Least Privilege Security for Windows 7, Vista and XP


Least Privilege Security for Windows 7, Vista and XP
eBook: $35.99
Formats: PDF, PacktLib, ePub and Mobi formats
$30.59
save 15%!
Print + free eBook + free PacktLib access to the book: $95.98    Print cover: $59.99
$59.99
save 37%!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Overview
Table of Contents
Author
Reviews
Support
Sample Chapters
  • Implement Least Privilege Security in Windows 7, Vista and XP to prevent unwanted system changes
  • Achieve a seamless user experience with the different components and compatibility features of Windows and Active Directory
  • Mitigate the problems and limitations many users may face when running legacy applications
  • Distribute applications, updates and ActiveX Controls to least privilege users with Group Policy, application virtualization and the ActiveX Installer Service
  • Ensure reliable remote access for IT administrators to support users by configuring support features and firecall access

Book Details

Language : English
Paperback : 464 pages [ 235mm x 191mm ]
Release Date : July 2010
ISBN : 1849680043
ISBN 13 : 9781849680042
Author(s) : Russell Smith
Topics and Technologies : All Books, Microsoft Other, Networking and Servers, Enterprise, Microsoft


Table of Contents

Preface
Chapter 1: An Overview of Least Privilege Security in Microsoft Windows
Chapter 2: Political and Cultural Challenges for Least Privilege Security
Chapter 3: Solving Least Privilege Problems with the Application Compatibility Toolkit
Chapter 4: User Account Control
Chapter 5: Tools and Techniques for Solving Least Privilege Security Problems
Chapter 6: Software Distribution using Group Policy
Chapter 7: Managing Internet Explorer Add-ons
Chapter 8: Supporting Users Running with Least Privilege
Chapter 9: Deploying Software Restriction Policies and AppLocker
Chapter 10: Least Privilege in Windows XP
Chapter 11: Preparing Vista and Windows 7 for Least Privilege Security
Chapter 12: Provisioning Applications on Secure Desktops with Remote Desktop Services
Chapter 13: Balancing Flexibility and Security with Application Virtualization
Chapter 14: Deploying XP Mode VMs with MED-V
Index
  • Chapter 1: An Overview of Least Privilege Security in Microsoft Windows
    • What is privilege?
    • What is Least Privilege Security?
      • Limiting the damage from accidental errors with Least Privilege Security
      • Reducing system access to the minimum with Least Privilege Security
    • Least Privilege Security in Windows
      • Windows 9.x
      • Windows NT (New Technology)
      • Windows 2000
      • Windows XP
      • Windows Vista
      • Windows 7
    • Advanced Least Privilege Security concepts
      • Discretionary Access Control
      • Mandatory Access Control
      • Mandatory Integrity Control
      • Role-based Access Control
    • Least Privilege Security in the real world
    • Benefits of Least Privilege Security on the desktop
      • Change and configuration management
      • Damage limitation
      • Regulatory compliance
      • Software licensing
    • What problems does Least Privilege Security not solve?
    • Common challenges of Least Privilege Security on the desktop
      • Application compatibility
      • System integrity
      • End user support
    • Least Privilege and your organization's bottom line
      • Determining the affect of Least Privilege Security on productivity
      • Reducing total cost of ownership
      • Improved security
    • Summary
  • Chapter 2: Political and Cultural Challenges for Least Privilege Security
    • Company culture
      • Defining company culture
      • Culture shock
      • Culture case studies
        • Company A
        • Company B
    • Getting support from management
      • Selling Least Privilege Security
        • Using key performance indicators
        • Using key risk indicators
        • Mapping CSFs to KPIs
        • Security metrics
        • Threat modeling
        • Reducing costs
        • Security adds business value
      • Setting an example
    • User acceptance
      • Least Privilege Security terminology
      • Justifying the decision to implement Least Privilege Security
    • Applying Least Privilege Security throughout the enterprise
      • Deciding whom to exempt from running with a standard user account
        • What not to do
    • Managing expectations
      • Service catalog
      • Chargebacks
    • Maintaining flexibility
    • User education
    • Summary
  • Chapter 3: Solving Least Privilege Problems with the Application Compatibility Toolkit
    • Quick compatibility fixes using the Program Compatibility Wizard
      • Applying compatibility modes to legacy applications
      • Program Compatibility Wizard
      • Program Compatibility Assistant
        • Disabling the Program Compatibility Assistant
        • Excluding executables from the Program Compatibility Assistant
    • Achieving application compatibility in enterprise environments
      • Compatibility fixes
        • Modifying applications using shims
        • Enhancing security using compatibility shims
        • Deciding whether to use a shim to solve a compatibility problem
      • Creating shims for your legacy applications
      • Solving compatibility problems with shims
