Desktop security is one of the high priority domains to most organizations for maintaining stability and productivity. Managing your desktops effectively with zero downtime and with crystal clear desktop security can be little challenging, because patches and updates for different software across the market is not always stable.
Considering the NVD data for vulnerability in 2014 there were 19 vulnerabilities reported per day, at first when you look at this number there is nothing alarming, but when we extra polite this number to a week it will be 133 vulnerabilities per week and 570 for a month. And if we populate this further for a year, it will be around 7000. Desktop security has to be prioritized to avoid these vulnerabilities one step at a time.
Now let’s consider an enterprise has around 1000 computers, so totally there would have been 70,000 vulnerabilities in the year 2014 for this enterprise. Then moving forward to 2015 there were 25 vulnerabilities per day, an increase of 30% compared to 2014, 6435 security vulnerabilities in 2016 and around 2500 vulnerabilities so far in 2017. Proper management and update of these vulnerabilities will help the enterprises in Desktop Security.
System administrator goes for war against vulnerabilities
Let me tell you a story that will explain things in a better way, hope you guys are familiar with David and Goliath story. Consider David as your system administrator and Goliath as your network of vulnerabilities.If these vulnerabilities keep growing day by day, it will eventually make Goliath stronger, leaving David totally weak.
Now what David did was, he used a sling to hit Goliath and finally defeated him. That’s exactly what your system administrators have to do, they need to take the right tool to defeat this Goliath of vulnerabilities.
Let’s start our journey in understanding desktop security.
How dangerous can a vulnerability be to your enterprise?
Let’s look into some real-time scenarios for understanding the need for Desktop Security,
Scenario 1:
Heartbleed Bug incident that created a huge security breach for most of the websites. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. It allows attackers to eavesdrop on communications, steal data directly from the services and users, to impersonate services for users. Two out of three websites were affected by this bug.
Scenario 2:
Operation clandestine fox for Internet explorer, is a vulnerability in internet explorer which allows the attacker to get the complete information of the victim’s computer. It affected the IE version 6 and above whenever a user visited a malicious website. According to Fire eye’s security analysis forum, the vulnerabilities discovered by cyber criminals remain unknown. Since the threat caused by this bug remains unknown, hope it would have caused some serious consequences.
Scenario 3:
There was a big incident in Adobe flash last year. Successful exploitation of this vulnerability, will allow the attacker to take control of the user system who uses adobe flash, if the vulnerability was not patched. Now adobe released patch for this vulnerability only after 4 days, which made the system administrator to patch all the systems in 2 or 3 days before any attacker will exploit this vulnerability.
How to tackle these situations and achieve desktop security?
System administrators have to deal with these complex vulnerabilities and also act quickly to avoid security breach into your enterprise and ensure desktop security. With a heterogeneous platform system administrators will find it difficult to handle these vulnerabilities, adding to all these critical updates, non-critical updates and zero day updates are going to make his work an absolute headache.
System administrators are in need of a patch management software which can deal with all these complexity with at most simplicity. It has to scan and identify missing patches in your enterprise, test and deploy them automatically, help the system administrators to configure schedules for deployment of patches, disable automatic updates, exclude a group and deploy patches based upon user requirements, which will ultimately lead to better desktop security.
But will this alone help in desktop security?
System administrators has to deploy new software, deal with help desk tickets, keep a record of hardware and software that are connected to your network, troubleshoot remote systems, deal with downtime, deploy various configurations for computers and users. These are fundamental necessities for an effective desktop management and enhanced desktop security.
All system administrators can be smart:
Not every system administrator will same amount of knowledge and expertise but they need to handle their assigned networks and desktops effectively. Here are some points that will make them smart.
▪ Software usage has to be metered to understand the usage level of each software so that the licenses can be bought after analysing their usage.
▪ Identifying and uninstalling prohibited software from your network.
▪ Blocking Exe’s that are strictly prohibited.
▪ Managing your mobile devices and having a hold on your enterprise devices right from your desk and even on move is definitely going to make system administrators king of network management.
Managing desktop with the right procedure will make way for secured enterprise, which we can rephrase as “Enterprise security depends on Desktop Security”
So how can we achieve desktop security so easily?
There are few market players who are good at this, for example SCCM provides almost everything except one major feature, that is “Third Party Patching”*, technicians have to go for a Add on or extension to the original package, apart from this chat support, rebranding and block EXE features are not yet available with SCCM. There is one solution which can help you in everything, including third-party patch management and anti-virus protection, that is ManageEngine Desktop Central.
It is a Web-based Windows software application for desktop administration. This solution works on server and client based model. Initially you need to install a Desktop Central server in a system and then install a agent in another computer on demand or manually which you want to manage and that’s all you are ready to start managing that system remotely.
Let’s look into Desktop Central’s architecture in detail.
*ManageEngine has also Add-On for SCCM called Patch Connect Plus, that helps in Non-Microsoft patching for 250+ third party applications, that starts at just $495 dollars for 100 computers and single user license
Desktop Central LAN Architecture
The LAN architecture of Desktop Central comprises the following components:
● Server
● Agent
● Patch Database
● Web Console
● Active Directory
Desktop Central Components in detail
Server
The Desktop Central server is located in the customer’s site. For example, the customer’s head office. This server enables the completion of various desktop-management tasks to help administrators manage computers in the company’s network effectively.
