prior to modification.
In addition, proposed changes to GPOs should be tested in a development OU or domain and then
moved to the production GPO. One way to move tested settings from a development GPO to a
production GPO is to back up the tested GPO to a file, then select the targeted production GPO and
import the settings from that backup. By importing just the settings rather than restoring the entire GPO,
administrators can get the updated settings without overwriting other aspects of the production GPO
such as security filtering, delegated permissions, and WMI filters.
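The backup, promote and verify sequence above, scripted with the GroupPolicy module, as an added example that is not code from the paper or from Lumension. The production and development GPO names and the backup folder are assumptions; the cmdlets (Backup-GPO, Import-GPO, Restore-GPO, Get-GPOReport, Get-GPPermission) are the module's own.

```powershell
# Added example (not from the paper): back up production, promote tested settings,
# verify the scope survived, and keep a rollback point. Assumed names below.
Import-Module GroupPolicy
$prodName   = 'Workstation-Security-Baseline'       # assumed production GPO
$devName    = 'DEV-Workstation-Security-Baseline'   # assumed tested copy
$backupRoot = 'D:\GPOBackups'                       # assumed backup folder
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

function Get-PermissionSnapshot([string]$Name) {
    # "Trustee:Permission" strings, so two snapshots can be compared line by line.
    @(Get-GPPermission -Name $Name -All | ForEach-Object { '{0}:{1}' -f $_.Trustee.Name, $_.Permission })
}

# 1. Back up production first: this backup is the rollback point. Keep the
#    settings report next to it so the "before" state is reviewable later.
$prodBackup = Backup-GPO -Name $prodName -Path $backupRoot -Comment "pre-change $stamp"
Get-GPOReport -Name $prodName -ReportType Xml -Path (Join-Path $backupRoot "$prodName-$stamp-before.xml")
$permsBefore = Get-PermissionSnapshot $prodName
$wmiBefore   = (Get-GPO -Name $prodName).WmiFilter

# 2. Back up the tested GPO and import only its settings into production.
$devBackup = Backup-GPO -Name $devName -Path $backupRoot -Comment "promote $stamp"
Import-GPO -BackupId $devBackup.Id -Path $backupRoot -TargetName $prodName | Out-Null

# 3. Verify that security filtering, delegation and the WMI filter were left alone.
$permsAfter = Get-PermissionSnapshot $prodName
$permDiff   = Compare-Object -ReferenceObject $permsBefore -DifferenceObject $permsAfter
$wmiAfter   = (Get-GPO -Name $prodName).WmiFilter
if ($permDiff -or ($wmiBefore.Name -ne $wmiAfter.Name)) {
    Write-Warning "Scope of $prodName changed during import; review before relying on it:"
    $permDiff | Format-Table -AutoSize
}
Get-GPOReport -Name $prodName -ReportType Xml -Path (Join-Path $backupRoot "$prodName-$stamp-after.xml")

# 4. Rollback, if the change misbehaves, is one command against the step 1 backup:
#    Restore-GPO -BackupId $prodBackup.Id -Path $backupRoot
```

The two XML reports are what a reviewer diffs to confirm that only the intended settings moved; the permission and WMI checks guard the part of the GPO that an import is supposed to leave untouched.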
Where Group Policy Stops
Even with the advanced capabilities, Group Policy does not constitute a comprehensive endpoint
configuration management solution. In this section we will discuss the three areas where additional
technology is needed beyond Group Policy to satisfy compliance requirements and to meet today’s
endpoint security needs.
1. Unsupported Security Settings
While Group Policy certainly covers the majority of Windows security settings, there are some areas of
configuration that go unmanaged. BIOS settings are very important to security since they relate to the
secure boot device sequence, hardware passwords, hardware security devices such as biometric devices
and smart card readers, as well as hard drive passwords. Because BIOS settings vary so widely by vendor
and model, these settings are not managed by Group Policy.
Applications also have security related settings that can have great impact on the vulnerability or
resilience of endpoints. For instance, Microsoft Excel spreadsheets can contain a variety of active
content that is enabled by default. In the famous intrusion at RSA, the initial attack could have been
thwarted by disabling flash content in Office applications. This is just one example of the real world
importance of application security configuration. But applications are outside the native scope of Group
Policy, and very few application vendors provide Group Policy extensions to manage their applications’
settings via Group Policy.
Administrators can potentially leverage the “preferences” feature of Group Policy to manage application
security settings. The Preferences section of a GPO allows administrators to configure application
registry values or modify application configuration files. But it is very important to realize that these
definitions are preferences and not policies. Policies are enforced by Windows and it is very difficult to
override or circumvent them. Preferences, on the other hand, are applied at the time of Group Policy
processing but can be overwritten by end-users or the application itself between applications of Group
Policy.
2. Managed Execution of Custom Scripts
Besides OS and application security settings, there are frequently operations that need to be performed
to maintain the security of endpoints. These operations are typically performed via the command line or
through scripts and cannot be accomplished through a simple registry tweak or Group Policy settings.
The only method for executing custom scripts via Group Policy is via startup/shutdown scripts and
logon/logoff scripts which, as the terms imply, allow you to trigger the execution of a provided script
when a system starts up, shuts down, or at the time a user logs on or off.
Unfortunately, system startup and logon events are often outside the control and scheduling of
administrators. Also, it may be a comparatively long time before an important script is executed by
Group Policy. There are a number of other downsides to trying to manage the execution of custom
scripts via Group Policy. First, Group Policy attempts to execute the script each time the associated
event (e.g., logon) occurs, but some operations should only be performed once. This means that
additional logic must be coded into the script to prevent repeated execution of the critical operation.
Furthermore, scripts don’t always execute successfully on endpoints because of the inherent uniqueness
of each endpoint, resulting from that endpoint’s hardware and that particular end-user’s role and habits.
Unfortunately, Group Policy provides no tracking or reporting functionality to assess the aggregate
success of a script across the large number of endpoints at any organization.
3. Reporting and Validation
The matter of tracking and reporting brought up in the previous section extends beyond just the
execution of custom scripts. Group Policy can fail for many different reasons, such as DNS problems,
permission issues, and domain controller health, just to name a few. Furthermore, individual endpoints
can have health or connectivity issues that prevent a GPO from being applied.
Moreover, Group Policy can be misconfigured and the Modeling and Results Wizards discussed above
fall short of providing comprehensive and quantitative visibility into the status and health of
configuration management across all endpoints. A medium or large organization may have dozens of
GPOs and hundreds or thousands of endpoints, but no way to report on their status or compliance with
mandated security standards.
Without such reporting, Group Policy is very much a fire-and-hope technology. For compliance, and in
order to lay a solid foundation for additional layers of endpoint security, organizations need an
aggregate view of the security posture of all endpoints.
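The two gaps described in sections 2 and 3 above (run-once logic in custom scripts, and the missing aggregate view of whether scripts and policy actually applied) as one added example, not code from the whitepaper or from Lumension. Part 1 is the body of a Group Policy computer startup script; part 2 is run from an administrator's workstation. The share path, registry marker key, operation name and the hardening operation itself are assumptions.

```powershell
# Added example. Part 1: a startup script that performs a one-time operation only
# once per endpoint and records its outcome centrally. Part 2: aggregate those records.
$StatusShare = '\\fileserver\gpstatus$'            # assumed share; computer accounts need write access
$MarkerKey   = 'HKLM:\SOFTWARE\Contoso\RunOnce'    # assumed registry key holding "already done" markers

function Invoke-OnceWithStatus {
    param([string] $Id, [scriptblock] $Action)

    # Group Policy re-runs a startup script on every boot, so the script itself
    # must remember that the operation already completed on this endpoint.
    if (Get-ItemProperty -Path $MarkerKey -Name $Id -ErrorAction SilentlyContinue) {
        $result = 'AlreadyDone'
    } else {
        try {
            & $Action
            New-Item -Path $MarkerKey -Force | Out-Null
            New-ItemProperty -Path $MarkerKey -Name $Id -Value (Get-Date -Format 'o') -Force | Out-Null
            $result = 'Success'
        } catch {
            # Endpoint-specific failures (hardware, local state) are exactly what
            # Group Policy never reports back; record them instead of losing them.
            $result = "Failed: $($_.Exception.Message)"
        }
    }
    # One record per endpoint and operation, overwritten on each run, so the
    # central view always reflects the latest attempt.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Operation = $Id; Result = $result; Time = Get-Date -Format 'o'
    } | Export-Csv -Path (Join-Path $StatusShare "$($env:COMPUTERNAME)-$Id.csv") -NoTypeInformation
    return $result
}

# Part 2: the aggregate view Group Policy lacks, built from the status records.
function Get-OperationStatusSummary {
    param([string] $Share, [string] $Id, [string[]] $ExpectedComputers)

    $records  = @(Get-ChildItem -Path $Share -Filter "*-$Id.csv" | Import-Csv)
    $reported = $records | ForEach-Object { $_.Computer }
    # Endpoints with no record never ran the script: offline, GPO not applied, or no
    # restart since the GPO was linked. These silent cases are the ones to chase first.
    $missing  = @($ExpectedComputers | Where-Object { $reported -notcontains $_ })

    [pscustomobject]@{
        Operation = $Id
        Succeeded = @($records | Where-Object { $_.Result -in 'Success', 'AlreadyDone' }).Count
        Failed    = @($records | Where-Object { $_.Result -like 'Failed*' })
        NeverRan  = $missing
    }
}

# Usage (assumed operation: turn off a service the baseline deems unnecessary).
# The expected-computer list assumes the ActiveDirectory module and an OU name.
# Invoke-OnceWithStatus -Id 'disable-remoteregistry-v1' -Action {
#     Set-Service -Name RemoteRegistry -StartupType Disabled -ErrorAction Stop
#     Stop-Service -Name RemoteRegistry -ErrorAction Stop
# }
# Get-OperationStatusSummary -Share $StatusShare -Id 'disable-remoteregistry-v1' `
#     -ExpectedComputers (Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=contoso,DC=com').Name
```

Because the startup script runs as SYSTEM, the record is written with the computer account; granting computers write-only access to the share keeps one endpoint from reading or altering another's status.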
Configuration Management: Only One Piece of Endpoint Security
While Configuration Management is the foundation of endpoint security, it is still only one piece. There
are so many layers on top of configuration management required to address the very real threats of
endpoint security today. Organizations are faced with providing:
- Disk encryption
- Data leakage prevention
- Patch management
- Anti-virus
- Application whitelisting
- Firewall
- Device control
- Port control
With all of the threat vectors facing endpoints today and the technologies that must be brought to bear
against them, endpoint security has become a veritable Medusa’s head, with each serpent that is slain
seeming to produce two in its place. This translates to an overload of security agents consuming resources
on endpoints, and a plethora of disconnected security systems for administrators to coordinate and
manage. The traditional piecemeal approach to endpoint security desperately needs a new, more
coordinated, consolidated and comprehensive approach.
Solution: Lumension® Endpoint Management and Security Suite
Confronting the multitude of risks affecting endpoints today, while maintaining good performance on
endpoints and efficiently managing the array of required security technologies, requires a
comprehensive and consolidated endpoint security solution. It must combine all required technologies
into a single agent and allow administrators to manage them from a single, unified administrative
console.
That requirement is the driving force behind the design of Lumension® Endpoint Management and
Security Suite (L.E.M.S.S.) which combines all critical endpoint security technologies into one endpoint
agent and presents a single, integrated command and control interface to administrators.
[Figure: Comprehensive Configuration Management – Lumension Security Configuration Management (Policy Assessment and Enforcement, SCAP Validated FDCC Scanner, Content Wizard, Visibility and Reporting) layered on top of Group Policy]
Configuration Management
As shown earlier in this whitepaper, configuration management is the foundation of endpoint security.
While Group Policy provides the first step in configuration management, important gaps remain that
prevent organizations from completing a solid foundation upon which to build the rest of their endpoint
security strategy.
The L.E.M.S.S. Security Configuration Management module works with Group Policy to fill these
remaining gaps by providing independent validation of security configuration against industry standard
baselines. L.E.M.S.S. provides comprehensive validation which does not rely on sampling a small portion
of endpoints or on simulations of policy application that depend on numerous assumptions. L.E.M.S.S.
actively tracks policy enforcement on each endpoint and provides deep visibility into all exceptions and
policy enforcement failures. L.E.M.S.S. fills the gaps of unsupported security settings and endpoint
scripts through a powerful wizard-based facility that simplifies the management of custom configuration
and script execution.
Policy Assessment and Enforcement
Lumension® Security Configuration Management fills the gap between Group Policy and assurance that
endpoints are actually secure by comparing endpoints to selected baseline security standards completely
independently of Group Policy. Lumension® Security Configuration Management’s advanced policy
assessment and enforcement capabilities provide detailed and roll-up visibility into configuration posture.
Organizations can instantly identify endpoints where:
- Group Policy has been misconfigured, thus producing unexpected configuration results
- Group Policy is failing to be applied due to any number of network or AD issues
Using Lumension® Security Configuration Management, organizations maintain constant audit readiness
through the automated collection and centralization of security configuration results.
SCAP Validated FDCC Scanner
Beyond the real-world risks facing endpoints today is the added business driver of compliance with the
growing number of desktop security standards like FDCC. Through the Security Configuration Management
module, L.E.M.S.S. enables agencies to comply with FDCC standards by providing a Security Content
Automation Protocol (SCAP) Validated FDCC Scanner that assesses, standardizes and reports against
required configurations.
Lumension® Security Configuration Management ensures that endpoint configurations are compliant
with the standards outlined in the FDCC. Through import of SCAP policy templates, network and
agent-based scanning, policy enforcement and enterprise reporting, Lumension® Security Configuration
Management automatically checks the security properties of network devices and effectively maps
security configuration controls to these enterprise endpoints to enforce proper configurations and
report against FDCC requirements to prove compliance.
As a NIST-validated solution, Lumension® Security Configuration Management provides a comprehensive
list of SCAP policies with hundreds of defined checks, allowing organizations to quickly evaluate their
security posture and determine what must be fixed to meet configuration requirements according to:
- Microsoft Windows Security Guide Series
- NIST Special Publication 800-68
- Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG)
- National Security Agency (NSA)
- Office of Management and Budget (OMB) Federal Desktop Core Configuration (FDCC)
In addition, customized templates ensure that assessments are tailored to the various compliance
policies that fit an organization's specific requirements.
Visibility and Reporting
Organizations that rely on Group Policy alone are in the dark as to the actual status of their army of
endpoints. Lumension® Security Configuration Management exposes the true security posture of
endpoints throughout the enterprise with aggregate views of endpoint baseline compliance, as well as
detailed security configuration exception reports that expose specific configuration exceptions on
individual endpoints that can be automatically remediated.
L.E.M.S.S. features a wide range of predefined, integrated report templates that list and/or depict data
collected during network management. These range from general (endpoints, discovery scan jobs) to
highly detailed (operating systems installed on network endpoints).
Standard reports included in L.E.M.S.S. provide raw data that can be extracted and manipulated to meet
all of your reporting needs. Lumension® Reporting Services (a free add-on that integrates with
L.E.M.S.S.) is a collection of powerful and actionable pre-defined reports providing centralized visibility
of IT assets and the security posture of the L.E.M.S.S. endpoint environment.
Content Wizard
One of the key technical issues unaddressed by Group Policy is how to configure unsupported security
settings and how to manage the execution of custom scripts. Lumension® Content Wizard (LCW) extends
the capabilities of L.E.M.S.S. to cost-effectively streamline desktop and system management tasks with
simple and customizable wizard-based policy creation, distribution and baseline enforcement – without
requiring additional tools and costs. This powerful utility enables organizations to extend their
Lumension solution capabilities to dynamically meet the needs of their diverse IT environments,
without the purchase of additional technologies. Lumension® Content Wizard simplifies the setting and
enforcement of local security configuration policies, such as: disabling guest accounts, turning off
unnecessary services, enforcing password complexity and length, and forcing unattended systems to
log off. Policies can be based on industry best-practices templates with 24 pre-configured checks or
policy elements that can be added and modified based on your specific security policies.
The easy-to-use wizard allows administrators to create custom remediation packages that perform
security operations or patch little-known or in-house developed applications. These packages can
perform custom detection, deployment or configuration operations such as distribution or removal of
files, registry value changes or any other operation through the execution of OS commands and custom
scripts. Lumension® Content Wizard makes it easy to centrally deploy, manage and report on all new and
existing IT scripts. Organizations can automatically monitor and report on scripting actions taking place
throughout the environment, and a template-based approach to the creation of remediation scripts
allows novice users to quickly author remediation scripts (VBScript, JavaScript, command line) to
remedy identified system problems.
Endpoints are often laden with unwanted software and outdated, insecure versions of required
software. Lumension® Content Wizard provides policy-based installation of new and updated software
packages. Organizations can quickly identify installed software on endpoints and then automatically
remove outdated or unauthorized software thus ensuring ongoing monitoring and baseline
enforcement.
Lumension® Content Wizard capabilities include:
- Local Enforcement of Security Configuration Policies - Enforce security configuration policies
based on industry best-practices, such as disabling guest accounts, turning off unnecessary
services, enforcing password complexity and length, and forcing unattended systems to log off.
- Centralized Management of System Desktop Configuration Tasks and Policies - Automate
time-consuming tasks across the entire network, including automated scheduling of disk
defragmentation tasks, and policy enforcement for account, device control, domain, network,
and system policy security settings.
- Customizable Policy Creation and Syndication - Customize configuration settings to meet
internal policy controls and extend patching to in-house developed applications. This can be
across several different operating platforms.
- Centralized Deployment, Management and Reporting on all Scripts - Centrally deploy, manage,
and report on all scripting actions throughout the organization including making sure antivirus
(AV) is installed and distributing third-party patches.
To help organizations leverage previous investments in configuration management and avoid reinventing
the wheel inside and outside the organization, Lumension® Content Wizard allows sharing and
collaboration through:
- Content Exchange Forum - Content collaboration is made simple via a company-internal site
accessed through the Lumension® Content Wizard, allowing custom-created content to be shared
among separate divisions to ensure standardized detections, deployments and reporting.
- Lumension Connect Content Garden - Share best-practice scripts with other Lumension
customers within the Lumension Community.
Beyond Configuration Management: Comprehensive Endpoint Management
and Security
Lumension® Security Configuration Management is just one piece of the overall Lumension® Endpoint
Management and Security Suite (L.E.M.S.S.). With a single agent and one centralized management
console L.E.M.S.S. delivers integrated and comprehensive endpoint security.
L.E.M.S.S. is developed with a modular, extensible architecture that can scale from small to larger,
distributed infrastructures to manage anywhere from a few endpoints to thousands. The single, resilient
agent eliminates agent bloat while providing self-monitoring and recovery capabilities to ensure
continuous protection.
L.E.M.S.S. server/agent communication delivers near real-time policy and event updates – even for
endpoints outside the corporate intranet. Role-based access control (RBAC) enables everyone to access
the information and operations they need without compromising security. AD integration allows
organizations to leverage existing users, groups and computers within AD to harmonize the
infrastructure.
Enhanced asset discovery and agent deployment provide comprehensive visibility into both managed
and unmanaged systems and make it easy to deploy agents to unmanaged systems interactively,
automatically or on a scheduled basis.
Conclusion
The evolution of threats and the accelerating arms race between organizations and attackers has
caused endpoint security to re-emerge as a critical security issue. In fact, for most organizations
today, endpoint security should be the first priority of information security efforts.
[Figure: Lumension® Endpoint Management and Security Suite – Configuration Management, Patch and Remediation, AntiVirus, Disk Encryption, Application Control, Device Control]
Configuration management is the foundation of endpoint security. Relying on the native
functionality of Group Policy alone leaves serious gaps in an organization’s ability to comply
with desktop security standards and to keep endpoints secure and up-to-date against an
ever-changing threat landscape. Lumension® Security Configuration Management works with Group
Policy to fill the gaps and provide a solid and comprehensive solution upon which to build the rest
of the organization’s endpoint security approach.
But configuration management is just the first layer of endpoint security. Multiple additional
technologies must be deployed to address the wide-ranging threats affecting endpoints in particular.
There are too many such technologies to use a piecemeal approach that combines numerous point
solutions. Lumension® Endpoint Management and Security Suite combines all of these technologies into
a single, integrated solution that provides comprehensive endpoint security while maintaining a
productive end-user experience and preserving efficiency within IT.
About Randy Franklin Smith
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and
Active Directory. Randy publishes
www.UltimateWindowsSecurity.com and wrote The Windows Server 2008 Security Log Revealed – the
only book devoted to the Windows security log. Randy is the creator of LOGbinder software which
makes cryptic application logs understandable and available to log management and SIEM solutions. As
a Certified Information Systems Auditor, Randy performs security reviews for clients ranging from small,
privately held firms to Fortune 500 companies, national, and international organizations. Randy is also a
Microsoft Security Most Valuable Professional.
About Lumension
Lumension Security, Inc., a global leader in operational endpoint security, develops, integrates and
markets security software solutions that help businesses protect their vital information and manage
critical risk across network and endpoint assets.
Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by
delivering a proven and award-winning solution portfolio that includes Vulnerability Management,
Endpoint Protection, Data Protection, Antivirus, and Reporting and Compliance offerings. Lumension is
known for providing world-class customer support and services 24x7, 365 days a year.
Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida,
Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. Lumension: IT
Secured. Success Optimized.™ More information can be found at www.lumension.com.
Disclaimer
Monterey Technology Group, Inc., Lumension Security, Inc., and other contributors make no claim that
use of this whitepaper will assure a successful outcome. Readers use all information within this
document at their own risk.