        • LUA compatibility mode fixes in Windows XP
        • Creating your own custom database
        • Maxthon on Windows XP
        • Working with other commonly used compatibility fixes
      • Working with custom databases
        • Adding new shims to your custom database (merging custom databases)
        • Temporarily disabling compatibility fixes
        • Installing a custom database from Compatibility Administrator
        • Deploying a database to multiple devices
    • Summary
  • Chapter 4: User Account Control
    • User Account Control components
      • Elevation prompts
      • Protected administrator (PA)
      • Windows Integrity Control and User Interface Privilege Isolation
      • Application Information Service
      • Filesystem and registry virtualization
      • Internet Explorer Protected Mode
    • The shield icon
    • User Account Control access token model
      • Standard user access token
      • Protected administrator access token
    • Conveniently elevating to admin privileges
      • Automatically launching applications with admin privileges
      • Consent and credential elevation prompts
      • Application-aware elevation prompts
      • Administrator accounts
      • Elevation prompt security
      • Securing elevated applications
        • Windows Integrity Mechanism
        • User Interface Privilege Isolation
      • Achieving application compatibility
        • Application manifest
        • Power Users
        • Windows Logo Program
      • Filesystem and registry virtualization
        • Filesystem virtualization
        • Registry virtualization
      • Windows Installer and User Account Control
        • Automatically detecting application installers
      • Controlling User Account Control through Group Policy
        • Admin Approval Mode for the built-in administrator account
        • Allowing UIAccess applications to prompt for elevation without using the secure desktop
        • Behavior of the elevation prompt for administrators in Admin Approval Mode
        • Behavior of the elevation prompt for standard users
        • Detect application installations and prompt for elevation
        • Only elevate executables that are signed and validated
        • Only elevate UIAccess applications that are installed in secure locations
        • Run all administrators in Admin Approval Mode
        • Switch to the secure desktop when prompting for elevation
        • Virtualize file and registry write failures to per-user locations
      • What's new in Windows 7 User Account Control
        • User Account Control slider
        • Auto-elevation for Windows binaries
        • More settings accessible to standard users
    • Summary
  • Chapter 5: Tools and Techniques for Solving Least Privilege Security Problems
    • Granting temporary administrative privileges
      • Granting temporary administrative access using a separate logon (Vista and Windows 7 only)
        • Creating three support accounts
        • Creating a policy setting to automatically delete the support account at logoff
        • Testing the support accounts
        • Putting into practice
      • Granting temporary administrative access without a separate logon
        • Creating a batch file to elevate the privileges of the logged in user
        • Testing the procedure
        • Limitations of the procedure
    • Bypassing user account control for selected operations
      • Using Task Scheduler to run commands with elevated privileges
        • Running the Scheduled Task as a standard user
    • Configuring applications to run with elevated privileges on-the-fly
    • Solving LUA problems with Avecto Privilege Guard
      • Defining application groups
      • Defining access tokens
      • Configuring messages
      • Defining policies
      • Solving LUA problems with Privilege Manager
        • Defining Privilege Manager rules
    • Suppressing unwanted User Account Control prompts
      • Modifying application manifest files
        • Editing manifests using Resource Tuner
        • Modifying manifests using the RunAsInvoker shim
    • Setting permissions on files and registry keys
      • Identifying problems using Process Monitor
      • Modifying permissions on registry keys and files with Group Policy
    • Fixing problems with the HKey Classes Root registry hive
      • Using Registry Editor to copy keys from HKCR to HKCU
    • Mapping .ini files to the registry
    • Using LUA Buglight to identify file and registry access violations
    • Summary
  • Chapter 6: Software Distribution using Group Policy
    • Installing software using Group Policy
      • Installing software using Windows Installer
      • Deploying software using Group Policy
      • Comparing Group Policy Software Installation with system images for software distribution
        • Choosing between thin and fat images
      • Preparing applications for deployment
        • Extracting .msi files from setup packages
        • Using command-line switches for silent installs and customization
        • Deploying system changes using Group Policy startup scripts
        • Creating an .msi wrapper
        • Repackaging an application with a legacy installer
      • Customizing an installation package
