So there is this report the analysts around here like to reference when we are conducting assessments with clients. It’s the Microsoft Vulnerabilities Report from Avecto. One of the biggest takeaways from this report is that administrative rights are dangerous to the health and well-being of your network. In fact, according to their analysis of “Patch Tuesday” Security Bulletins, “97% of Critical Microsoft vulnerabilities would be mitigated by removing admin rights across an enterprise”.
And even beyond Microsoft concerns, misuse of administrative privileges is such an important issue that the CIS (Center for Internet Security) in their latest release of the Critical Security Controls moved it from 12th to 5th in order to make it a higher priority for organizations to address.
And why? The misuse of administrative privileges is a key way attackers are gaining access to our networks.
Now, if you could all but ensure you are protecting your network from clear and present danger, doesn’t it seem like a no-brainer to do so? Yet time and again, across industries and business sizes, we continue to hear how specific user types, whole departments, or even *gasp* ALL employees have local administrative privileges to their workstations (or more). And we hear all sorts of seemingly logical reasoning as to why. Today I’m going to shoot down those reasons.
Reason 1: My mobile users need admin rights so they can connect to wi-fi (or printers) when working remotely.
From a technology standpoint, it is true that once, years ago, it was next to impossible to give your sales team the ability to connect to any random hotel or client wi-fi hot spot when on the road unless they had local administrator rights. But today it is very easy to give non-admin users explicit rights to specific administrative tasks (like choosing a wi-fi connection or a printer) without giving them full administrative privileges. In fact, in Microsoft Windows 7 and newer, you have the ability to choose from preconfigured groups or create a Group Policy setting that addresses the needs of your mobile users.
And if you have requirements, like HIPAA, that you must comply with, you probably want to reconsider giving users the ability to print potentially sensitive information at home or somewhere else that you don’t control anyway.
Reason 2: My <insert department here> needs admin rights so they can run <insert legacy software>.
Even with legacy software applications, it’s rare that the software actually needs administrator rights; more likely, running as admin was simply the “easier” implementation route. The majority of applications that fail to run as a standard user fail because they are writing to an area of the registry or hard disk that admins normally have access to and other users do not. Use Process Monitor to find out where the application is being denied access, then use Group Policy to grant rights to those specific areas, and only to the users who run the software.
And, talk to the software company. They have a responsibility to put out software that addresses security as part of its functionality.
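As an added example (not from the original post), here is how the Process Monitor step above can be turned into a short list of containers to grant rights on: it summarises ACCESS DENIED rows from a Procmon CSV export by parent folder or registry key, so rights go to the narrowest location instead of the whole drive or hive. The application name, paths and sample rows are constructed for the illustration.

```powershell
# Added example (not from the original post): summarise a Process Monitor CSV export to find
# the file and registry locations a legacy application is denied when run as a standard user,
# so rights can be granted to just those containers (via Group Policy) instead of making the
# user an administrator. Column names match Procmon's default CSV export.
function Get-DeniedContainers {
    param([object[]]$Events, [string]$ProcessName)
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        ForEach-Object {
            $p = $_.Path
            # Registry paths in Procmon start with the hive abbreviation (HKLM\, HKCU\, ...)
            $kind = if ($p -match '^HK(LM|CU|CR|U|CC)\\') { 'Registry' } else { 'FileSystem' }
            # Narrowest container: the parent key/folder, never the root of the hive or drive
            $container = if ($p -match '^(.*)\\[^\\]+$') { $Matches[1] } else { $p }
            [pscustomobject]@{ Kind = $kind; Container = $container; Operation = $_.Operation }
        } |
        Group-Object Kind, Container |
        ForEach-Object {
            [pscustomobject]@{
                Kind       = $_.Group[0].Kind
                Container  = $_.Group[0].Container
                Denials    = $_.Count
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Denials -Descending
}

# Constructed sample rows (not a real capture) in Procmon's CSV layout; in practice use
# Import-Csv on an export already filtered to the application's process name.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:12.0000000 AM","LegacyApp.exe","4120","RegSetValue","HKLM\SOFTWARE\Vendor\LegacyApp\LastUser","ACCESS DENIED","Type: REG_SZ"
"9:01:12.0100000 AM","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\config\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:12.0200000 AM","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\logs\app.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:12.0300000 AM","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\logs\err.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:12.0400000 AM","LegacyApp.exe","4120","RegOpenKey","HKLM\SOFTWARE\Vendor\LegacyApp","SUCCESS","Desired Access: Read"
"9:01:13.0000000 AM","explorer.exe","1884","CreateFile","C:\Users\jdoe\Desktop\desktop.ini","SUCCESS","Desired Access: Read"
'@
$events = $sampleCsv | ConvertFrom-Csv
Get-DeniedContainers -Events $events -ProcessName 'LegacyApp.exe' | Format-Table -AutoSize
```

Grant Modify on only the listed containers to the group of users who run the application, and leave the folder holding the executables read-only for them; if the list includes the executable folder itself, that is a case to raise with the vendor rather than fix with permissions.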
Reason 3: My users have always had admin rights and taking it away would cause more trouble than it’s worth.
Giving users administrative privileges is not a statement on whether you trust them or not. And it’s not about users knowing (or not knowing) what they are doing. It’s about limiting their (and your organization’s) exposure to risk, plain and simple.
The question to ask here is really “Why do users think they need these privileges?”
If it’s about needing the ability to perform specific tasks, then #1 should address it. If it’s about issues running software, then #2 has you covered. If it’s about needing the ability to download software for personal use or “not bothering IT” to download software for work reasons, then you need to re-think what you are allowing users to do.
The heart of any solid Information Security Program is knowing what your assets are so you can best protect them. If you give users the ability to download software, you’ve lost key insight into one of your most important (and potentially most risky) assets. Not only do users run the risk of downloading malicious code with whatever application they are installing, but you lose visibility over what is running on your network. If you don’t know what’s running, you can’t patch it, which means your entire network is now more vulnerable.
It’s worth noting that software inventory ranks higher than administrative privileges on the Critical Security Controls list because it’s that important to know and manage what’s running on your network.
Reason 4: My executive team needs it because they own the company, run the company, etc.
This may not be as big an issue in larger organizations, but we see it quite frequently in SMBs. I’m going to try to address this as delicately as possible…
Your executive team does not need administrative access. (Unless, of course, they are actually administering the network.)
This goes back to #3 – the type of access granted does not correlate with how much the user is trusted or how smart they are. Attackers today are targeting IT and executives. They go after IT because these are, by the definition of their jobs, the users with all the access. And they go after executives because, while they are typically some of the smartest people in the room, they are often granted access beyond their job needs and aren’t as skilled in how to recognize or prevent an attack.
But, I realize for some this is an argument not easily won. And for those, I suggest you consider #5 for your executives…
Reason 5: My IT team needs it to do their day-to-day job.
Now that we’ve whittled down the number of users with administrative access to those who legitimately have a business need for it, we need to lock it down. Any user who has an admin account should also have a standard user account. They should use the standard user account for their day-to-day activities and only use the administrator account when required. Administrative accounts should be locked down to only the tasks required (e.g. if you are an email administrator, you likely don’t need administrative access to systems other than the email server), and all external network access should be removed from them (e.g. email and internet access).
By separating out the accounts and controlling what access each account has, you are requiring administrators to make an explicit decision to take an action using administrative privileges.
Monitor, Train and Continually Evaluate Your Risk
Administrative credentials are key targets of attackers looking to infiltrate and exploit a network. For the administrative accounts that remain after you take stock, make sure you are monitoring the activity related to them. Strong, centralized logging, monitoring and auditing of these credentials can provide early warning that nefarious activity is taking place.
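As an added example (not from the original post), this ties the account-separation rule in #5 to the monitoring advice above: it reads successful logon (4624) events from the Security log and reports, per admin account, how often it was used for interactive logons. An admin account with a high interactive share is being used as a daily-driver account rather than only when needed. The account names, the seven-day window and the sample records are assumptions.

```powershell
# Added example (not from the original post): report how the remaining admin accounts are
# actually being used, from Windows Security log 4624 (successful logon) events. Admin accounts
# that show up in interactive logons are being used as day-to-day accounts rather than only
# when needed. The account names, lookback window and sample records are assumptions.
$interactiveTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-AdminLogonRecords {
    param([string[]]$AdminAccounts, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $field['TargetUserName']
            LogonType   = [int]$field['LogonType']
            Workstation = $field['WorkstationName']
        }
    } | Where-Object { $AdminAccounts -contains $_.Account }
}

function Get-AdminUsageReport {
    param([object[]]$Records)
    $Records | Group-Object Account | ForEach-Object {
        $g = $_
        $interactive = @($g.Group | Where-Object { $interactiveTypes.ContainsKey($_.LogonType) })
        [pscustomobject]@{
            Account        = $g.Name
            Logons         = $g.Count
            Interactive    = $interactive.Count
            InteractivePct = [math]::Round(100 * $interactive.Count / $g.Count)
            Hosts          = ($g.Group.Workstation | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object InteractivePct -Descending
}

# Constructed sample records (not from a real log) so the report runs without Security log access
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Account = 'jdoe-adm'; LogonType = 2;  Workstation = 'WS-JDOE' }
    [pscustomobject]@{ Time = Get-Date; Account = 'jdoe-adm'; LogonType = 2;  Workstation = 'WS-JDOE' }
    [pscustomobject]@{ Time = Get-Date; Account = 'jdoe-adm'; LogonType = 3;  Workstation = 'WS-JDOE' }
    [pscustomobject]@{ Time = Get-Date; Account = 'mail-adm'; LogonType = 3;  Workstation = 'MAIL01' }
    [pscustomobject]@{ Time = Get-Date; Account = 'mail-adm'; LogonType = 10; Workstation = 'MAIL01' }
)
Get-AdminUsageReport -Records $sample | Format-Table -AutoSize
# Live use: Get-AdminUsageReport -Records (Get-AdminLogonRecords -AdminAccounts 'jdoe-adm','mail-adm')
```

Run the live form against a central log collector rather than each workstation, since the point of the monitoring above is a single place to see every admin logon; an admin account appearing on a workstation it has no business on is the early warning the text describes.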
Continue to communicate with and educate your users. When you implement a significant change like removing admin rights, make sure you are explaining the reasoning behind the change. It’s important that they understand a change in privileges is about protecting them (they can’t defend themselves against attacks they aren’t even aware of!). Your users are much more likely to support initiatives like this when they understand the reasoning behind it.
And continually educate your security team. Make sure they are staying current on threats, technology, and industry best practices. The threats are constantly evolving, and good technology is evolving too. If you aren’t doing so yet, conduct a risk assessment to see where you are most vulnerable. For those risks that can’t effectively be mitigated today, make time to re-evaluate them periodically for updates and advancements – like administrative access.
I encourage you to download the latest Critical Security Controls and take stock of your organization’s security posture against these top 20 controls.