The New Windows Security – Achieving PC Lockdown without User Backlash in Five Easy Steps

Remember the good old days, when an anti-malware solution was “good enough” PC security? Life was easier back then. IT problems were simpler, and PCs seemed easier to maintain: Grant administrator privileges to a troublesome user, and his or her issues just melted away. Those days are over now. Managing that same network in today’s world requires greater effort and smarter solutions. Throwing administrator privileges at a user issue is no longer the everyday practice; it’s a resume-producing event. Today’s Windows security requires locking down PCs and their installed applications in new and unexpected places. Unapproved apps must be blocked from execution, and administrator privileges must be removed—all without impacting users.

Makes you miss the old days, doesn’t it?

Thankfully, new approaches are evolving to meet IT’s new demands. One can’t simply lock down a PC by eliminating administrator rights and blocking applications—not impacting users means treading lightly. You’ll need intelligent tools, a gentle touch and just the right amount of communication to achieve modern-day PC lock-down with user satisfaction.

Concerned about how to get there? Consider these five steps as your guide for PC lockdown success:

Step 1: Targeted approval

Step 2: Configuration Lockdown

Step 3: Selective elevation

Step 4: Integrated service desk

Step 5: User self-service

PC lockdown is a balancing act: organizations need to give users the tools and flexibility they need to do their jobs while avoiding the security, compliance and other risks that local administrative rights introduce. Implementing the best practices explored in this white paper requires the right tools. With the K1000 Management Appliance and Desktop Authority Management Suite, enterprises can maximize user productivity while also maintaining centralized control over security policies.

Download The New Windows Security – Achieving PC Lockdown without User Backlash in Five Easy Steps to learn more about these steps that will enable you to ensure that users get the most benefit from today’s information technologies, while also safeguarding the content and configuration of their systems.

Posted in New Posts | Leave a comment

Here’s what’s coming up in KACE Kontinuing Education

KACE Kontinuing Education (KKE) is an ongoing free supplement to JumpStart training. Each week we offer new topics and/or revisit popular ones. Pay close attention to the session time, language, and topics that you’re interested in. The complete list, along with registration information and recordings, is always available at www.kace.com/KKE. Send ideas for topics you’d like added!





16-Apr 7 AM PST; 10 AM EST; 3 PM GMT English Understanding K1000 Log Files / Troubleshooting Tips
17-Apr 8 AM PST; 11 AM EST; 4 PM GMT English Technician Toolkits
22-Apr 8 AM PST; 11 AM EST; 4 PM GMT English Post Install Tasks…What’s after the OS?
23-Apr 7 AM PST; 10 AM EST; 3 PM GMT English K1000 – Advanced Software Distribution
24-Apr 8 AM PST; 11 AM EST; 4 PM GMT English Open Q&A Forum
29-Apr 7 AM PST; 10 AM EST; 3 PM GMT French Automatiser avec KACE
29-Apr 7 AM PST; 10 AM EST; 3 PM GMT Portuguese K2000 – Migrando para Windows 7 e 8
29-Apr 9 AM PST; 1 PM EST; 5 PM GMT English Patching Week 101: Basics and Beyond
30-Apr 7 AM PST; 10 AM EST; 3 PM GMT English K1000 – Scripting 101
1-May 9 AM PST; 1 PM EST; 5 PM GMT English Patching Week 201: Testing & Automation
6-May 9 AM PST; 1 PM EST; 5 PM GMT English Under the Microscope: K1 Agent
7-May 7 AM PST; 10 AM EST; 3 PM GMT English Getting the most out of the Software Catalog

Dr. K’s Korner – Customer Q&A

Every month we take questions for Dr. K. and answer the best one in front of the world!

Have a question for Dr. K? Send an e-mail to kketeam@kace.com

Question: Dr. K- Is it possible to get instant alerts when software is detected/no longer detected? If so, how?

Answer: Well, not really “instant”, but you can get them pretty quickly. A few terminology things to keep in mind-

  • Alerts=Desktop Messaging; Displayed locally upon agent inventory.
  • E-Mail Alerts=E-mail to specific user about a condition; sent up to every 15 minutes.
  • Scheduled Reports=Highly customizable E-Mail; sent up to every hour.

With that in mind, you might choose to use any or all of the options. For example- a good alert might be detecting the presence of unwanted software and displaying a desktop alert to the user reminding them of a policy; supplement that with a script or Managed Install to remove the software title. A good notification or report might be something like this:


There are many other examples of SQL and similar approaches on ITNinja. One of my favorite examples that shows some good efforts towards filtering out commonly accepted items such as patches is http://www.itninja.com/question/software-changes-history. Adjust the interval portion to fit your desired schedule so you don’t get too much overlap. For example, if I were running the report daily, I’d set the interval to INTERVAL 2 DAY, but if I were getting mail hourly I’d likely set it to INTERVAL 90 MINUTE. Hope that helps!

Thanks for the question – I’ll get you a prize soon for picking your question!
—Dr. K


Best Practices for Migration from Windows XP – Phase III: Deployment

Today, April 8, 2014, is the last ‘Patch Tuesday’ for PCs running on Windows XP.  No more support from Microsoft and no more patches fixing newly discovered security holes.  Even though the end of life date for XP has been known for years, Windows XP still remains the second most popular operating system out there behind Windows 7 – with approximately a fourth of the world’s PCs still running on Windows XP (slightly higher for consumer, slightly lower for businesses and government)[1].  If you have not migrated off of XP, it is time to start.  Dell Software has established a four-phase process for successful and timely migration of your devices from Windows XP to Windows 7 or 8, and provides the tools to automate and simplify each step:

This is the third in a series of four blog posts discussing each of these phases.

Phase III – Deployment:  Migration of systems and user content

Once you have inventoried your environment and decided what will be migrated over and have made sure that all of your applications will work on the new OS, the next step is the actual deployment of the new OS to your machines.  You can do a number of things to make this step faster and more reliable.

First, use a systems imaging solution that will allow you to create a small number of thin, hardware-independent “gold master” images that can easily be kept up to date.  Create a few core images and then layer unique drivers, updates, applications, configurations, and user settings on top of the image as required.  This allows you to significantly reduce the number and size of master images and greatly simplifies image management.

Second, use a solution that offers a centralized deployment system that supports network installations and installations to remote sites.  Forcing users to bring their PCs to IT for imaging or having IT visit each location can be a great resource drain as well as cause a significant loss in productivity during the migration process.  In addition, distributing images to each remote client separately can be an extremely bandwidth-intensive process.  Use a solution that can deploy images to systems over the network and to locations that have little or no on-site IT support and/or are subject to limited bandwidth availability.  A solution that can create replication servers on remote sites to act as local distribution points for deploying images – the image file is transferred once to a single host system at the remote site, which then deploys the image to local individual systems – can help with this process and greatly reduce bandwidth consumption.

Finally, use a solution that has automated system deployment functionality built in, including automation of complex pre- and post-installation tasks, such as user state migration, post OS installation of applications, and multiple system reboots.  By automating complex tasks, you can initiate unattended deployments during off-work hours, minimizing both the time consumed by IT and the disruption to end users.  If you are engaging in a large scale migration project and refreshing hardware as part of the process, a solution that can multicast – deploy an image to multiple systems simultaneously – can also greatly speed up the time it takes to get your systems off Windows XP.

The Dell KACE K2000 Deployment Appliance is the ideal solution for the Deployment Phase of your Windows Migration project.  The K2000 provides for deployment of thin, hardware independent “gold master” system images, making it easier to maintain a small number of up-to-date images, further minimizing post-installation tasks because they are editable and can be hardware-independent.  The K2000 also simplifies driver management by automatically downloading a feed of the latest drivers from Microsoft and Dell, which are organized by computer model.  In addition, the K2000 supports deployment over your network as well as through remote site servers that require no IT support and virtually no dedicated hardware at those remote sites.  Finally, K2000’s powerful task engine automates all systems deployment tasks, including disk imaging, OS and application provisioning, user state migration, and repair and recovery for systems that won’t boot.  The task engine provides real time communication between the K2000 and the systems being deployed and also is tightly integrated with K2000 multicast deployment capabilities.  This allows for true “lights off” deployment – the ability to set a large number of systems to image overnight, go home, and come back in the morning with the task complete.

To find out more about how the KACE Appliances can help you with your Windows Migration project, please see:

An upcoming Dell webcast on end of XP support by Microsoft

A joint IDC and Dell KACE webinar on Windows Migration

A Dell Whitepaper on Windows Migration



Dr. K’s Korner – Ideas For Success


This segment will take a look at Rich Trouton’s various shell scripting examples and how they might be useful when deploying OS X images. Rich is a Mac system admin and author of Der Flounder, an excellent resource for all things OS X administration. The following script examples can be found at Rich’s github repository. Many of these snippets will save you the time of configuring mundane settings or tweaking the more consumer-oriented behavior of OS X. These scripts might be useful from the K1000 or the K2000, depending on what you’re trying to accomplish, and when. Let’s dive into a few select portions of the scripting:

We can easily set/adjust a time zone during/after the imaging process so it’s set how we like it:

    # Run systemsetup -listtimezones to see what options you might want to use
    # in $TimeZone. Example: "US/Central" or "US/Eastern"
    TimeZone="US/Central"
    # Set the time zone:
    /usr/sbin/systemsetup -settimezone "$TimeZone"

If ever we want to use a disk for Time Machine, we’ll set it up. No need to ask for every hard drive I attach. A simple bit of scripting that saves your help desk from getting calls whenever someone plugs in an external drive:

    # Disable Time Machine's pop-up message whenever an external drive is plugged in
    defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

Unify the Finder display format every time it opens so users can be more productive:

    # Configure Finder to use Column View
    defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.finder "AlwaysOpenWindowsInColumnView" -bool true

An excellent security tweak: this locks down the environment so users can’t log in as root, whether intentionally or accidentally, and seriously damage the local system:

    # Disable root login by setting root's shell to /usr/bin/false
    dscl . -create /Users/root UserShell /usr/bin/false

SSH, like VNC, allows for remote management that you might want or need as an administrator:

    # Turn SSH on
    systemsetup -setremotelogin on

Disabling Gatekeeper isn’t necessarily a great idea, but it might be desired in some situations:

    # Turn off Gatekeeper
    spctl --master-disable
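Once snippets like the ones above are baked into an image, it helps to confirm what state a deployed Mac actually ended up in. The following post-deployment check is an added example, not code from Rich Trouton's repository or from KACE; the function names, the `WANT_*` baseline values and the sample output are assumptions made for illustration, and Gatekeeper being disabled is reported as a finding to review.

```shell
# Added example: audit the settings changed by the snippets above.
# WANT_* is an assumed site baseline; adjust to your own policy.
WANT_TZ="US/Central"; WANT_SSH="On"

# Value after "Label: " in one-line output such as "Time Zone: US/Central".
field() { printf '%s\n' "$1" | sed -n 's/^[^:]*: *//p' | head -n 1; }

# audit NAME OUTPUT -> exit 0 if OUTPUT matches the baseline, non-zero if not.
audit() {
  case "$1" in
    timezone)     [ "$(field "$2")" = "$WANT_TZ" ] ;;
    tm_prompt)    [ "$2" = "1" ] ;;
    root_shell)   [ "$(field "$2")" = "/usr/bin/false" ] ;;
    remote_login) [ "$(field "$2")" = "$WANT_SSH" ] ;;
    gatekeeper)   [ "$2" = "assessments enabled" ] ;;
    *)            return 2 ;;
  esac
}
# Live state on a Mac (run as root; systemsetup requires it).
collect() {
  case "$1" in
    timezone)     systemsetup -gettimezone ;;
    tm_prompt)    defaults read /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup ;;
    root_shell)   dscl . -read /Users/root UserShell ;;
    remote_login) systemsetup -getremotelogin ;;
    gatekeeper)   spctl --status ;;
  esac
}
# Constructed sample output: an image where Gatekeeper was left disabled.
sample() {
  case "$1" in
    timezone)     echo "Time Zone: US/Central" ;;
    tm_prompt)    echo "1" ;;
    root_shell)   echo "UserShell: /usr/bin/false" ;;
    remote_login) echo "Remote Login: On" ;;
    gatekeeper)   echo "assessments disabled" ;;
  esac
}
# audit_all SOURCE -> one PASS/FAIL line per check, then the failure count.
audit_all() {
  fails=0
  for name in timezone tm_prompt root_shell remote_login gatekeeper; do
    out=$("$1" "$name" 2>/dev/null || true)   # keep output even on non-zero exit
    if audit "$name" "$out"; then echo "PASS $name"
    else echo "FAIL $name: ${out:-no output}"; fails=$((fails + 1)); fi
  done
  echo "$fails"
}

# Use live values on macOS, the constructed sample anywhere else.
if [ "$(uname -s)" = "Darwin" ]; then audit_all collect; else audit_all sample; fi
```

The last line of output is the number of settings that differ from the baseline, which makes the script easy to wire into an inventory rule or a scheduled report.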

As you can see, Mr. Trouton’s scripts can save you a lot of time and money. If you need to do something to one Mac, there’s a fair chance you need to do it to more, so write a script and make it easy! We have barely scratched the surface of all of the different scripts available, so do check out the github repository in addition to the endless possibilities that you’ll find via your favorite search engine. If you want to do something to multiple devices, there’s probably a solution out there- don’t be afraid to try and/or ask in ITNinja forums.