        • Customizing Acrobat Reader's MSI installer using Adobe Customization Wizard 9
      • Using the Distributed File System with GPSI
        • Creating a DFS namespace
        • Adding a folder to the namespace
      • Deploying software using GPSI
        • Configuring software installation settings
        • Targeting devices using WMI filters and security groups
      • Upgrading software with GPSI
      • Uninstalling software with GPSI
        • Removing software when it falls out of scope of management
        • Removing .msi packages from Group Policy Objects
    • Summary
  • Chapter 7: Managing Internet Explorer Add-ons
    • ActiveX controls
      • Per-user ActiveX controls
        • Changing the installation scope to per-user
      • Best practices
      • Deploying commonly used ActiveX controls
        • Deploying Adobe Flash and Shockwave Player
        • Deploying Microsoft Silverlight
      • ActiveX Installer Service
        • Enabling the ActiveX Installer Service
        • Determining the ActiveX control host URL in Windows 7
        • Determining the ActiveX control host URL in Windows Vista
        • Configuring the ActiveX Installer Service with Group Policy
        • Testing the ActiveX Installer Service
    • Managing add-ons
      • Administrator approved controls
        • Determining the Class Identifier CLSID of an installed ActiveX control
        • Adding ActiveX controls to the Add-on List
    • Summary
  • Chapter 8: Supporting Users Running with Least Privilege
    • Providing support
      • Preparing to support least privilege
    • Troubleshooting using remote access
      • Troubleshooting for notebook users
        • The notebook challenge
        • Having the right tools in place
        • Notebook users who seldom visit the office
        • Setting out IT policy
        • Other functions the help desk might require
        • The last resort: An administrative backdoor for notebooks
    • Enabling and using command-line remote access tools
      • WS-Management
        • Configuring WS-Management with Group Policy
        • Connecting to remote machines using WS-Management
      • Automating administration tasks using PowerShell Remoting
    • Enabling and using graphical remote access tools
      • Enabling Remote Assistance
        • Different types of Remote Assistance
        • Enabling Remote Assistance via Group Policy
        • Offering a computer unsolicited Remote Assistance: DCOM
        • Sending Remote Assistance invitations
        • Initiating Remote Assistance from the command line
        • Connecting to remote PCs using Easy Connect
      • Remote Desktop
      • Connecting to a remote computer using the Microsoft Management Console (MMC)
    • Configuring Windows Firewall to allow remote access
      • Creating a GPO for Windows Firewall in Windows 7
        • Importing Windows 7 Firewall rules to a GPO
        • Modifying the default Windows Firewall rules
        • Adding additional inbound exceptions for remote administration
        • Creating a WMI filter to restrict the scope of management to Windows 7
        • Linking the new GPO to the Client OU
        • Checking the GPO applies to Windows 7
      • Creating a GPO for Windows Firewall in Vista
        • Enabling the Remote Assistance and Remote Administration inbound exceptions for the Domain profile
        • Creating a WMI query for Windows Vista
      • Creating a GPO for Windows Firewall in Windows XP
        • Configuring GPO settings
        • Creating an exception for WS-Management
        • Creating an exception for Remote Desktop
        • Creating an exception for Remote Administration
        • Creating an exception for Remote Assistance
        • Creating a WMI filter to restrict the scope of management to Windows XP
        • Linking the new GPO to the Client OU
    • Summary
  • Chapter 9: Deploying Software Restriction Policies and AppLocker
    • Controlling applications
      • Blocking portable applications
      • Securing Group Policy
        • Preventing users from circumventing Group Policy
    • Implementing Software Restriction Policy
      • Creating a whitelist with Software Restriction Policy
        • Defining hash rules
        • Defining path rules
        • Trusting software signed by a preferred publisher (Certificate Rules)
        • Making exceptions for IE zones (Network/Internet Zone Rule)
      • Creating a whitelist with Software Restriction Policy
      • Configuring applications to run as a standard user
    • AppLocker
      • Automatically generating AppLocker rules
      • Manually creating an AppLocker rule to blacklist an application
      • Importing and exporting AppLocker rules
    • Summary
  • Chapter 10: Least Privilege in Windows XP
    • Installing Windows XP using the Microsoft Deployment Toolkit
      • Providing a Volume License product key for an MDT XP Task Sequence
    • Windows XP security model
      • Power users
      • Network Configuration Operators
      • Support_<1234>
      • User rights
        • Modifying logon rights and privileges
    • CD burning
      • Third-party CD/DVD burning software
        • Nero Burning ROM
        • Allowing non-administrative users to burn discs in CDBurnerXP
      • Additional security settings