Some of the tasks include the following,
● Installing the agent in computers in the customer’s network
● Deploying configurations
● Scanning for inventory and patches
● Generating reports. For example, reports related to Active Directory infrastructure components
It is recommended that the Desktop Central server is not switched off. It should be switched on constantly to complete various desktop-management tasks on a daily basis. All the desktop-management tasks can be completed using Desktop Central’s Web-based administration console.
Agent
The Desktop Central agent is a lightweight software application that is installed in computers which are managed using Desktop Central. It is installed automatically in the computers in a LAN. It helps to complete various tasks that are initiated in the Desktop Central server.
For example, if you want to uninstall a software application from a computer in your network, you can make the required settings for this task in the Desktop Central server. The agent replicates these settings and ensures that the task is completed effectively. The agent also updates the Desktop Central server with the status of configurations that are deployed. It checks the Desktop Central server periodically for instructions related to tasks and completes the same.
Patch Database
The patch database is a portal on the ManageEngine Web site. It hosts the latest vulnerability database that is published after patches have been tested. The Desktop Central server synchronizes this information periodically and scans the computers in the network to determine which patches are missing. The patches that are missing are installed in the computers that are missing them.
The communication between the Desktop Central server and the patch database takes place either through a proxy server or through a direct connection to the Internet. The required patches are downloaded from the respective vendors’ Web sites and stored in the Desktop Central server before deploying them to computers in the network. The agents copy the required patch binaries from the Desktop Central server.
Web Console
The Web console of Desktop Central provides a central point from where an administrator can manage all the tasks that are related to desktop management. This console can be accessed from anywhere. For example, it can be accessed through a LAN, WAN and from home using the Internet or a VPN. Separate client installations are not required to access the Web console.
Active Directory
In an Active Directory-based domain setup, the Desktop Central server gathers data from the Active Directory to generate the reports for the following,
● Sites
● Domains
● Organizational Units (OUs)
● Groups
● Computers
This enables administrators to access all the information that is stored by the Active Directory.
Desktop Central WAN Architecture
The WAN architecture of Desktop Central comprises the following components,
● Server
● Distribution Server
● Agent
● Web Console
Desktop central WAN architecture brings one extra component to play that is Distribution server, the main purpose of this is to reduce the bandwidth consumption across enterprise branches.
Distribution Server
Desktop Central Distribution Server is light-weight software that is installed in one of the computers in the Branch Offices. This agent will communicate with the Desktop Central Server to pull the information for all the computers in that branch. The agents that reside in the branch office computers will contact the Distribution Server to get the information available to them and process the requests.
● Low bandwidth utilization as only one agent will contact the Server periodically
● Pulls the configuration details, software packages, patches to be installed, etc., from the Desktop Central Server and makes it available for the rest of the computers in the branch.
● Supports secured mode of communication (SSL/HTTPS) with the Server.
● Distribution Server installation is one-time and subsequent upgrades will be automatically performed.
Desktop Central’s MDM Architecture
- Any communication from Desktop Central to the device is routed through Apple Push Notification service (APNs) via TCP port 2195 for iOS devices and through GCM via TCP port 80 for Android Devices
- As per Apple IOS MDM protocol, all iOS devices maintain a dedicated TCP connection with APNs at TCP Port 5223. Desktop Central leverages this to wake up a device using APNs.
- Device communicates with Desktop Central Server for available instructions at port 8383 using a secured connection.
- Executes the instructions and reports back to Desktop Central Server with the status/data at port 8383 securely.
Advantage of using Desktop Central’s Mobile Device Management architecture
The advantages of using the MDM architecture of Desktop Central include the following,
● Agent less, Over-the-Air (OTA) Management.
● Uses Apple’s Push Notification Service/ Android GcM for communication.
● Profiles and Policies gets deployed immediately.
● All communications to and from the mobile device is secured.
Desktop Central Pricing
Desktop Central offers a fully functioning free version for 50 end points (25 desktops and 25 mobile devices). Its professional edition helps in managing 50 computers, with one technician access at $645 and manages desktops only in LAN, while its enterprise edition helps in managing 50 computers, with one technician access at $795 and manages desktops across LAN and WAN.
Add on’s available are MDM, Multi-Language packs and failover server support. MSP version is also available with them. ManageEngine Desktop Central is not only better in Desktop Security management but also economical, because they support flexible pricing, with different slab rates.
Do you want to manage your desktop for free 24/7 ?
ManageEngine satisfies this requirement too, it has a free tool called Free Windows Admin Tools which contains 15 free tools that helps you deal with all windows management issues, right from remote troubleshooting to remotely shutting down and restarting your user systems.
This is tool is completely free and has no hidden costs.
Free Windows Admin Tools- Screenshot
Well now we have looked into the general overview of ManageEngine Desktop Central and two other products.
I will continue posting about Desktop Central’s module wise features, enhancements, their capabilities, and necessity in desktop management in my future posts, until then keep your desktop security up and stay connected.
UseIT | Roman Levchenko 
Reblogged this on Lionel Messi.
Thanks for such a useful article Roman.