A Case for Removing Local Administrative Rights
Inappropriate user privilege levels are a significant cause of security breaches in many organizations. By granting users rights beyond what they need to do their job, users can introduce malware, cause data loss, perform actions contrary to organization policy and create or allow security breaches. The standard Windows assignment of administrative rights isn’t at all granular, so you either allow a user full rights or no rights at all. Either way this causes problems for network and security managers. One significant solution to this problem is to implement software that provides flexible, granular control over user privileges while also providing greater insight into the operations of the network.
The single greatest security threat to any enterprise comes from the people who use the computers and other devices in that enterprise. It’s the users who display their passwords on sticky notes, surf to Web pages containing malware, run programs they download from the Internet, insert unknown USB thumb drives, and open e-mail attachments they shouldn’t. While training users to avoid doing things that create security problems may reduce problems, it’s hard to prevent problems as long as users have full administrative rights to the computers they use.
The problem with administrative rights for Windows users is exacerbated by the fact that Windows installs with full admin rights turned on by default. While it’s easy to create a non-administrative user when you first install Windows, or to create a non-admin user after the fact, doing so presents several problems. This is especially the case with Windows XP, which is still in very wide use in many enterprises. With Windows XP, it’s an all-or-nothing situation. Without admin rights, a user can’t even do something as basic as installing a new printer.
Worse, when a Windows XP user is on travel, managing wireless connections is problematic, and making changes on the road (such as performing Windows Updates) without IT support is impossible. These limitations can impact productivity, and they have their own consequences: non-updated computers in an unprotected environment present an open invitation to malware.
Of course, there are solutions. Upgrading machines to Windows 7 provides a more flexible user environment through UAC (User Account Control) settings, and allows tasks like printer installation to be accomplished by non-administrative users. But even there, changing a user from having admin rights to having only user-level rights can impact morale as users discover that they can’t do things they once could.
The Impact on IT
A primary reason for the proliferation of users with full admin rights is that the IT staff doesn’t have any effective means of providing support for routine actions frequently carried out by users. These actions include minor tasks such as installing printers or connecting with network devices as well as tasks such as installing software. If a user doesn’t have admin rights, then the IT staff must have physical access to the machine to provide support for some routine functions.
Unfortunately, giving admin rights to users may free up the IT support staff for some tasks, but those same rights give users the ability to act when they shouldn’t. For example, the vast majority of malware, including most worms and Trojans, must be installed on a computer before it can function. Usually when this happens, the install dialog appears to be something innocent, and the user, not knowing better, allows the malware to install itself. This happens easily when the user is already logged in with admin rights, but it can also happen if the user knows the admin password for the computer in use.
The problem is that Microsoft Windows based computers, as they are usually delivered, violate the principle of “Least Privilege” which was first defined by the US Department of Defense in Directive Number 5200.28 in the mid-1970s, and updated in 1988 to take personal computers into account. While Least Privilege applies specifically to the information that the user needs to know to perform their job, the concept also applies to the actions a user is allowed to take on their computer: those needed to perform their job, but no more.
Rather than allowing the administrator to configure a computer with exactly the rights that a user needs, Windows presents what is basically an all-or-nothing approach. The person operating the computer either has full administrative rights, or they have minimal user rights that restrict them from performing even some routine day-to-day functions. As mentioned previously, until Microsoft changed the user functions, users couldn’t even add a printer without administrator rights. The same is true with ActiveX controls and a number of other functions.
In most organizations, the IT department is faced with a dilemma. They must either support users in performing functions that the users are capable of performing for themselves, and that involve no security risk, or they must give the users full administrative rights that let them do anything they wish on their computers, including installing software that may not be compatible with the existing security profile of the organization.
There is a middle ground of sorts, which is to set users up with restricted rights, but to disclose the administrative password to them. This at least provides a level of warning before users perform a task that is potentially a security risk because they must enter the admin password for the machine. However, this assumes that the user has sufficient training and knowledge to make a decision about the administrative action being requested, and that the administrative action is not clothed in a misleading interface (as is frequently the case with malware). It also assumes that the user is paying attention to what’s being presented on their screen, and that’s not always a safe assumption.
Strategies for Protecting the User Environment
The problems created by the non-granular user rights are subject to several work-arounds. The easiest to implement is to isolate the network from potential threats. You can, for example, use your firewall to block access to potentially risky Web sites, activities or Web-based applications. If you have a firewall with the necessary capabilities, you can also screen for malware or prohibited applications. While this will protect computers that are within your firewall as well as computers connected via VPNs, it will do nothing to protect computers in use outside the protected perimeter of your network, such as when your employees travel or when they use their laptop computers at home.
Unfortunately, users take their computers out of the protective perimeter of the enterprise, and in most companies, the firewall can’t block all potential problems. For example, you can’t set a firewall to block Port 80 if your employees need access to anything on the Internet that involves a Web page, which nearly everything on the Internet does. But Port 80 is also the favored pathway for malware, either in conjunction with a Web page or as an attempted penetration path in its own right, simply because almost no one blocks it. The same is true for other commonly used ports that provide access to e-mail, FTP or other services that employees may be required to use. While a firewall with appropriately configured packet inspection can block malware that attempts to pass through it, not all malware will set off alarms, either because the payload is downloaded in pieces and assembled later, or because the download may consist solely of an installer that is then launched with user permission, assuming the user has administrative rights or can provide the admin password.
While simply locking down employee computers, or blocking all executable files (including files with .MSI extensions), would limit the problem of malware, it would also prevent necessary updates: browser updates for Firefox, driver updates for a wide variety of products including video cards and printers, Adobe and Java updates, and updates for other software, especially where the update process installs a fresh copy of the application or driver, or where a fresh installer initiates the update.
Making matters worse, some locally written or custom applications require admin rights. While this practice violates a wide variety of security principles, it still persists, either because the application is not or cannot be updated, or because the process of writing an application that does not require admin rights is harder to accomplish, and thus costs more. While it is possible in some cases to run these applications in the Windows XP virtual environment in Windows 7, this doesn’t always work.
Beyond the All-or-Nothing Approach
Fortunately, there’s a way out of the dilemma posed by the Windows all-or-nothing approach to administrative rights. Privilege Management applications, such as those offered by Viewfinity, provide highly granular control over the actions that users can take on their computers. The primary focus of such applications is to control exactly when and under what circumstances a user may have the ability to perform a function that would ordinarily require administrative rights.
In addition, Privilege Management gives the network management team the ability to deny some applications to users, even when they would normally be allowed under the most restrictive settings offered by Windows. You can, for example, prevent the use of game software even if the game software was delivered with Windows and doesn’t require administrative rights to use. But such software goes far beyond simply permitting or preventing the use of certain classes of applications. Network managers can prohibit or enable specific applications and toolbars on a case-by-case basis.
Flexibility is a key feature in such applications. For example, if a user has a requirement for access to an application or function that would normally not be allowed, the administrator has the ability to enable that function or application once or on a permanent basis. For instance, the installation of an updated mouse driver for a user’s computer might normally require administrative rights; however, the network manager can decide to allow specific users (or all users, for that matter) the ability to upgrade their mouse drivers on their own.
One important capability that needs to exist with Privilege Management applications is that the settings persist even when the computer is not connected to the network. This means that you can deny workers the ability to perform prohibited actions regardless of whether they’re on travel or in the office. Administrators also have the ability to elevate some rights when a computer is mobile, so changes to network settings could be allowed, for example, when a user has a portable computer on travel.
Perhaps one of the most useful capabilities of Privilege Management software comes from its reporting capabilities. Normally it’s nearly impossible for a network manager to determine which users have administrative rights without visiting each machine and checking. With PM software, you only need to request a list of every computer on the network and look at the status of each machine. The administrator can see at a glance what version of Windows is installed, what applications are installed on each machine, what the type of the machine is and whether or not administrative rights are enabled.
To be effective, Privilege Management software needs to be aware of the devices that inhabit the network, and of those devices, which are Windows computers for which Privilege Management is available, and which are other computers or devices that may be managed by other means. You can use Active Directory to report on Windows computers, for example, and with Viewfinity Privilege Management the reporting on Windows machines is full and complete. However, additional discovery processes are available that can give a different view of the network, and these can turn up non-computer network devices such as printers, routers, and reporting systems such as those found in some types of power supplies or environmental management equipment.
Using Viewfinity’s Privilege Management
Viewfinity Privilege Management offers three flexible delivery methods. It can be implemented through its SaaS/Cloud platform, via a company’s on-premise servers as a private cloud, or as an extension to Group Policy, enabling policies to be managed through the standard Group Policy Management tools. The SaaS/cloud-based application has the advantage of updating automatically as the company develops improvements. All types of the Viewfinity application require that user computers have a Viewfinity Agent installed.
The Viewfinity agent works with Windows XP and newer versions of Windows, although Windows 7 will provide more granular management and greater security and stability. You can install the Agent remotely for computers on an existing network, although most implementations install the Viewfinity agent as part of the system image using Microsoft System Center Configuration Manager (SCCM) when machines are updated or added.
The easiest way to implement Viewfinity and to control administrative rights on an enterprise network, especially on a large network, is to implement the changes during an operating system refresh. For example, when an organization updates its environment from Windows XP to Windows 7, or when the organization performs a hardware refresh with machines that are delivered with Windows 7, the deployment offers the opportunity to set appropriate administrative rights and to install the Viewfinity agent. However, you can implement Viewfinity on any network using Windows machines, regardless of whether Active Directory is in place.
The cloud-based Viewfinity application, which was used in this example, requires only that the network manager have obtained a Viewfinity license and login information. Once logged in, the administrator is presented with a Privilege Management icon, as well as a link to a free local admin discovery tool. The local admin discovery tool can be used by anyone, regardless of whether they’re a Viewfinity customer, to determine whether they have computers with admin rights on their network that shouldn’t have such rights, and it offers remediation capabilities to remove users or suspicious groups from the Administrators group.
To start using the Viewfinity Privilege Management software, click on the Privilege Management icon. This will take you to a summary screen which probably won’t show a lot unless you’ve pre-installed Viewfinity agents. If you have, then you’ll see the number and other details about the computers on your network, a summary of the policies you have set, and policy events, if any.
Overview/summary of computers and policies
By clicking on the link to the My Computers page, you’ll get a list of all of the computers that have been discovered by the Viewfinity application. However to perform the discovery, you’ll click on the “Deploy Agents” tab and then on the “Deploy Agents” link. Click on the “Start a New Discovery” button, and fill in the required information, including what computer on your network will actually perform the scan. You can scan using an IP range, Windows browsing, Active Directory, or you can simply add computers manually.
The Computers tab includes a Dashboard display in which you can choose graphical representations of relevant data for your network. Once chosen, you can see anything from the hardware configuration on your computers to policy usage. You can also choose the number of graphical displays you want to see and how you want them arranged. The idea is to provide your network’s status at a glance, including its policy status.
Customizable dashboard of operations and status of company policies and assets
Once the discovery is complete, you can choose to install agents on your Windows computers. You accomplish this by checking a box next to the computer IP address and then clicking the “Install” button on the lower right corner of the screen. Depending on the number of computers involved, the install process may take several minutes.
You also have the option of downloading the agent installation package for manual installation on a machine, or of e-mailing the installation software link. This same menu includes the link to upgrade Agent software.
Once you have the Viewfinity Agent installed, your Windows computers should show up on the My Computers page.
Clicking the name of each one will reveal the details of that computer, similar to what you’d see if you ran the System Information utility that comes with Windows.
Other features from the tabs on the left of the Viewfinity screen include the Control Center, a central point for monitoring and auditing your server and desktop system events and compliance policies and rules. From here, you can simultaneously view the screens of each computer with a Viewfinity Agent installed. Through remote desktop preview panes, administrators may monitor groups of servers and desktops in real time, review system events, and take actions on a selected host.
One of the most important tasks you should do is check to see how many of the computers on your network have extra local administrators. When you open the Computers tab and click on the Reports link, you’ll get a complete list of all the reports that can be generated by the Viewfinity manager. Under “Users in Local Groups Reports” there’s a link to “Users in Local Administrators Group,” which will show you all of the computers with local administrators still enabled. On a network using Viewfinity for the first time, this could be nearly everyone. These are the accounts you need to change.
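As an added example (not Viewfinity’s code or tooling), the following PowerShell script performs the same check as the “Users in Local Administrators Group” report: it enumerates the local Administrators group on each listed computer through the ADSI WinNT provider and flags members outside an expected baseline. The computer names and the allowlist are constructed assumptions, and it must run as an account with administrative rights on the target machines.

```powershell
# Added example: find unexpected members of the local Administrators group.
# Assumes the running account is an administrator on each target and that the
# WinNT provider (NetBIOS/SMB) can reach the hosts. Host names are constructed.
$computers = @('PC-ALPHA', 'PC-BRAVO')

# Assumed baseline of accounts that are allowed to be local administrators.
$allowed = @('Administrator', 'Domain Admins')

$findings = foreach ($computer in $computers) {
    try {
        # Bind to the local Administrators group on the remote machine.
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.Invoke('Members'))

        foreach ($member in $members) {
            # Each member is a COM object; read its properties via reflection.
            $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
            $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
            $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

            [pscustomobject]@{
                Computer   = $computer
                Member     = $name
                Class      = $class            # 'User' or 'Group'
                Path       = $path             # shows whether it is local or domain
                Unexpected = -not ($allowed -contains $name)
            }
        }
    }
    catch {
        # An unreachable host is itself worth knowing about, so report it.
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
    }
}

# Report only the members that fall outside the baseline, one row per account.
$findings |
    Where-Object { $_.Unexpected } |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, Class, Path -AutoSize
```

Nested groups are reported by their group name only; expand any unexpected group separately before deciding what to remove.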
You can also control these computers remotely from the My Computers screen by highlighting a computer on the list and clicking on the Computer pull down menu. One of the choices under the Computer menu is Remote Terminal. This will allow you to perform actions on a computer when the user isn’t present, including initiating a reboot.
List of all computers with local administrators still enabled
The heart of the Viewfinity application is in the Policies tab. Here you can see which applications are installed on your network computers and how many computers each is installed on. You can implement policies using the policy automation tab. The “Policy” pull down menu at the top of the screen lets you create policies. Note that the Policies tab also contains a link that will let you record a video of user actions on any machine that has the Viewfinity Agent installed. You can also use the Policy feature to block applications, so if a user has a peer to peer movie downloading package already installed, for example, you can prevent it from operating.
One of the most important functions of the Policies tab is the ability to determine what applications require the use of administrative rights.
Discovered list of applications requiring elevated permissions
Normally such rights are required when you install new software or perform system level functions such as disk defragmentation. By telling Viewfinity to track what applications are requesting policy elevation, you can establish your policies accordingly, allowing standard users to accomplish tasks such as disk defragmentation without having administrator rights.
Viewfinity provides a variety of different rules which can be created to elevate permissions in order to install/run specific applications signed by a specific vendor, ActiveX, scripts, or administrative tasks.
By monitoring policy elevation requests you can also provide on-demand approval for special cases where it’s needed and you can find users who are trying to do things with their computers that they aren’t allowed to do. If necessary you can also monitor what the user does once the policy elevation is approved.
Rules that elevate administrative rights for processes or applications
With Windows 7, users are presented with a message from the User Account Control system when they attempt to invoke a function that requires administrative rights. This message will ask the user to enter an administrative password before the application or other function can be used. Because Viewfinity is controlling the administrative rights, you can also control the UAC message. When you’re setting up a policy that may allow a user to perform a function that normally requires administrative rights, you can tailor the message to something a little more useful, and you can also require that they justify their use of the application or function. For applications that are commonly used, including custom applications that require administrative rights, those messages can be suppressed entirely.
End user customization manages UAC prompts and messages related to policies
The Advanced tab lets you configure agents to meet a wide variety of specialized requirements. It supports video recording configuration and lets you create custom messages for end users, such as explanations of why the program they tried to run was blocked.
You can also use the extensive reporting system to provide on-screen visibility for virtually every metric that Viewfinity is capable of seeing. If you want a list of every type of CPU that exists on your Windows machines, there’s a report for that. Likewise, there are reports for users, rights, deployment status, and views of policies from virtually any direction.
Extensive reporting and auditing capabilities monitor policy statistics
Overall, the Viewfinity software presents a highly flexible interface that provides network managers with a way to configure user rights at a granular level. In addition, Viewfinity offers powerful reporting capabilities that go far beyond user rights, and can help managers keep up with the state of software licenses, Windows versions, and user activities, including efforts to launch software contrary to corporate policy. The Viewfinity software also allows flexible management of user actions, such as allowing temporary privilege elevations or modifications of the standard Windows rights assignments. The result is a flexible addition to network management as well as a powerful means of managing user security.