        • Restricting access to removable media
    • ActiveX controls
      • Flash Player
      • Acrobat Reader
      • Silverlight
      • Other popular ActiveX controls
        • RealPlayer
        • QuickTime
        • Sun Java Runtime Environment
        • Alternatives to QuickTime and RealPlayer
    • Changing the system time and time zone
      • Changing the system time
      • Changing the time zone
        • Setting time zone registry permissions using a GPO
    • Power management
      • Managing power settings with Group Policy Preferences
        • Creating a GPO startup script to install GPP CSEs
        • Configuring power options using Group Policy Preferences
      • Configuring the registry for access to power settings
    • Managing network configuration
      • Configuring Restricted Groups
    • Identifying LUA problems using Standard User Analyzer
    • Summary
  • Chapter 11: Preparing Vista and Windows 7 for Least Privilege Security
    • The Application Compatibility Toolkit
      • Application Compatibility Manager
      • Installing and configuring ACT
    • Creating a Data Collection Package
      • Analyzing data collected by ACT
    • Printers and Least Privilege Security
      • Installing printers using Group Policy Preferences
      • Installing printers using Windows Server 2003 Print Management and Group Policy
      • Installing printers using a script
    • Logon scripts
      • Synchronizing the system time
      • Updating antivirus definitions
      • Changing protected system configuration
      • Mapping network drives and printers
      • Creating desktop shortcuts
    • Why do a desktop refresh from a technical perspective?
    • Different methods of reinstalling Windows
      • Manual, non-destructive install
      • Automated install
    • Reinstall Vista or Windows 7 with Least Privilege Security
      • Installing the Microsoft Deployment Toolkit
      • Creating a deployment share
      • Adding an operating system image
      • Adding core packages to our Lite Touch installation
      • Updating our deployment share
      • Preserving default local group membership
      • Refreshing our OS with the Windows Deployment Wizard
    • Summary
  • Chapter 12: Provisioning Applications on Secure Desktops with Remote Desktop Services
    • Introducing Remote Desktop Services
      • Installing Remote Desktop Session Host and Licensing roles
      • Controlling access to the Remote Desktop Server
      • Installing the Remote Desktop Gateway
        • Creating Connection (CAP) and Resource (RAP) Authorization Policies
        • Installing the RD Gateway SSL Certificate in Windows 7
        • Connecting to a Remote Desktop Server via an RD Gateway from Windows 7
      • Installing applications on Remote Desktop Servers
        • Publishing applications using Remote Desktop Services
      • Managing Remote Desktop Services licenses
        • Understanding Remote Desktop Licensing
        • Revoking Per Device Remote Desktop Services Client Access Licences
        • Tracking Per User Remote Desktop Services Client Access Licences
      • Installing Remote Desktop Web Access
        • Configuring RSS for advertising RemoteApps in Windows 7
      • Understanding Remote Desktop and Virtual Desktop Infrastructures
      • Scaling with Remote Desktop Services
    • Summary
  • Chapter 13: Balancing Flexibility and Security with Application Virtualization
    • Microsoft Application Virtualization 4.5 SP1 for Windows desktops
      • Isolating applications with SystemGuard
        • Deploying App-V
      • Creating a self-service system with App-V for standard users
        • Enforcing security descriptors
        • Emulating Application Programming Interface (API)
        • Solving App-V compatibility problems with shims
      • Sequencing an application for App-V
        • Installing the sequencer
        • Installing the client
      • Streaming applications with an App-V Server
        • Installing Microsoft System Center Application Virtualization Streaming Server
      • Deploying and managing applications for users who never connect to the corporate intranet
      • Updating applications and Differential Streaming
        • Active Update
        • Override URL
    • VMware ThinApp
    • Summary
  • Chapter 14: Deploying XP Mode VMs with MED-V
    • Solving least privilege security problems using virtual machines
      • Virtual PC and Windows 7 XP Mode
        • Differentiating between App-V and XP Mode
        • Setting up Windows 7 XP Mode
        • Launching applications installed in XP Mode from the Windows 7 Start menu
        • Security concerns when running XP Mode
    • Microsoft Enterprise Desktop Virtualization (MED-V)
      • Installing MED-V 1.0 SP1
        • Installing the Image Repository
        • Installing the MED-V Server component
        • Installing the MED-V Management Console
      • Preparing a virtual machine for use with MED-V
      • Working with the MED-V Management Console
        • Importing a VM for testing
        • Creating a usage policy
        • Testing the workspace and usage policy
        • Packing the VM for use with the MED-V Server
        • Uploading the VM image to the MED-V Server
        • Testing the uploaded VM image
    • Summary

