In-Depth
A 3-Step, Least-Risk Approach to Securing Windows 7
A best-practices approach and advice for securing your Windows 7 environment.
By Mark Austin, CTO, Avecto
Many articles have been written discussing the risks posed by admin rights. This isn't another one of those articles. If you don't understand the risks, or (even worse) have decided to turn a blind eye, nothing in this article is going to help you. Instead, this article assumes you not only understand, but are ready to tackle the problem. If you're ready to create a 'least risk' Windows 7 desktop, let's get started.
The biggest challenge of Windows 7 is that it's all or nothing. You either have standard user rights or admin rights -- there's no middle ground, and it's virtually impossible to strike the perfect balance. The reality is that users with admin rights introduce unacceptable levels of risk, so however daunting, the first thing you must do is revoke admin rights from users.
Step 1: Revoke admin rights
This is probably easier said than done in the majority of organizations. Do you know which users have admin rights? Even if you think you do, I would hazard a guess that there are more privileged users within your enterprise than you are actually aware of. Most organizations bestow admin rights on a case-by-case basis, and often under pressure to solve a problem; they fail to maintain a perfect record and revoke every account when it is no longer needed.
Microsoft offers a tool that can help. Microsoft Baseline Security Analyzer (MBSA) highlights potential security risks on your endpoints. In addition to scanning the endpoints and identifying potential security risks that may need remediation, MBSA will determine if there are more than two local admin accounts on an endpoint -- a clear indicator that there are local admins on those devices that need to be revoked.
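Before you can revoke admin rights you need an inventory of who actually holds them. The script below is an added example (it is not from the article, MBSA or Avecto) that enumerates the local Administrators group on a list of Windows 7 endpoints and flags any member not on an approved list. It uses the ADSI WinNT provider, which is available on the PowerShell 2.0 that ships with Windows 7. The computer names, the approved list and the export path are placeholders for the example.

```powershell
# Added example (not from the article): inventory local Administrators group
# membership across endpoints and flag members that policy does not expect.
# Computer names, approved members and export path are placeholders.

$Computers = @('WS-FINANCE-01', 'WS-FINANCE-02')      # constructed sample names
$Approved  = @('Administrator', 'Domain Admins')       # members expected by policy

function Get-LocalAdmins {
    param([string]$Computer)
    # Bind to the local Administrators group via the WinNT provider (works on PS 2.0)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path  = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        # AdsPath looks like WinNT://DOMAIN/Name or WinNT://COMPUTER/Name;
        # the first segment tells you whether the member is local or domain-sourced
        $source = ($path -replace '^WinNT://', '') -split '/' | Select-Object -First 1
        New-Object PSObject -Property @{
            Computer = $Computer
            Member   = $name
            Source   = $source
            Type     = $class     # 'User' or 'Group'
        }
    }
}

$report = foreach ($c in $Computers) {
    try   { Get-LocalAdmins -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# Same heuristic MBSA applies: more than two local admin entries is a red flag
$report | Group-Object Computer | Where-Object { $_.Count -gt 2 } |
    ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) Administrators members" }

# Anything not on the approved list is a candidate for revocation (Step 1)
$unexpected = $report | Where-Object { $Approved -notcontains $_.Member }
$unexpected | Sort-Object Computer, Member |
    Format-Table Computer, Member, Source, Type -AutoSize

# Hand the list to whoever owns the change ticket
$unexpected | Export-Csv -Path 'C:\Temp\local-admins-to-review.csv' -NoTypeInformation
```

Run it from a workstation or server with an account that can read the remote SAM (a domain admin or a local admin on each target). Nested domain groups appear as a single Group entry; expand those in Active Directory separately, because a user placed in a nested group is just as much a local admin as one listed directly.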
Of course, if that were all that's needed, you'd be laughing and I'd be out of a job!
Revoking admin rights is just the tip of the iceberg. You must still face the ongoing problem of why you gave admin rights in the first place.
Step 2: Be forewarned (and thus forearmed)
You need to look at, and prepare for, what's driving the need for admin rights in your organization. By doing this you can develop strategies to overcome this ongoing requirement.
One place to start is to look at how you will fix problem applications in the future. Luckily, there are several approaches that you can use to tackle these issues:
--- Microsoft's Application Compatibility Toolkit (ACT) allows you to identify problems with particular applications and create shims (which alter the behavior of an application) to solve compatibility problems. ACT is not limited to fixing admin-related problems, but it does have a few shims that solve common admin-related issues in the file system and registry. It's not a fix for all programs, and it can be quite difficult and time-consuming to use, but it may give you some breathing room.
--- You can relax file and registry permissions, and I'm sure many readers are guilty of this, but it isn't something I would recommend, and certainly not to excess. I suggest using the free Process Monitor tool from Microsoft TechNet to identify file and registry access problems. However, by relaxing permissions on certain files and registry settings, you're weakening the security of the build. It's a bit like a knight taking his chain mail and cutting away sections so it doesn't chafe!
--- Virtualizing applications is a fairly common trend because of its many potential benefits. By virtualizing an application, you may find that a problem application can now run under a standard user account rather than requiring full admin rights. However, this should only be considered as part of a broader project to virtualize applications because it's a big undertaking. Again, don't expect it to solve all admin-related issues, but it may fix some problem applications due to the virtualization of file and registry operations.
--- Running Windows XP mode in Windows 7 is often considered a solution for compatibility problems that can't be solved any other way, as some applications simply won't run on Windows 7. The principle here is that although you're running Windows 7, you're also running a Windows XP operating system in a virtual machine that's hidden. Applications in the Windows XP environment can be integrated into the Windows 7 start menu. Any applications that are launched from Windows XP will appear on the Windows 7 desktop as seamless windows. However, there is a downside in that you're running another operating system, albeit in a virtual machine, so it will need antivirus, regular patching, and other endpoint security software that runs as part of your standard operating environment. Again, this is a big undertaking and should only be considered as a last resort; most applications that require admin rights on Windows 7 tend to require admin rights on Windows XP, too.
--- Task Scheduler can be used to automatically launch tasks to run under the system account. It is limited -- any applications that run this way will not have access to the user's context or profile settings. That said, it may be useful for privileged scripts that users need to run where there is no interaction with the user once the application has been launched.
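The Process Monitor advice above is only useful if you can turn a trace of thousands of events into the handful of paths an application is actually denied as a standard user. The script below is an added example (not from the article or from Sysinternals) that reads a trace saved from Procmon with File > Save as CSV, keeps the target process's ACCESS DENIED events, and summarises them per path and operation so you can see exactly which files and registry keys need a shim, a scoped permission change or virtualization rather than blanket admin rights. It assumes Procmon's default CSV columns; the trace text is constructed sample data and the process name is a placeholder.

```powershell
# Added example (not from the article): triage a Process Monitor CSV trace for
# the file and registry operations an application fails on as a standard user.
# Assumes Procmon's default CSV export columns. The trace below is constructed.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:01:12.1","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"09:01:12.2","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\LegacyApp\Settings","ACCESS DENIED","Desired Access: Write"
"09:01:12.3","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\LegacyApp\Settings","ACCESS DENIED","Desired Access: Write"
"09:01:12.4","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\log.txt","SUCCESS","Desired Access: Read"
"09:01:12.5","explorer.exe","1280","CreateFile","C:\Users\alice\Desktop","SUCCESS","Desired Access: Read"
"09:01:13.0","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\plugins\","NAME NOT FOUND","Desired Access: Read"
'@

$TargetProcess = 'legacyapp.exe'   # placeholder: the problem application under test

# Parse the trace. For a real capture replace this with:
#   $events = Import-Csv 'C:\Traces\legacyapp.csv'
$events = $sampleCsv | ConvertFrom-Csv

# Keep only the target process's denied operations, then collapse repeats per path
$denied = $events |
    Where-Object { $_.'Process Name' -eq $TargetProcess -and $_.Result -eq 'ACCESS DENIED' } |
    Group-Object Path, Operation |
    ForEach-Object {
        $first = $_.Group[0]
        # Registry paths in Procmon start with a hive prefix such as HKLM or HKCU
        if ($first.Path -match '^HK') { $kind = 'Registry' } else { $kind = 'File' }
        New-Object PSObject -Property @{
            Kind      = $kind
            Hits      = $_.Count
            Operation = $first.Operation
            Path      = $first.Path
            Access    = $first.Detail     # the access the app asked for, e.g. Generic Write
        }
    }

# One line per distinct path: this is the fix list for Step 2
$denied | Sort-Object Kind, Hits -Descending |
    Format-Table Kind, Hits, Operation, Path, Access -AutoSize
```

With the sample trace this yields two rows: a write to the HKLM\SOFTWARE\LegacyApp\Settings key (two hits) and a write to config.ini under Program Files. NAME NOT FOUND and SUCCESS results are deliberately left out; they are noise for this question. Each surviving row is a specific location to address (an ACT shim, a narrowly scoped ACL on that one path, or a virtualized file/registry layer), which is a far smaller change to the build than the author's chain-mail-cutting alternative of relaxing permissions broadly.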
Even having gone through the approaches outlined above, the likelihood is there will still be applications that are causing problems. It could be that you can't fix some applications, or it may be that it's too difficult. In many cases, the applications will simply require admin rights to run.
Step 3: Bring in reinforcements
There will always be tasks that users need to run that can't be fixed without granting admin rights. However, as soon as you start temporarily granting admin rights, even to just one person, you're on a slippery slope back to the start of this article. Alternatively, technology could provide the answer.
Solutions are available that allow you to set up all your users with standard user accounts and elevate the individual applications and tasks that a user needs to perform their day-to-day role. If you do decide to explore this route, you will need to consider how the solution is controlled and managed. For example, you will want a technology that is centrally managed -- a solution that integrates seamlessly into Active Directory Group Policy provides a scalable, hierarchical, policy-based solution with delegated administration.
A strong end-user experience is also crucial when removing admin rights, so the technology should provide a flexible and fully customizable messaging capability. Clear communication can reduce or eliminate help desk calls and encourage user acceptance.
An additional benefit of using technology is in its ability to provide detailed audit trails, and if required, application forensics, so you can understand the behavior of privileged applications. This is especially relevant for compliance.
Time to Get Started
It's not going to be easy, but with a little determination, you can create the perfect balance between security and functionality -- standard users that are able to securely access the tools and applications they need. Are you ready to take on the challenge and create a least-risk Windows 7 desktop?
Mark Austin is co-founder and CTO of Windows privilege management specialist Avecto, providing the company's technical strategy and leading its R&D activities. With over 20 years in the software industry, Mark has a wealth of experience in architecting and delivering enterprise-class software products.
Prior to starting Avecto, Mark was CTO of AppSense, where he was responsible for the company's technical vision, and grew the company to a global leader in user environment management.
Mark holds an Honors degree in Applied Computing and has a software engineering background in real-time computing, artificial intelligence, and systems programming. You can contact the author at info@avecto.com.