In-Depth

Removing Admin Rights Dramatically Cuts Vulnerabilities, Study Finds

One of the biggest threats facing your organization is already installed on your desktops: admin rights for end users

• By Stephen Swoyer
• 02/10/2009

A new report suggests that one of the biggest threats facing your organization is already installed on your desktops -- in the form of end users armed with (needless) “Administrator” rights.

The situation persists in spite of all common sense -- and established best practices. The bulk of Microsoft’s critical vulnerability reports, for example, advise IT pros to lock down user accounts in order to mitigate the effects of critical vulnerabilities. Mainframe professionals say the simplicity of the Big Iron security model is one of the chief reasons their systems are more secure than others. In the Big Iron model, all permissions are explicitly denied by default. If a permission or right isn’t explicitly specified, a user can’t perform it.

The opposite is the case in Windows environments. In the Windows world, even more than in the Unix and Linux worlds, where there’s considerably more resistance to parceling out (much less logging in under) root or su accounts, administrator accounts are nearly all-powerful. They’re just about all-pervasive, too, according to a new report from security vendor BeyondTrust Corp.

According to BeyondTrust’s study, simply taking administrator rights away from end users would have mitigated more than two-thirds of all of the security vulnerabilities Microsoft disclosed last year. The upshot, BeyondTrust says, is that by configuring user accounts with restricted privileges, shops can help protect against malware or zero-day threats.

“[B]y removing administrator rights, companies will harden their endpoint security against the exploitation of 94 percent of Microsoft Office, 89 percent of Internet Explorer, and 53 percent of Microsoft Windows vulnerabilities,” the report says. “Of the total published vulnerabilities, 69 percent are mitigated by removing administrator rights.”

The overwhelming majority (87 percent) of the most serious threats -- i.e., remote code execution exploits -- could be severely constrained, albeit not eliminated entirely, by reining in administrator-level account privileges, BeyondTrust argues. For example, of the 119 remote code execution vulnerabilities Microsoft published last year, just 13 percent didn’t rely on administrator-level usage rights.

As additional proof, BeyondTrust cites TCO research from Gartner Inc. to clinch its case. “The Gartner TCO model shows a significant reduction in TCO between a managed desktop where the user is an administrator, compared with a desktop where the user is a standard user. Among the most remarkable observations is that the model shows a 24 percent decrease in the amount of IT labor needed for technical support,” write analysts Michael Silver and Ronni Colville in Gartner’s “Organizations That Unlock PCs Unnecessarily Will Face High Costs” report, published in December of last year.