Russell Smith

Russell Smith is an independent IT consultant who specializes in management and security of Microsoft-based IT systems. An MCSE with more than ten years experience, his recent projects include Active Directory Security Consultant for the UK Health Service National Programme for Information Technology (NPfIT) and Exchange Architect for Wipro Technologies.  Russell is a regular contributor to industry journals Windows IT Professional, Security Professional VIP, CDW's Biztech Magazine and a contributing author to Supporting and Troubleshooting Applications on a Microsoft Windows Vista Client for Enterprise Support Technicians from Microsoft's Official Academic Course (MOAC) series of books published by Wiley and Sons. Russell also has extensive experience as an IT trainer.

Submit Errata

Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.

Sample chapters

You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

Frequently bought together

Least Privilege Security for Windows 7, Vista and XP +    Oracle 11g R1 / R2 Real Application Clusters Handbook =
50% Off
the second eBook
Price for both: $65.60

Buy both these recommended eBooks together and get 50% off the cheapest eBook.

What you will learn from this book

  • Explore the principle of Least Privilege Security and implement it across different versions of Microsoft Windows
  • Overcome the most common technical challenges of implementing Least Privilege Security on the desktop
  • Apply Least Privilege Security to different categories of users and get buy-in from management
  • Identify any potential compatibility problems with Least Privilege Security and software installed on networked PCs using Microsoft's Application Compatibility Toolkit (ACT)
  • Prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings
  • Configure User Account Control on multiple computers using Group Policy
  • Modify incompatible applications and achieve the best balance between compatibility and security by using Application Compatibility shims
  • Deploy applications using Group Policy Software Installation (GPSI) and Windows Installer and create MSI wrappers for legacy setup programs
  • Install per-machine ActiveX Controls using the ActiveX Installer Service (AxIS)
  • Deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run and blacklist applications using SRP or AppLocker

Here is a brief summary of what each chapter covers:

Chapter 1: An Overview of Least Privilege Security in Microsoft Windows
Explore the principle of Least Privilege Security and implement it in different versions of Microsoft Windows. Control and change system privileges. Benefit from implementing Least Privilege Security on the desktop and overcome the most common technical and political problems and challenges when implementing Least Privilege Security.

