• KACE Blog

    Technology Tunnel Vision: Why Endpoint Management Without Network Security Is Putting Your Organization at Risk

     You know what’s about to happen in the photo? You see how the defender on the right is ready to block a pass? The player on the left is going to hesitate for a fraction of a second, pass the ball between the defender’s legs, dash around the defender and keep right on dribbling, leaving the defender a day late and a dollar short.

    Image credit: Nick Hubbard | Licensed under: CC BY 2.0

    We call that “tunnel vision” – focusing too closely on one area and failing to see the broader picture. 

    Endpoint Management and Tunnel Vision

    You can focus so intently on endpoint management that you take your eye off the ball of network security. That puts your organization at risk of somebody sneaking the ball past you and driving straight for the hoop before you know what’s hit you.

    Of course, it doesn’t seem like tunnel vision to you, because you’re constantly on the lookout for ways to tighten network security. But every new technology wave brings more endpoints to secure and more moving parts: tablets, smartphones, bring your own device (BYOD), internet of things (IoT) and wearables, to name a few.

    The struggle is for IT to manage that variety of endpoints without getting stuck in silos and losing sight of network security that spans the entire organization. You’re trying to do this even as the data center is becoming less centralized and assets are ending up in hosted, cloud and mobile repositories.

    Meanwhile, users want to be connected anytime and anywhere on an increasingly diverse set of devices. Their expectations for convenience and privacy are rising, and they are willing to engage in shadow IT to meet those expectations.

    New E-book: Technology Tunnel Vision

IT resources are sagging, operating expenses are skyrocketing and security breaches are increasing in frequency and severity. Organizations are putting their reputations and their bottom lines at risk, despite their stepped-up efforts to increase security. The way to eliminate tunnel vision is to replace the traditional silo approach to systems management with a holistic view of network infrastructure and a fully integrated solution that offers centralized management and network security.

    We’ve released a new e-book, Technology Tunnel Vision: Part 1, that explains why the holistic approach is imperative today. Read it for a closer look at the impact of tunnel vision on IT, on security and on your ability to keep your adversaries from dribbling around you and leaving you flat-footed.

    David Manks

    About David Manks

    David Manks is a Solutions Marketing Director for Dell Software focusing on endpoint management and security products.

    View all posts by David Manks  | Twitter

  • KACE Blog

    How to Save the Equivalent of One Full-Time Employee Salary with IT Systems Management

    The fundamentals of systems management have changed, so you’re faced with managing and securing a growing number of devices, a variety of operating systems and multiple types of users, in addition to your traditional systems management tasks. Despite this acceleration in the scope, complexity and speed of change in your environment, your IT budget most likely remains flat or gets reduced, requiring you to do more with less.

    Doing More with Less

    So, when one organization is able to eliminate IT overtime costs and save one full-time salary annually by automating its anypoint systems management tasks, I like to share the story with other IT pros. First, let me tell you about some of the organization’s systems management challenges. They’re probably similar to the challenges you face every day. While this organization happens to be an educational institution, endpoint management issues are the same whether your organization teaches students, saves lives or manufactures widgets.

    Westphal College of Media Arts and Design at Drexel University has an IT staff of five, a director and four technicians, who are responsible for managing 800 PC, Mac and Linux desktops, including performing manual upgrades. The technicians scrambled from machine to machine, sometimes remotely, to install updates to the operating system, browsers, plug-ins and software applications during the one-week break between academic quarters.

    No matter how quickly they worked, they were unable to deliver consistent systems management, maintenance and updates across their IT environment. For example, they had no way of ensuring that all machines were running the same version of applications, nor could they easily determine which computers were out of sync with the others.

    Challenges Ahead

    The team’s approach to remote systems management was to obtain or build installers containing the updates, and then use a variety of tools like PsExec, Active Directory and Apple Remote Desktop to deploy them across the network. Using this approach, it was impossible to report on whether the updates had been successful and on which machines.

    Needless to say, this manual approach to systems management took a toll on the team’s overtime budget, with the OT payroll inflating to 100 hours during the week between quarters. And, while the technicians were focused on deploying upgrades and patches, they didn’t have time to support the users’ other needs or address new IT initiatives.

    The Solution Became Clear

    Prompted by these inefficiencies in timing and consistency, as well as a university-wide security initiative to encrypt all computers, the director tasked his team with finding a way to replace its manual processes with an all-inclusive automated solution to anypoint systems management. After listening to their needs, a reseller recommended the Dell KACE K1000 Systems Management Appliance. The team looked at other tools, but after a brief trial, the organization purchased the K1000.

    They immediately saw that the KACE appliance addressed their biggest pain point with the software distribution, managed installations and patch management required to keep the desktops up to date and secure. The greatest time savings came with the ability to reuse their work once they loaded a patch or managed installation into the K1000. 

    They then began expanding their use of the KACE appliance. After several months of success managing installations and scripting remotely, they took a broader view and began consolidating their information systems. Using the K1000’s integrated service desk functionality, they realized flexibility they never had before as they could now create triggers, custom ticket roles and direct connections into inventory that showed all requests associated with each machine. Next, they built custom assets and email alerts in KACE to help them track loaned equipment, so they wouldn’t miss due dates.

    Cost Savings for Drexel University

    The K1000 Systems Management Appliance was quickly paying for itself. The organization eliminated overtime during break week – from 100 extra hours to finishing a day and a half early with the K1000. According to the IT director’s FTE calculation, the cost savings to his department is equivalent to the annual salary of one full-time IT pro. His department also benefits from compliance with the university’s security initiative. The KACE appliance provides automated patching as well as the reporting tools needed to show that the encryption agent is present on all 800 computers and to assist in documenting that the IT group is in full compliance.

    With the K1000, the IT staff can also offer a shorter turnaround time on break fixes. Once IT has identified the problem and verified the fix, IT can deploy it centrally in hours instead of days and make the computer available to users much more quickly than before. The IT director is also seeing the strategic benefit of the KACE appliance as it affords him a comprehensive overview of all 800 desktops.

    As this organization discovered, manual or individual point solutions no longer suffice in today’s IT environments. IT professionals must now view anypoint management as an imperative that cannot be ignored and one that needs to be addressed with an all-inclusive solution.

    Watch the Full Story

    I love to share KACE success stories, but I know you’d rather hear directly from your peers. So I’ve included a link to a 4-minute video featuring Jason Rappaport, director of IT, Antoinette Westphal College of Media Arts and Design, Drexel University, along with some members of his IT team. In the video, they detail how they were able to create a central view of their multi-platform environment, implement reporting on 800 desktops to comply with the organization’s security initiative, and speed application deployment with Dell KACE appliances.

    About Stephen Hatch

    Stephen is a Senior Product Marketing Manager for Dell KACE. He has over eight years of experience with KACE and over 20 years of marketing communications experience.

    View all posts by Stephen Hatch

  • Dell TechCenter

    Halloween Fun with the Dell Software Team

From parties to haunted houses, trick-or-treating to giving out candy to the neighborhood kids, it’s personally always been a favorite holiday of my wife and me. We even set the date we would exchange our vows so that we would be on our honeymoon in New Orleans during Halloween. And let me tell you, if you are a fan of the holiday, I highly recommend being there for the event.

    Halloween Fun at Dell Software

    The Dell Software team enjoys Halloween as well. As you can see, many of our families go all out on this entertaining holiday.


    Cynthia was the famous pop art piece by Roy Lichtenstein and had a great Nightmare Before Christmas pumpkin. 


Madison hung out with friends she's known since high school at a Halloween house party. She's the one in the center dressed as a witch in black.


Jeanie and her husband Jeff had a blast at her neighbor's annual Halloween Dance Off party. Jeanie's daughter was a baby cheetah, and she was Momma Cheetah.


    Gio's dog has great Halloween spirit (and Gio has great photo editing skills!)


Chris spent Halloween day coaching his daughter and other special-needs baseball players from District 62 Little League at Angel Stadium. The Challenger Baseball Classic is an annual event where special-needs baseball teams from southern California get to play a game on the field at Angel Stadium. (Amazing way to spend your time!)


    Emily went to a local Halloween maze and I think her face says it all. She had a good time.


    Amber's daughters went as Queen of Hearts and Sweety Kitty. She calls this photo “The girls just wanna have fun!”


    Ryan had a fantastic Harry Potter Party with his friends, complete with Sorting Hat and their very own Quidditch Cup!


    My son and I dressed up as hackers, while my wife, quite a fan of the horror genre, went as a character from You're Next.

    Halloween Content from Dell Software
To top this off, the Halloween fun doesn't stop with our costumes and parties; it also crept into a number of content offerings published around the season.

    Switching Analytics Platforms – A Process Nightmare?

    The Windows group had:

And Foglight had a great video with a 2015 Foglight Dashboard refresher:

    We would love to hear about your Halloween adventures. Did you enjoy trick-or-treating, parties, or handing out treats to the neighborhood? Leave me a comment. 

    Kris Freedain

    About Kris Freedain

    After spending 15 years in the Support and Support Operations organizations, he moved to a Marketing Role, and is now responsible for the corporate channel messaging for Dell Software.

    View all posts by Kris Freedain | Twitter

  • KACE Blog

    How a Pumpkin Patch Led Me to a Wonderful Life

Recently, I was roped into going to a “pumpkin patch” with my wife and 10-month-old son. I was not enthusiastic given the temperature on that Texas day, but on the hour drive to the rural location, this seasonal outing started me thinking about the impending holidays. Specifically, that every time I change the channel I’m likely to soon be landing on “It’s a Wonderful Life.”

    Image credit: Insomnia Cured Here | Licensed under: CC BY 2.0

    I’ve never seen it.

    Before you round up a posse, and have me lynched as un-American – I know what it’s about. It’s such a part of popular culture, that it’s impossible not to have a basic grasp of the plot.

    Life without George

    But as I was sweating and dreading the drive to rural Texas, what came to mind was Jimmy Stewart, and his character, George – and what his town would have been like without him.

    Which got me wondering about what Information Technology would be like without Dell KACE systems management appliances, the product line I market at Dell. Yes, I am crazy to be thinking about work on a family weekend excursion, but I do love my job, and have a cadre of passionate customers to motivate me even after hours.

    A Different World

    Anyway, it occurred to me that without Dell KACE, there would be many, many organizations of all types who would be unsure of what devices are connecting to their networks. There would be a lot of unpatched software. And as IT professionals know, unpatched is unprotected. As a result, there could be significantly more cybercrime, and even the rise of a super villain, who controls a cybercrime syndicate, holding all of Information Technology hostage. 

    We can’t get money from ATMs. We don’t have access to healthcare. Or world news. Or electricity. We can’t send an e-mail to our moms on their birthdays. Or get gas, or drive our cars, or make reservations. The world would indeed be different.

    Back to Reality

    And suddenly, I was glad to go to the pumpkin patch, because it meant I could do all of those things with the help of the thousands of KACE appliances securing millions of endpoints globally.

    I’m not saying that Dell KACE is preventing the fall of civilization. But I am saying, as with George, the world is a better place as a result of our anypoint systems management solution!

    Sean Musil

    About Sean Musil

    Sean Musil is a Product Marketing Manager for Dell KACE. He believes the internet should be free and secure.

    View all posts by Sean Musil  | Twitter

  • KACE Blog

    Frightened by Growing IT Security Threats? Learn 6 Steps to Scare Away Your IT Security Nightmares

    Image credit: Kristy Hom | Licensed under: CC BY 2.0

    Protecting your IT environment today is extremely complex and can be a very scary task. You’re haunted by increased security threats, malicious attacks, BYOD, the Internet of Things (IoT) and new network-connected devices that you don’t even know about.

    Endless Devices 

    Consider the number of operating systems you are now slated to secure, the number of BYO devices that are a normal part of your organization’s operation in the form of smartphones, tablets and even network connected devices such as printers, scanners and kiosks. The freedom offered by mobile devices and the BYOD trend opens your organization to a myriad of security risks. Your users want mobility and the flexibility it provides, but you have to balance it against your organization’s need for security and control. Meanwhile, security threats continue to grow in both number and sophistication. If you’re the person in charge of ensuring your IT network and systems are buttoned up from malicious intruders and a growing world of creatively uncovered and exploited vulnerabilities, your job could literally be on the line with a single network security breach.

    Internet of Things

    It’s also clear that the IoT is here to stay and will grow exponentially as more smart devices enter both our personal and business lives. New systems and applications are easier than ever to set up and maintain, which often results in users setting these up on their own – leaving you with applications and systems you can’t protect. Unfortunately, many users are unaccustomed to thinking about issues like security and backups, or they are simply willing to sacrifice security for expediency.

    Despite these security threats, protecting your IT environment doesn’t have to be a scary undertaking if you follow these readily available security safeguards:

    • Discovery and inventory – Ensure that you have an accurate, current inventory of every connected device. You cannot patch or protect a device you do not know about.
    • Patching – Patch your operating systems and applications on a regular schedule. Most intrusions exploit vulnerabilities for which a fix already exists, so keeping software current is the starting point for eliminating them.
    • Antivirus software – Once considered the only line of defense, antivirus is still essential: make sure it is installed, up to date and enforced on every managed endpoint.
    • Firewalls – No longer just for larger organizations, next-generation firewalls add protection beyond simple port filtering, and they can be both affordable and easy to manage.
    • Proactive threat detection – Vulnerability scans built on OVAL definitions and SCAP content can find missing fixes and weak configurations on your endpoints before an attacker does.
    • Data encryption – Security from the data level to the cloud is today’s mantra, so start with full-disk encryption on endpoints; it is what protects the data on a lost or stolen device.
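    As an added illustration of the six safeguards (this script is not from the original post and is not KACE code), here is the kind of read-only posture check a management tool would run on each Windows 10 endpoint and collect. It assumes the built-in Defender, NetSecurity, BitLocker and SmbShare PowerShell modules and an elevated session (the BitLocker query needs it). The age thresholds and the SMBv1 check are my assumptions standing in for your own policy, not settings taken from the post.

```powershell
# Added example (not from the original post or the KACE product): a read-only
# posture check of the six safeguards on the local Windows 10 endpoint.
# Assumes the Defender, NetSecurity, BitLocker and SmbShare modules and an
# elevated session. Thresholds and the SMB1 check are assumptions, not policy
# from the post.
param(
    [int]$MaxPatchAgeDays     = 30,   # assumed threshold
    [int]$MaxSignatureAgeDays = 3     # assumed threshold
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Discovery and inventory: the facts an inventory record is keyed on.
$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem
$mac = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up').MacAddress -join ','
$inv = '{0} | {1} {2} | {3} build {4} | MAC {5}' -f $env:COMPUTERNAME, $cs.Manufacturer, $cs.Model, $os.Caption, $os.BuildNumber, $mac
Add-Finding 'Inventory' $true $inv

# 2. Patching: age of the most recently installed update.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchDays = if ($lastPatch) { ((Get-Date) - $lastPatch.InstalledOn).TotalDays } else { [double]::PositiveInfinity }
Add-Finding 'Patching' ($patchDays -le $MaxPatchAgeDays) ('Last update {0} installed {1:d} ({2:N0} days ago)' -f $lastPatch.HotFixID, $lastPatch.InstalledOn, $patchDays)

# 3. Antivirus: Windows Defender engine, real-time protection and signature age.
$mp = Get-MpComputerStatus
Add-Finding 'Antivirus' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) ('Enabled={0} RealTime={1} SignatureAge={2}d' -f $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge)

# 4. Firewall: every profile (Domain, Private, Public) must be on.
$fw    = Get-NetFirewallProfile
$fwOff = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' })
Add-Finding 'Firewall' ($fwOff.Count -eq 0) (($fw | ForEach-Object { '{0}={1}' -f $_.Name, $_.Enabled }) -join ' ')

# 5. Proactive detection: one configuration check of the kind an OVAL/SCAP
#    definition expresses. SMBv1 enabled stands in for a scanner finding (assumption).
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Finding 'VulnScan' (-not $smb1) ('SMB1 server protocol enabled={0}' -f $smb1)

# 6. Encryption: BitLocker protection active on the OS volume.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding 'Encryption' ("$($bl.ProtectionStatus)" -eq 'On') ('{0} {1}, {2}, {3}% encrypted' -f $bl.MountPoint, $bl.VolumeStatus, $bl.EncryptionMethod, $bl.EncryptionPercentage)

# Report; a non-zero exit code lets a management tool flag the endpoint as non-compliant.
$findings | Format-Table Control, Pass, Detail -AutoSize -Wrap
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($findings.Count) controls failed"
exit $failed
```

    Each control produces a pass/fail plus the evidence behind it, which is what an auditor asks for; the exit code is what a scheduler or appliance would key on to mark the machine for remediation.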

In addition to the steps outlined here, we invite you to watch an on-demand webcast, Protecting Your Network and Endpoints with the SANS 20 Critical Security Controls, addressing the challenges of protecting your IT environment. In this webcast, presented by security expert Randy Franklin Smith, you’ll be introduced to a practical and straightforward framework that provides 20 actionable security controls with specific recommendations on how to implement them at a technical level. The webcast will briefly introduce you to the entire list, but will focus on seven controls that relate specifically to endpoint security.

    Watch the Security Webcast

    David Manks

    About David Manks

    David Manks is a Solutions Marketing Director for Dell Software focusing on endpoint management and security products.

    View all posts by David Manks  | Twitter

  • KACE Blog

    Under the Hood with Windows 10 Security, Part 3 [On-demand Webinar]

Once you’re acquainted with the landscape and terminology of Windows 10 security, you can turn your attention to Windows 10 migration: moving your endpoints from Windows XP, 7 and 8.1.

    So far in this series about our webinar Under the Hood with Windows 10 Security, I’ve covered the security aspects of Windows 10 in the enterprise: malware prevention, authentication and data protection. In this post I’ll cover the migration process itself.

    Windows 10 migration – Things to consider (54:05 into the on-demand webinar)

    • Hardware compatibility – As I mentioned in my post on Device Guard and Secure Boot, much of Windows 10 security depends on new hardware standards and components like UEFI and TPM. The more security you want, the more of that hardware support you need in the next round of devices you procure.
    • Driver updates – Hardening the kernel against attacks means a new approach to device drivers, which also work at the kernel level and are a well-known attack vector.
    • New update model – Patch Tuesday is giving way to Windows as a Service: cumulative updates delivered continuously through servicing branches to all Windows 10 devices, including phones.
    • File distribution – If you’re using Code Integrity, you’ll need a reliable way to push code integrity policies and catalog files to every endpoint and keep them current.
    • Upgrades – Microsoft has done a lot of work to make the in-place upgrade from Windows 7 and 8 go smoothly. It’s meant to be vastly preferable to the traditional wipe-and-load to which sysadmins are accustomed.
    • New runtime configuration tools – Provisioning packages are designed to transform devices from their off-the-shelf state into fully configured business devices, without reimaging.

    4 Phases to Any Migration (1:01:30)

    We think about the migration process in four different phases:

    Phase I: Inventory / Content Rationalization

    Which components of your hardware will support the migration while meeting the standards of your users?

    To find out, you’ll inventory all applications, hardware, users and groups in your organization. You’ll also verify the compatibility of applications and hardware with Windows 10. Next, rationalize your content and prepare yourself to migrate applications based on usage and necessity. Your goal is to migrate only what is needed, based on usage and future support. That includes valid data stored on users’ endpoints.

    Phase II: Application Categorization / Remediation

    Knowing what you’re going to need, will it all work in the new environment?

    The only way to be sure is to test, remediate and repackage your applications, which can take most of the calendar time of your migration project. Many applications will need fixes for compatibility, but fixes now can pay off through a more stable environment down the road.

    Phase III: OS Deployment / User State Migration

    Can you migrate and keep all your applications happy with a single image? Or do you need more than one?

    In this phase you perform the actual migration of user systems and user content. The time it takes you to back up user data, deploy the new system, install updates and copy user data back on determines the amount of lost productivity per system. Doing this manually adds up fast.

    Phase IV: Ongoing Management / User Support

    How do you know you can care for and feed all your systems in the future?

    After migration, you still need to keep systems up to date, secure and tracked. Some industry standards and mandates call for keeping software current with the latest patches and fixes. If you fail an audit, it can lead to fines, suspended certification and unwelcome publicity.

    Under the Hood with Windows 10 Security – On-demand Webinar

    This series of blog posts has covered the main points in Randy Franklin Smith’s webinar, Under the Hood with Windows 10 Security, for which more than 2,300 sysadmins, IT managers and network administrators registered. You can listen to individual topics (I’ve included the time stamps) or take in the entire on-demand recording, including Q&A from the audience.

    Christopher Garcia

    About Christopher Garcia

    A ten-year Dell veteran, Chris has had experience in various marketing roles within the organization. He is currently a Senior Product Marketing Manager.

    View all posts by Christopher Garcia 

  • KACE Blog

    Under the Hood with Windows 10 Security, Part 2 [On-demand Webinar]

    Windows 10 includes new enterprise security features for authentication and data protection. I’ll cover them in this post, the second in our series on our webinar Under the Hood with Windows 10 Security, for which more than 2,300 sysadmins, IT managers and network administrators registered.

    Authentication and Windows Hello (41:25 into the On-demand Webinar)

My last post covered malware prevention in Windows 10, and I’ll continue the theme of Windows 10 endpoint security in the area of authentication. The model here is authentication in two stages: first between you and your device, then between the combination of you and your device and the applications and websites you use.

The big news here for the enterprise is Windows Hello. Instead of relying on passwords, Hello authenticates the user to the device with biometrics. Facial recognition uses an infrared camera that is far harder to fool than an ordinary webcam, so an impostor cannot simply hold your photo up to the camera at logon. Other options are iris and fingerprint recognition, and a device-specific PIN. The PIN is easier to remember than a password and still more secure than one, because it never leaves the device: it only unlocks the credential stored on that particular machine, so a PIN captured elsewhere is useless without the hardware.

    Hello authenticates quickly and stores biometric data on the device, not in the cloud. That means everything needed for authentication remains strictly on the device.

    Windows Passport (44:50)

    First your device authenticates you with Hello, then you and your device use Windows Passport to authenticate to the network and services like your Microsoft account, Azure Active Directory, on-premises AD and apps and sites that comply with Fast IDentity Online. The FIDO Alliance promotes an industry-standard effort for improving online authentication, and Passport supports FIDO.

The result is a different kind of two-factor authentication: something you have (the device holding the key) plus something you are or know (the Hello gesture). You’re authenticated to your device with Hello, and Passport then uses a private key held on your device to sign the service’s challenge. When the device has a Trusted Platform Module, the service can require TPM key attestation, which proves that the private key was generated inside the TPM and has never left it.

Credentials are based on a certificate or an asymmetric key pair, and each account’s key is stored in a separate, secure container. The big difference from passwords is what a breach of the online service exposes: nothing reusable, because the service holds only your public key.

    I think this new, “password-less” model of authentication shows a lot of promise. There’s no password to steal from servers, AD or websites, and the combination of Hello and Passport protects against Pass-the-Hash and Pass-the-Token attacks. It’s security for the enterprise with minimal inconvenience for users. What’s not to like?
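The enrollment and sign-in exchange described above, as an added example that is not part of the webinar or of Windows itself: a minimal simulation in PowerShell using a software RSA 2048 key from .NET. In the real design the private key lives in the TPM and is unlocked by the Hello gesture; here it sits in memory, which is the one deliberate simplification. The function names, the in-memory key store and the user “alice” are mine; it runs in Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not from the webinar: Passport-style key-based sign-in.
# Device keeps the private key (TPM in reality, memory here); the identity
# provider stores only the public key and verifies signed challenges.
using namespace System.Security.Cryptography

$Hash = [HashAlgorithmName]::SHA256
$Pad  = [RSASignaturePadding]::Pkcs1

# --- Enrollment, device side: create the key pair, release only the public half.
function New-DeviceCredential([string]$User) {
    $rsa = [RSACryptoServiceProvider]::new(2048)        # assumption: software key, not TPM
    return @{
        User       = $User
        PrivateKey = $rsa                               # never leaves the device
        PublicKey  = $rsa.ExportParameters($false)      # $false = public parameters only
    }
}

# --- Identity provider side: a store that holds nothing secret.
$script:IdpKeyStore = @{}
function Register-PublicKey([string]$User, [RSAParameters]$PublicKey) {
    $script:IdpKeyStore[$User] = $PublicKey
}
function New-Challenge {
    $nonce = New-Object byte[] 32                       # fresh per sign-in, defeats replay
    [RandomNumberGenerator]::Create().GetBytes($nonce)
    return $nonce
}
function Test-SignIn([string]$User, [byte[]]$Nonce, [byte[]]$Signature) {
    if (-not $script:IdpKeyStore.ContainsKey($User)) { return $false }
    $verifier = [RSACryptoServiceProvider]::new()
    $verifier.ImportParameters($script:IdpKeyStore[$User])
    return $verifier.VerifyData($Nonce, $Signature, $Hash, $Pad)
}

# --- Device side at sign-in: the Hello gesture (PIN/biometric) unlocks the key,
#     and only then is the provider's challenge signed.
function Invoke-SignChallenge($Credential, [byte[]]$Nonce, [bool]$GestureVerified) {
    if (-not $GestureVerified) { throw 'Hello gesture failed: key stays locked' }
    return $Credential.PrivateKey.SignData($Nonce, $Hash, $Pad)
}

# --- Walk through the exchange.
$cred = New-DeviceCredential 'alice'
Register-PublicKey $cred.User $cred.PublicKey

$nonce = New-Challenge
$sig   = Invoke-SignChallenge $cred $nonce $true
"Sign-in with device key:            $(Test-SignIn 'alice' $nonce $sig)"       # True

# A captured signature replayed against a new challenge is rejected.
"Replayed signature, fresh challenge: $(Test-SignIn 'alice' (New-Challenge) $sig)"  # False

# A breach of the provider's store yields only public keys, which cannot sign.
$stolen = [RSACryptoServiceProvider]::new()
$stolen.ImportParameters($script:IdpKeyStore['alice'])
try {
    $stolen.SignData((New-Challenge), $Hash, $Pad) | Out-Null
    'Attacker signed with a stolen public key (should never happen)'
} catch {
    'Attacker holding only the stolen public key cannot sign a challenge'
}
```

The last block is the point of the “password-less” model: the provider’s database contains nothing an attacker can replay or crack, and the nonce ties every signature to one sign-in.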

    Enterprise Data Protection (50:20)

    With Enterprise Data Protection (EDP), Microsoft addresses the problem of maintaining the privacy of your enterprise data by filling the gap between encrypted hard drives and rights management-protected documents. It’s not exactly Rights Management Services, although RMS can enhance EDP.

    EDP separates and protects enterprise apps and data against disclosure across both company-owned and personal devices. It doesn’t require Code Integrity or changes in your environment or apps.

EDP tries to reconcile ease of access to files with strict data protection policies. It also addresses the reality that you cannot lock down employee-owned devices in your efforts to prevent the accidental release of enterprise data. It allows remote wipe and requires MDM, such as Microsoft Intune or SCCM.

    For example, suppose you’re trying to keep employees from copying text from an enterprise document into a non-enterprise document.

    You have four levels of protection with EDP:

    • Block – EDP looks for inappropriate data sharing and stops the employee from completing the action.
    • Override – EDP looks for inappropriate data sharing, alerts the employee that it’s inappropriate and gives the employee the option of overriding the policy and copying/sharing the data anyway. EDP logs the action.
    • Audit – EDP runs silently, logging inappropriate data sharing, without blocking anything.
    • Off – EDP isn't active and doesn't protect your data. Probably a bad idea.

EDP adds up to what I call “Pretty Good Data Protection.” It does a good job straddling some rather tall fences between security and productivity. To make it easy to raise awareness among users, protected files show up in green in File Explorer.

    Under the Hood with Windows 10 Security – On-demand Webinar

    My next and final post in this series will cover migration to Windows 10.

    Meanwhile, listen to Randy Franklin Smith’s webinar, Under the Hood with Windows 10 Security. I’ve included the time stamps so you can fast-forward to the topics of most interest to you.

    Christopher Garcia

    About Christopher Garcia

    A ten-year Dell veteran, Chris has had experience in various marketing roles within the organization. He is currently a Senior Product Marketing Manager.

    View all posts by Christopher Garcia 

  • Dell TechCenter

    Federal Cybersecurity Sprint: Patch for the Known, Prepare for the Unknown

    Federal CIO Tony Scott’s 30-day Cybersecurity Sprint in July called on government agencies to make substantive progress in four specific areas. Last week I discussed the first directive: federal agencies must immediately deploy indicators provided by DHS regarding priority threat-actor techniques, tactics, and procedures to scan systems and check logs. Let's now discuss the second.

    The Second Cybersecurity Directive

     “Patch critical vulnerabilities without delay. The vast majority of cyber intrusions exploit well known vulnerabilities that are easy to identify and correct.  Agencies must take immediate action on the DHS Vulnerability Scan Reports they receive each week and report to OMB and DHS on progress and challenges within 30 days.”

    How did this one go?

    DHS Secretary Jeh Johnson has said that agencies patched or remediated about 60 percent of their critical vulnerabilities during the Sprint. And at the Nextgov Prime conference on government cybersecurity in Washington on September 9, CIO Scott said, “The good news is I think we are making progress. The bad news is, incidents that do occur, mostly occur because we failed even the most basic preventative measures.”

    So there’s still much work to be done. The Sprint was just one segment of a marathon effort which doesn’t necessarily have a finish line.

Dell Software is here to help agencies continue their press forward. October is National Cybersecurity Awareness Month, and we’re presenting a four-part knowledge series of half-hour webcasts on the Sprint directives. The second on-demand webcast, on patching critical vulnerabilities, is available and features Robert Osborne, Dell Software Senior Enterprise Technologist. We’ll review Dell Software solutions for scanning and patching, including KACE systems management appliances and network security solutions from Dell SonicWALL.

    The complete knowledge series includes:

    • Deploy DHS threat indicators to scan systems and logs
    • Patch critical vulnerabilities without delay. 
    • Tighten policies and practices for privileged users. 
    • Dramatically accelerate implementation of multi-factor authentication, especially for privileged users.

    Please join us for the second knowledge series webcast.

    Jeffrey Honeyman

    About Jeffrey Honeyman

    Jeff Honeyman manages messaging and content for government and education for Dell Software. He is also a saxophone and clarinet player and science fiction reader.

    View all posts by Jeffrey Honeyman | Twitter

  • KACE Blog

    Under the Hood with Windows 10 Security, Part 1 [On-Demand Webcast]

     New Windows 10 features are getting ink in the tech press, but it’s Windows 10 security that’s top of mind for most system administrators.

    When we conducted a webcast called Under the Hood with Windows 10 Security, more than 2,300 sysadmins, IT managers and network administrators registered. We saw we had a live one, so we decided to distill the highlights of the webcast into this series of three blog posts on the main enhancements to Windows 10 security, focusing on what’s new for the enterprise.

    In this first post, I’ll describe Windows 10 enhancements for endpoint security – preventing your desktops and servers from being infected by malware.

    It’s a good sign that Microsoft is taking aim at malware because the endpoints are where the bad guys are winning the most. Windows 10 fights back through new hardware components and drivers because that’s what it takes to keep malicious code from running on your endpoints.

    Untrusted font blocking (6:10 into the on-demand webcast)

Fonts are “complex data structures,” which translates to “big, juicy targets just waiting to be exploited.” Font parsers are notorious for memory-corruption bugs that let arbitrary code run and privileges be elevated, and before Windows 10 much of that parsing happened inside the kernel (win32k.sys), so one malformed font could mean kernel-mode code execution.

    The biggest danger is that fonts can be embedded in documents and sent all over the place. That is an ideal way for bad guys to deliver malware to an endpoint, then get the endpoint to run it.

    Untrusted font blocking, an option under Group Policy, is a new Windows 10 security feature. If you activate it, and the dubious font is not already installed on the device, then Windows won’t use it. It helps limit damage from anything that uses fonts, like email, web content and document files.

    Device Guard (7:40)

    Device Guard is more than any single feature. It’s a comprehensive way to lock down the code that executes in the kernel. The more you’ve standardized on specific configurations of hardware and drivers in your company, the more you can take advantage of Device Guard, which is oriented toward enterprise devices and Windows versions rather than toward consumer and BYOD. Device Guard runs much deeper inside the OS than AppLocker does.

    Secure Boot, a part of Device Guard, depends on UEFI, the hardware replacement for BIOS; it checks the firmware and your boot files.

    Windows 10 features a highly controlled boot process, integrated with the Trusted Platform Module (TPM) chip on the motherboard (if present). Before turning control over to the boot loader, Windows hands the boot files to the TPM, which validates them to ensure that your system has not been compromised. After verification, Secure Boot allows the OS to boot.

    That defends against rootkits and makes sure that Windows starts from trusted, un-tampered code. Secure Boot was supported in Windows 8 and Windows Server 2012; the biggest changes for Windows 10 are the new requirements for hardware manufacturers, like UEFI and TPM.

    Code Integrity (17:50)

    Code Integrity is part hardware, part software. In mobile terms, you can say that it makes Windows more like an un-jailbroken iOS system or an unrooted Android system, but with more freedom and control from the enterprise point of view.

    Whereas AppLocker starts late in the boot process and runs in user mode, Code Integrity takes control as soon as the OS begins to boot and runs in kernel mode deep within the OS. You can customize the Code Integrity Policy for every OS and specify only the code that has been signed by someone you trust. Not even a local administrator can override it.

    Code Integrity looks at the way every executable on your device has been signed and compares it to a golden system. For unsigned programs like line-of-business apps you’ve built, there is a Package Inspector. Code Integrity is a big step toward endpoint security for point-of-sale systems because you can implement it in kernel mode if administrators have control over the hardware, or user mode if they control only the installed apps. Even if you don’t have complete control, you can still use Code Integrity’s audit mode.
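    As an added example (not from the webcast or this post), here is what the workflow this section describes looks like in PowerShell on a Windows 10 Enterprise reference machine, using the built-in ConfigCI cmdlets; the policy file paths are assumptions.

```powershell
# Added example: build a Code Integrity policy from a "golden" reference
# system, deploy it in audit mode, then review what it would have blocked.
# Assumes Windows 10 Enterprise with the ConfigCI module; run elevated.
$PolicyXml = 'C:\CIPolicy\Golden.xml'      # assumed working paths
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference system. -Level Publisher trusts code signed by the same
# publishers as the binaries found; -UserPEs includes user-mode applications,
# not just kernel code; -Fallback Hash covers unsigned line-of-business apps
# by file hash so they do not get blocked later.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath 'C:\' -FilePath $PolicyXml

# Rule option 3 = "Enabled:Audit Mode": violations are logged instead of
# blocked, so you can validate the policy before it affects anyone.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML to the binary form the kernel consumes and stage it in the
# single-policy location; the policy takes effect after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# After a representative period of normal use, list the audit events
# (ID 3076 = would have been blocked). Merge legitimate findings into the
# policy, then remove option 3 to enforce:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message -First 20
```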

    Virtualization-based security (29:30)

    Virtualization-based security (VBS) enlists Hyper-V to protect sensitive parts of Windows even on endpoints. It inserts a hypervisor between the metal and the Windows 10 kernel, then moves local security authority (LSA) and kernel mode code integrity (KMCI) to quasi-virtual machines, or the secure world.

    Before virtualization-based security, both LSA and KMCI ran in kernel mode. Normally, that’s a safe place to run, but device drivers run there too, and they come from all over and are not always secure. Once they’re in the secure world, LSA and KMCI are inaccessible to everything else, including the kernel, the apps and any kernel mode malware.

    To prevent code injection exploits, KMCI keeps memory pages in the kernel from being maliciously changed to execute mode. That means that even if an attack manages to inject malware into the kernel, KMCI will prevent it from running.

    Malware (36:10)

    With Windows 10, Microsoft has acted to slow down attacks. Consider that the OS now has three different, overlapping technologies to let you control application usage:

    • Software Restriction Policies go back a long way in Windows.
    • AppLocker saw its debut in Windows Server 2008 R2 and Windows 7 as a way to help administrators control how users access executable files. Windows 10 enhances AppLocker with service white-listing, mobile device management and Windows Management Instrumentation (WMI).
    • Code Integrity now ties application control to both software and hardware.

    If you’re really serious about taking advantage of Device Guard and the full spectrum of malware-defeating technologies built into Windows 10, you’ll discover that the hardware you buy really matters. You’ll want TPM and UEFI built into your endpoints.
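    Added example, not from the post: a PowerShell check of whether an endpoint actually has Secure Boot, a ready TPM and running virtualization-based security, read from the Win32_DeviceGuard WMI class; the function name is my own.

```powershell
# Added example: report the firmware and hardware prerequisites the post
# says Device Guard depends on, plus what VBS is actually protecting.
# Assumes Windows 10 Enterprise/Pro; run elevated.
function Get-DeviceGuardReadiness {
    $result = [ordered]@{}

    # UEFI Secure Boot; the cmdlet throws on legacy-BIOS firmware.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # TPM present and ready for use.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Device Guard status class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        $result.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard (LSA in the secure
        # world), 2 = hypervisor-enforced code integrity (the KMCI protection)
        $result.CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
        $result.Hvci            = [bool]($dg.SecurityServicesRunning -contains 2)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
        $result.KernelCIPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
            0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
        }
    } else {
        $result.VbsRunning = $false; $result.CredentialGuard = $false
        $result.Hvci = $false;       $result.KernelCIPolicy = 'Unavailable'
    }
    [pscustomobject]$result
}

$status = Get-DeviceGuardReadiness
$status | Format-List
if (-not ($status.SecureBoot -and $status.TpmReady)) {
    Write-Warning 'Firmware prerequisites missing: Device Guard cannot be fully enabled here.'
}
```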

    Under the Hood with Windows 10 Security – On-demand webcast

    Take a few minutes to listen to Randy Franklin Smith’s webcast, Under the Hood with Windows 10 Security. I’ve included the time stamps so you can fast-forward to the topics of most interest to you.

    My next post will cover what’s new in authentication and data protection in Windows 10, so subscribe to this blog to be sure you don’t miss it.

    Christopher Garcia

    About Christopher Garcia

    A ten-year Dell veteran, Chris has had experience in various marketing roles within the organization. He is currently a Senior Product Marketing Manager.


  • KACE Blog

    Building a Secure Mobile Enterprise at Pepperdine University

    As I’ve explained in my previous blog posts, mobile devices have quickly evolved into critical enterprise tools that open the doors to better productivity, innovation and competitive advantage. At the same time, they have increased IT complexity and raised critical security and privacy concerns. I’ve offered several recommendations for ensuring security with both personally owned and corporate-owned devices. But what strategies actually work in the real world? For example, what do educational institutions actually find most effective?

    To find out, I’ve asked Kim Cary, CISO of Pepperdine University, to discuss the challenges of enabling mobility while maintaining security. Here’s our Q&A:

    Q. Tell us a little bit about endpoint security from your perspective as CISO at Pepperdine.

    A university needs a different network than the typical business. For one thing, we don’t own all the endpoints on our network — students, conference guests, invited speakers and contracted services all use systems we don’t own. Further, for those endpoints we do own, it isn’t appropriate to use a simple “only what the company installs on it” strategy for security, particularly with faculty. So our endpoint strategy in security is much more of an “innocent until proven guilty” approach.

    The way this plays out is that we use role-based access. For devices we don’t own, we limit access to well-maintained and monitored services. For devices we do own, we make sure that they are patched and their assigned users have good security training available.

    Q. Why is endpoint security so important in terms of your overall security strategy?

    As one of our vendors puts it, “Your network is only as secure as the devices that are connected.” This means that at the end of the day, after all the firewalls, IDS/IPS, security education and anti-virus have done their work, if someone’s workstation is weak, it can still become a cybercriminal HQ on your network. The resulting data breach would not be good for the students, community or university.

    Q. What does Pepperdine do to manage and secure endpoints?

    We use a NAC to provide role-based access. We evangelize security training and software patching aids for systems we don’t own. For systems we do own, we automate patching of the statistically most exploited software: the operating system, the productivity suite, and the web helper apps — Java, Adobe Flash Player, Adobe Acrobat Reader and the like.

    Q. What endpoint security solutions do you use and find most valuable?

    For systems we own, whatever is determined to be the security baseline must be mandatory. We have found that automation is required, since every other form of maintenance — including posture checking, user education, technicians with flash drives, and even concierge service for executives and high-profile faculty — has been shown to fail to provide a baseline of security.

    We’re using Dell KACE to automate third-party patching and security configuration for systems we own. We’ve also found it useful for tracking down and helping eradicate zero-day infections that have gotten past our anti-virus. Beyond security, the KACE solution lets us provision systems campus-wide. When finance went paperless and we needed Acrobat on every workstation, KACE installed the licensed software in days. When we needed to retire XP before April 2014, KACE gave us an inventory of the 400+ systems to target, and enabled us to upgrade those systems to Windows 7 overnight, instead of having to pull them in to the workbench and interrupt our colleagues’ work.

    Our NAC is a critical system for providing role-based access and for informing people of what to do when their BYOD system is blocked for signs of infection or copyright infringement. Being able to both isolate and inform in one operation has saved tons of help desk calls and, more importantly, tons of student frustration.

    Q. What advice would you give other IT security executives and managers about managing and securing endpoints?

    Don’t accept that security is not possible if a traditional method of control is not available. Take ownership and find another path; be proactive in innovation; publish measures of your success. Invest in automation of the baseline tasks — your users and even technicians were not hired to spend time on these basics. Automation enables these colleagues to focus on things more important to the business than patching and configuration, such as making the most of their technology tools and designing new solutions for business problems.

    Learn more about building a secure mobile enterprise

    As Pepperdine University illustrates, enabling mobility while ensuring security is a worthy and attainable goal for any organization. I’d like to thank Kim Cary for sharing his insights and advice, and I hope you’ve found them helpful as well.

    To learn more about achieving a secure mobile enterprise, read our whitepaper, “The Secure Mobile Enterprise.”

    Christopher Garcia


    Kim Cary

    About Kim Cary | Chief Information Security Officer at Pepperdine University

    Kim's current work is focused on security training, business process consulting, security policy, mission-friendly security system implementation, security event analysis, incident handling and system operations.

    Kim completed his Ed.D. at Pepperdine in 2004 and holds current major security certifications from ISC2 as CISSP and from GIAC as Firewall, Intrusion and Forensics Analyst and Incident Handler. He received his M.Div. at Biola in 1986, and his bachelor's degree in biology at the University of California, Los Angeles in 1979.