Q&A: How BeyondTrust Addresses Windows Security
Earlier this month, BeyondTrust released a report on security threats to IT shops running Microsoft software. The report, "Reducing the Threat from Microsoft Vulnerabilities
" analyzed 80 security bulletins that Microsoft published in 2008, addressing 150 vulnerabilities.
The independent IT security software vendor arrived at a startling conclusion: switching off the administrative rights of non-core enterprise users would effectively mitigate 92 percent of "critical" Microsoft vulnerabilities. Moreover, doing so would eliminate 69 percent of last year's published vulnerabilities as a whole.
While there's nothing new about controlling user access in a Windows environment, how should IT pros implement such a plan? I chatted last week with BeyondTrust's CEO John Moyer to answer such questions. It should be noted that BeyondTrust sells its own solution, called Privilege Manager, that addresses this administrative rights issue.
Q: You say that 92 percent of last year's critical vulnerabilities in Windows programs and services could be mitigated by simply removing administrative rights from enterprise users who don't need them. Can you explain how you came up with that finding?
John Moyer: Our findings are based on all vulnerabilities documented in Microsoft's Security Bulletins during 2008. For each vulnerability, Microsoft lists mitigating factors that could reduce the severity of an exploitation. We examined all vulnerabilities that listed configuring users to operate without administrator rights as a mitigating factor and were surprised to find it in the vast majority of vulnerabilities.
What does the procedure of removing these access privileges look like at a given enterprise? What are the most common steps companies can take?
Prior to removing admin rights, an enterprise first needs to identify the activities employees need to do that require admin privileges. These activities could include running certain applications, self-managing certain system settings, installing software or ActiveX controls. A company needs to have a plan in place to address these user needs.
Second, a company should identify a pilot group who would be the first employees to no longer log in as administrators. This will allow the IT staff to ensure that they have put into place the correct measures to ensure that user productivity will not be affected. Finally, a company must communicate with all employees in the enterprise about the changes that are going to be made. Explaining to employees that the new changes are being put in place to improve security and reduce malware while not impacting productivity will mollify deployment concerns.
How does this assertion of turning off admin privileges hold up with different Windows operating systems versions?
In Windows NT, Microsoft introduced the possibility that users could be administrators or standard users. This is also true for every Windows OS since then. The basic issues are the same for all of these operating systems. When users log in with administrator rights, these rights can be leveraged by malware or malicious users to do more harm. With administrator rights, you have complete control over the computer. This is the same no matter what OS you are running. There have been some small changes regarding which system settings require administrator privileges from OS to OS, but the biggest issue of applications requiring administrator privileges to run and install remains the same.
When you eliminate admin rights, you can't simply tell an employee that they can no longer use an application that is critical for the job. If an enterprise has not properly planned a mechanism to allow users to continue to do the work they need to do, there will be complaints. The good news is that there are solutions to allow standard users to continue to run the applications, system tasks and ActiveX controls they need for their jobs.
Would you say such a strategy works better for large or small businesses? In small businesses, there isn't always a lot of flexibility in restricting privileges or separating duties or access.
The strategy of removing admin rights to improve security and reduce IT labor costs will work for both large and small businesses. We do find, however, that organizations with more than 250 users benefit the most. These organizations tend to have a more centralized management system. In smaller businesses, especially those that are not in a managed network, individual users are often more responsible for the maintenance of their own systems.
What do you say to an enterprise manager who says, 'You know, I already have satisfactory segregation of duties, between programmers, developers and the help desk. Plus my sensitive data is already behind a pretty good firewall and it's encrypted. Why do I need to cut off most of my users?'
First, we would point out that if an enterprise removes administrator rights and puts into place a solution to allow standard users to still do authorized activities that require administrator privileges, then no one will be cut off.
Second, ensuring that users are not logging in as an administrator is the cornerstone to a good defense-in-depth strategy. There will always be new or unpatched vulnerabilities and companies need to reduce their risk of exposure to any exploits. Additionally, removing admin rights will lower your IT labor cost as there will be less malware and employees will no longer be able to make unauthorized changes to a standard desktop image.
Is there a way you can have the best of both worlds and piecemeal this type of deployment or is it an all or nothing access control program that you advocate in terms of who should have what privilege?
Yes, there is a way to have the best of both worlds. Until [our] Privilege Manager was introduced in 2005, the only way to answer end-user needs to run applications that require administrator privileges was to make each user a member of the administrator's group and provide them with administrator rights. Companies faced a difficult catch-22 situation that required them to choose between productivity and security.
[BeyondTrust's] Privilege Manager solves this dilemma by allowing network administrators to attach permission levels to Windows applications and processes. This enables a least-privilege environment in which end users run all authorized applications, processes and ActiveX controls without administrator rights. Companies can create rules in group policy that give them the flexibility to define what a standard user should be able to do with administrative privileges, allowing them to discretely control when administrative privileges can be used by different groups of users.