According to a paper from the Center for Strategic and International Studies (CSIS), the vast majority of successful security breaches of corporate networks are made using basic techniques. By implementing just a small number of critical security controls you could remove 85 to 90% of threats. In previous articles I discussed the benefits of patching applications and operating systems, which cover two of the controls, and also covered the benefits and challenges surrounding application whitelisting, which covers a third critical security control. In this article I aim to cover a fourth critical control: removing administrative rights from the user base.
What I want to make clear here is that I am not talking about system administrators whose role is to keep the machines we need in order so that we can do our jobs. I’m talking about users like you or me who typically need a machine to research on the internet, create documents, send and receive emails, maybe create a presentation, then perhaps present it. None of these activities requires a level of access greater than that of a standard user; however, you’d be surprised how many users out there have full administrative rights to the machine that they use on a daily basis. Why is that a bad thing? Let me explain.
The typical Windows PC/Laptop/Tablet is a smooth running, slick piece of kit when the user takes possession of it initially. The vast majority of applications that the user needs are installed and things are great. But what is one of the first things that a user does after getting a new Windows device? They install the apps they want. Now, this in itself isn’t necessarily a bad thing, but it does illustrate a point.
Any application can be installed if the user has access to the installation media and, more importantly, the installer will run with administrative rights, i.e. with full access to whatever device it’s being installed onto.
If the application is from a reputable vendor, then that shouldn’t be a problem, but if the user is able to install whatever they want autonomously, how do you know that the applications being installed are not introducing unwanted and potentially dangerous additions to your environment? The truth is simple: you can’t.
By allowing the end user to install what they want, you are allowing them to install anything, which at some point could be applications containing malware, spyware, or worse. Any exploits that exist within the web browser of choice can be taken advantage of because the browser is running with the highest level of access to the system possible. Of course the vast majority of users won’t be deliberately doing anything wrong, they’re just installing the applications they want. The less desirable content is likely to be part of the download and installed without the knowledge of the user because the download has the rights it needs and has been designed to install silently.
A web browser with administrative rights is a risk to any corporate environment, and exploits in these types of applications give any would-be hacker a larger attack surface.
There are a number of other challenges that a user with administrative rights poses. A user that has administrative rights to a machine has the highest level of access possible, meaning the administrative user has the power to start and stop services, add and remove software, and generally make changes to the device even if the user doesn’t really know what they are doing.
I have spoken to a number of customers on this topic over the years and one thing rings true with each of them: they all understand that administrative users are a bad thing, however most openly admit they don’t actually know the scale of the problem. They know that they have unnecessary administrative users, but not how many exist in their environment, or who they are.
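One way to get a first answer to "how many, and who" on a single Windows machine is to list the members of the local Administrators group. This is an added example, not code from the article or from 1E; it uses the built-in `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 or later), and treating the built-in Administrator account and Domain Admins as expected members is an assumption to adjust to your own policy.

```powershell
# Added example: inventory who holds local administrator rights on this machine.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
# works regardless of the display language of the operating system.
$AdminGroupSid = 'S-1-5-32-544'

# Assumption: only the built-in Administrator (RID 500) and Domain Admins
# (RID 512) are expected members; everything else is flagged for review.
$ExpectedSidPattern = '^S-1-5-21-(\d+-){3}(500|512)$'

function Get-LocalAdminReport {
    try {
        $members = Get-LocalGroupMember -SID $AdminGroupSid -ErrorAction Stop
    } catch {
        # Enumeration can fail, for example when the group holds an orphaned SID.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        $sid = $m.SID.Value
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $m.Name
            Type     = $m.ObjectClass       # User or Group (groups are not expanded)
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, ...
            Sid      = $sid
            Review   = -not ($sid -match $ExpectedSidPattern)
        }
    }
}

function Test-CurrentSessionElevated {
    # True when this PowerShell process itself is running with admin rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$report = @(Get-LocalAdminReport)
$toReview = @($report | Where-Object Review)

"{0}: {1} member(s) in Administrators, {2} to review; session elevated: {3}" -f `
    $env:COMPUTERNAME, $report.Count, $toReview.Count, (Test-CurrentSessionElevated)

$report | Sort-Object Review -Descending | Format-Table Name, Type, Source, Review -AutoSize
```

Group members are listed but not expanded, so a domain group flagged for review still needs its own membership checked.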
This is where technologies from 1E such as the Security Benchmark and Shopping can empower you by providing the data that is needed to solve the problem and allowing the flexibility users need so that they can download the applications they need without adding risk to your environment. If you want to know more about how 1E can help you and to request a free trial of any of our solutions, please contact us at firstname.lastname@example.org.