As every admin knows, controlling what your users can actually do on your network is an uphill task. The latest attempt to deal with the endpoint security, with tools appearing from a variety of directions - from Microsoft itself, from NAC (network access control) suppliers, and from developers specialising in system deployment and management, such as Altiris, LANdesk, ScriptLogic and others.

However, simply preventing users from doing certain things omits other parts of the puzzle - and can even make things worse if it doesn't take proper account of circumstance or location, argues Christine Ewing, security & compliance market segment manager at Altiris.

"We need to integrate mitigation capabilities to harden networks," she says. "But problems restart once the user gets hold of the system - they add USB devices, connect to wireless LANs... So you need to look at putting controls on how data can leave the system, without that impacting on user productivity."

She says that while it all starts with policies, it's vital that they be granular and flexible, plus there also have to be policies for when things do go wrong.

"We look at recommendations from various sources and translate those into templates," she adds. "That process highlights the elements most likely to cause a system breach. The important thing is to close the loop by adding a remediation process."

Some of those risks aren't always obvious. For example, most PCs will have an admin-level password, and if a user learns that, it might not just be the machine on their own desk that it gives them access to. "Local admin passwords are an oft-ignored risk," Ewing explains. "The tendency is to use the same one for all of an organisation's PCs."

So Altiris has come up with software that automatically generates randomised passwords for machines, which it then stores in its master configuration database.

Location, location, location

An increasingly important factor when it comes to controlling a user's activity is their current location, Ewing adds. "Organisations try to control by saying things are not allowed, but that doesn't work," she says. "So you need the ability to flexibly control policy, dependent on where the user is, using a location-aware agent."

Her argument is that some activities are safe in the office but might be dangerous at home, say, while others might be appropriate for use on the road but not in the office. That means you might want to allow users to copy data to an encrypted USB stick, but not an ordinary one, or enforce their use of a VPN when connecting through a public Wi-Fi hotspot. Similarly, you might want to make a device read-only when it's out of the office, or block data transfers via infra-red or Bluetooth.

She continues, "Our control is more granular than Vista's, for example. We can define locations, types of devices, the type of wireless networks to connect to the level of encryption required, and so on."

Defend the desktop

One other area to worry about when it comes to defending your organisation's data is to keep control of what software is running on your machines, Ewing says.

So endpoint security needs to include a personal firewall and application control software. Ewing says that unlike the Windows XP firewall, which relies on the user to make the right decision in response to a system prompt, the Altiris endpoint software also modifies the user's ability to install or execute programs.

(Incidentally, Microsoft has reportedly dropped application rights management from Longhorn. However it has also acquired similar technology via its purchase of Winternals, which had developed tools to block users from running or installing apps without authorisation, so it may yet reappear on the menu.)

Ewing points out that the threat comes not just from Trojans and worms, but from genuine but unauthorised software which could allow users to leak data out, wittingly or unwittingly. And she says there are issues too with privileges, where applications can grab more authority than they or the user actually needs.

"Application control software can deny a keylogger from hooking the keyboard, for example," she said. "But you can also demote an application's privileges, for example to stop Internet Explorer running with admin rights - or promote a legacy app that needs admin privileges to run, without promoting the user as well."