Q&A: Administrator Rights and Enhanced Security
Administrator rights let users do everything on a system, but these rights are also the target of malware and other vulnerabilities.
Administrator rights let users do everything on a system. Unfortunately for security administrators, that's a huge problem. Malware and other vulnerabilities exploit this "do anything" ability, so turning off these rights may be good policy for your enterprise. Will users complain? Will turning off these rights hamper their ability to get their work done?
For answers we turned to John Moyer, CEO and president of BeyondTrust, a firm whose product enables the security best practice of Least Privilege in Windows environments.
Enterprise Systems: When it comes to security, what is the difference between an administrator and a standard user?
John Moyer: When users log into a Windows computer, they can either log in with administrator rights or standard user rights. The main difference is that with administrator rights, a user has complete control over the computer. With administrator rights, a user can install any software or change any security setting they wish. A standard user is granted no special privileges and does not have administrative control over the computer.
According to the security best practice of Least Privilege, users should only have the privileges necessary to perform their job. Every time a user is granted privileges that go beyond what is required for a specific task, the system is put at risk. In a Windows Least Privilege environment, end users are not entitled to local administrator rights.
How does removing administrator rights from employees enhance a company’s security? Is doing so cost-effective?
End users’ administrator rights can be used by unauthorized users, hackers, and malware to compromise computer systems. For example, administrator rights can be used to alter a standard desktop image, change security settings, or install unauthorized software. Most malware and spyware requires administrator rights in order to install.
By removing administrator rights from users and granting only the minimum privileges necessary for the performance of an authorized task, a company can limit the damage that can result from a security breach or malicious user.
Removing administrator rights from employees not only improves security, but also results in significant cost savings. In fact, a recent Gartner report, Organizations That Unlock PCs Unnecessarily Will Face High Costs, found that by removing administrator rights from users on a well managed desktop, organizations will reduce the total cost of ownership per desktop by more than $1200.
By removing these rights, won't this impede some of the user's work (such as their ability to delete files)? Don't you encourage some users to try to find workarounds?
If an enterprise removes administrator rights and has not properly planned a mechanism to allow users to continue to do the work they need to do, there will be complaints, and it will require the IT staff to spend a lot of time addressing the problems that arise.
There is good news; solutions currently exist, such as BeyondTrust Privilege Manager, that allow standard users to continue to run the applications, system tasks, and ActiveX controls they need for their jobs. This creates a secure environment without interrupting a user’s work.
Does removing administrator rights work best for a particular size of business? Isn't this strategy more difficult to implement because in a small business, employees wear many different hats and have varying responsibilities?
The strategy of removing administrator rights to improve security and reduce IT labor costs will work for large and small businesses alike. We do find, however, that organizations with more than 100 users benefit the most. These organizations tend to have a more centralized management system. In smaller businesses, especially those that are not in a managed network, individual users are often more responsible for the maintenance of their own systems.
What gets in the way of removing these rights? In other words, if this is such a beneficial strategy, why haven't more IT shops done it? Is it such a difficult task?
Users with administrator rights have long been considered the Achilles heel of desktop security. Everyone understands that these rights are exploited by malware and malicious users, and enterprises would be more secure if all users were standard users. However, there is still a need to allow users to run applications that require administrator rights. Users also still need to self-manage some system settings and install software and ActiveX controls. Until BeyondTrust Privilege Manager was introduced, the only way to answer these user needs was to provide them with full administrator rights.
How do administrator rights factor into compliance with industry regulations?
Compliance with regulatory mandates, such as the Federal Desktop Core Configuration (FDCC), SOX, HIPAA, and PCI, is increasing the drive for both desktop security and standardization. These mandates, as well as many IT audits, require the removal of administrator rights from end-users.
Administrator rights pose a significant security threat to organizations by exposing computers to malware and malicious users, and they prevent organizations from preserving a secure standard desktop configuration. As of February 2008, all federal agencies must now comply with standard Windows XP and Vista security configurations based on the FDCC mandate from the U.S. government. The mandate requires agencies to restrict administrator rights on all PCs in order to maintain the standard configurations, since it is impossible to control how users configure their computers when they have administrative privileges.
What does the procedure of removing these access privileges look like at a given enterprise? How does this differ from what it used to be like?
Companies can use Group Policy to remove administrator rights and ensure all users are configured as standard users.
However, prior to removing administrator rights from all users, an enterprise must identify the software employees need to install and run for their jobs that also require administrative privileges. A company needs to have a plan in place to address these user needs.
The second step for an enterprise is to create a pilot group composed of the first employees to no longer log in as administrators. This will allow the IT staff to better understand what users need to do with administrative privileges and ensure that user productivity will not be affected.
In the past, there were few tools available to help companies discover what activities require administrative privileges and there was no solution to allow a standard user to continue to perform these activities. As a result, when users had their administrator rights removed, they found they were unable to do aspects of their jobs and became less productive. Today, companies can use tools, such as my company’s BeyondTrust Privilege Manager, to discover the activities that require administrative privileges and to allow a standard user to continue to perform them for their job.
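The "identify who currently holds administrator rights" step described above, as an added example that is not part of the interview and not BeyondTrust's product code: a PowerShell audit of the local Administrators group against a hypothetical approved list, plus a check of whether the current session itself is elevated. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the approved-list entries are placeholders.

```powershell
# Added example, not from the interview: inventory the local Administrators group
# and flag principals outside an approved list, as input to the pilot-group step
# before standard-user enforcement via Group Policy (e.g. Restricted Groups).

# Hypothetical approved list: the built-in local Administrator account and a
# placeholder domain group. Anything else is a candidate for the pilot group.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\Workstation Admins"   # placeholder domain group name
)

function Get-LocalAdminAudit {
    param([string[]]$Approved = $ApprovedAdmins)

    # Get-LocalGroupMember returns Name as "MACHINE\User" or "DOMAIN\Group"
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Name     = $m.Name
            Type     = $m.ObjectClass        # User or Group
            Source   = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, ...
            Approved = ($Approved -contains $m.Name)   # case-insensitive match
        }
    }
}

# Does the current session's token carry the built-in Administrators role?
function Test-CurrentUserIsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize

$unexpected = @($audit | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} principal(s) hold local admin rights outside the approved list: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
} else {
    Write-Output "Local Administrators membership matches the approved list."
}

Write-Output ("Current session elevated: {0}" -f (Test-CurrentUserIsAdmin))
```

Run it on each pilot-group machine before the Group Policy change to record who would lose rights; the warning list is the set of accounts whose administrative tasks still need a planned alternative.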
How does this assertion of turning off admin privileges hold up with different Windows operating system versions? You have Windows 2000, some even still use Windows NT, Windows XP, and, in some cases, Vista.
In Windows NT, Microsoft introduced the possibility that users could be administrators or standard users. This is also true for every Windows OS since then. The basic issues are the same for all of these operating systems. When users log in with administrator rights, these rights can be leveraged by malware or malicious users to take complete control over the computer.
There have been some small changes regarding which system settings require administrator privileges from OS to OS, but the biggest issue of applications requiring administrator privileges to run and install remains the same.
BeyondTrust released a report a few months ago that stated that 92 percent of all critical Microsoft vulnerabilities (those reported in 2008) could be mitigated by removing administrator rights. What type of vulnerabilities did this include?
Our findings were based on all vulnerabilities documented in Microsoft’s Security Bulletins during 2008. For each vulnerability, Microsoft lists mitigating factors that could reduce the severity of an exploitation. We examined all vulnerabilities that listed configuring users to operate without administrator rights as a mitigating factor and were surprised to find it in the overwhelming majority of vulnerabilities.
What products or services does BeyondTrust offer when it comes to setting user rights?
BeyondTrust Privilege Manager enables organizations to remove administrator rights and still allow users to run all required Windows applications, processes and ActiveX controls. Until BeyondTrust Privilege Manager was introduced in 2005, the only way to allow users to run applications that require administrative privileges was to make each user a member of the administrators group, thus providing them with administrator rights. This forced companies to face a difficult "Catch-22" situation that required them to choose between productivity and security.
Privilege Manager solves this dilemma by allowing network administrators to attach permission levels to Windows applications and processes. This enables a Least Privilege environment in which end-users run all authorized applications, processes and ActiveX controls without administrator rights. Companies can create rules in Group Policy that give them the flexibility to define what a standard user should be able to do with administrative privileges, allowing them to discretely control which administrative privileges can be used by different groups of users.