Chapter 2: Political and Cultural Challenges for Least Privilege Security
Understand the reasons why users may not accept Least Privilege Security on the desktop. Clearly explain and justify the benefits of Least Privilege Security for your organization. Apply Least Privilege Security to different categories of users and get buy-in from management.

Chaper 3: Preparing Vista and Windows 7 for Least Privilege Security
Collect and analyze data to identify any potential compatibility problems with Least Privilege Security and software installed on networked PCs using Microsoft's Application Compatibility Toolkit (ACT). Analyze logon scripts for Least Privilege compatibility. Prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings.

Chapter 4: Least Privilege in Windows XP
Redeploy Windows XP with Least Privilege Security using the Microsoft Deployment Toolkit. Identify problems with applications caused by Least Privilege Security using the Application Compatibility Toolkit. Mitigate the problems and limitations users may face when running with a Least Privilege Security account. Handle ActiveX controls in Windows XP.

Chapter 5: User Account Control
Achieve a seamless user experience by using the different components and compatibility features of User Account Control. Configure User Account Control on multiple computers using Group Policy and understand the inner workings of User Account Control's core components.

Chapter 6: Supporting Users Running with Least-Privilege
Support Least-Privilege user accounts using reliable remote access. Connect to remote systems with administrative privileges using different techniques. Enable remote access using Group Policy and Windows Firewall.

Chapter 7:Microsoft Windows Application Compatibility Infrastructure
Modify incompatible applications on the fly and achieve the best balance between compatibility and security by using Application Compatibility shims. Create shims using Application Compatibility Toolkit 5.5 and distribute compatibility databases to devices across the enterprise.

Chapter 8: Software Distribution using Group Policy
Prepare to deploy applications using Group Policy Software Installation (GPSI) and Windows Installer. Repackage legacy setup programs in Windows Installer .msi format. Make GPSI more scalable and flexible using the Distributed File System (DFS). Target client computers using Windows Management Instrumentation (WMI) filters and Group Policy Scope of Management.

Chapter 9: Internet Explorer Add-on Management
Support per-user and per-machine ActiveX Controls and manage Internet Explorer add-ons via Group Policy. Install per-machine ActiveX Controls using the ActiveX Installer Service (AxIS). Implement best practices for working with ActiveX Controls in a managed environment.

Chapter 10: Software Restriction Policies and AppLocker
Deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run. Force an application to launch with standard user privileges even if the user is an administrator. Blacklist an application using SRP or AppLocker.

In Detail

Least Privilege Security is the practice of assigning users and programs the minimum permissions required to complete a given task. Implementing this principle in different versions of Microsoft Windows requires careful planning and a good understanding of Windows security. While there are benefits in implementing Least Privilege Security on the desktop, there are many technical challenges that you will face when restricting privileges.

This book contains detailed step-by-step instructions for implementing Least Privilege Security on the desktop for different versions of Windows and related management technologies. It will provide you with quick solutions for common technical challenges, Microsoft best practice advice, and techniques for managing Least Privilege on the desktop along with details on the impact of Least Privilege Security.

The book begins by showing you how to apply Least Privilege Security to different categories of users. You will then prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings. You will identify problems with applications caused by Least Privilege Security using the Application Compatibility Toolkit. This book will help you configure User Account Control on multiple computers using Group Policy and support Least Privilege user accounts using reliable remote access. Then, you will modify legacy applications for Least Privilege Security, achieving the best balance between compatibility and security by using Application Compatibility shims. You will install per-machine ActiveX Controls using the ActiveX Installer Service (AxIS). The book will help you implement best practices for working with ActiveX Controls in a managed environment. Finally, you will deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run and blacklist applications using SRP or AppLocker.

A practical handbook containing detailed step-by-step instructions for implementing Least Privilege Security on Windows systems

Approach

This practical handbook has detailed step-by-step instructions for implementing Least Privilege Security and related management technologies. It has solutions to the most common technical challenges and Microsoft best practice advice. It also covers techniques for managing Least Privilege on the desktop.

Who this book is for

This book is for System Administrators or desktop support staff who want to implement Least Privilege Security on Windows systems.

Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software