Paul Kenyon, Chief Operating Officer at Avecto, throws open Windows to reveal the operating system’s dirty little admin secret
Microsoft Windows is loved, not just by consumers, but by businesses too. The vast number of organisations that are either actively, or planning to, roll out Windows 7 is testament to this. The fact is it costs money when an organisation upgrades – both in time, compatibility testing, initial loss of productivity and re-training. If Windows wasn’t so good companies would hardly bother.
However, there is a real danger that these ‘windows’ into the workplace create and, unfortunately, far too many aren’t being sealed shut.
This is the one big area where I have a problem with Microsoft. It has a very loyal customer base, especially in the corporate community, yet it leaves them exposed to security threats.
There will be some who argue that Microsoft takes security very seriously – Microsoft itself for one. Indeed, the recent enhancements that have been touted in the developer edition of Windows 8 substantiate that it continues to make improvements in its security.
However, from what we have seen, Microsoft’s approach to dealing with least privilege is far from adequate.
Instead of sealing this major vulnerability for organisations, it actually gives admin rights to every single user with UAC (User Account Control). For those not familiar with UAC, here is how it works:
When a user tries to do something that requires elevated rights, UAC prompts them to confirm that they want to perform the task and asks for a password. The user’s own password will not work if he does not have admin rights - which often results in helpdesk calls, at a cost to the business for both the IT team to field the calls and the users in lost productivity.
If a user knows an administrator password then they could use it to ‘approve’ future tasks – whatever they may be. This also introduces issues in terms of compliance as well as security.
In an effort to limit these prompts, and therefore help desk calls, Microsoft introduced a sliding scale to Windows 7 (and for those interested this remains unchanged in Windows 8). This slider means organisations can allow certain activities to take place without being prompted.
However, following its introduction, everyone soon became aware that there was a vulnerability introduced with how UAC works when it is set at its lowest setting.
That said, UAC is a great idea for home users, and for ‘true’ administrators. The problem is that in most organisations you don’t want to give admin accounts to end users as this gives them full control of the endpoints – which can cause major problems.
Users with rights
Allowing users to control the end point not only exposes the business to internal exploits, but also the users to external attacks. There are lots of articles that examine this topic in finite detail, so I will just give a top level brief on the vulnerabilities users with admin rights can introduce to the enterprise:
Kernel-mode rootkits – they are very dangerous and you don’t want them on your build
Key loggers – the sheer idea that every keystroke can be communicated to others outside the organisation is terrifying
Install Active X controls - whether you want them or not
Introduce spyware, adware and any other types of malware
Stop and start services that either freeze the machine or cause a problem on the network – for example switching off the antivirus software or the firewall
Users can either take themselves out of the domain, or create a new user account. As a result, IT lose visibility and control; domain settings and security updates no longer apply, all of which results in the desktop – and ultimately the whole organisation – being left open to attack. Rogue or unlicensed software can be introduced
If you bestow admin rights on end users you are compromising every other security mechanism in place. Also, if the end user then chooses to turn UAC off, they will not see the prompts and are not made aware of what is happening – so the devastation can go on in the background undetected.
From a personal, and professional, standpoint I love Microsoft. It rocks up late to the party, doesn’t bring a bottle yet is still friends with everyone and manages to lift everyone’s spirits simply with its presence. But it’s not all perfect.
For some reason businesses either fail to recognise, or are prepared to forgive, its major fault that leaves them vulnerable from abused admin rights. Whichever version of Windows you’re running you can’t just turn a blind eye or your windows could let in more than you bargained for.
Make it secure - Here are five simple tips to secure the environment:
1. Remove admin rights. To give users control of their desktop, in a corporate environment, is bad news. They’ll introduce or change things that can cause serious security issues – which could cost money and time. Instead, use a privilege management product to assign privileges to the applications, tasks or scripts, making the desktop more secure and the user more manageable.
2. Move towards a least risk Windows desktop. To do that you need to white list your applications, ensuring that only the applications that you want to run in your environment can run. The idea that you’re not in control of your applications in one way or another is foolhardy.
3. UAC is an annoyance for most people – if you give users admin rights, the first thing they will do is turn it off, removing a vital layer of control. A better situation is to replace UAC altogether with customised messaging allowing IT to communicate an appropriate message to the user based on their activity. This can reduce costly support and improve the user experience.
4. Make sure that you have antivirus/anti-spyware/web security on the desktop and that it is up to date.
5. Finally all machines should be part of the domain. If they are not part of your Active Directory you will always have difficulty keeping your endpoints secure. This is especially important for ensuring that policy settings get out to your machines and that they’re always up to date.
For more information, visit www.avecto.com.