In many ways, IT is very similar to economics in that there is no perfect state. Low interest rates, for instance, helps borrowers but hurts savers and full employment incurs inflation. Like an economist, today’s IT managers face the continued challenge of finding that perfect middle ground between a guaranteed secure network environment and one that is conducive to user productivity and innovation. Such is the case when allotting admin rights to users.
This practice is a two-edged sword; what makes things easy for the user also simplifies the nefarious operations of malware as well. Because of the Consumerization of IT, users now expect admin privileges on company devices, but for internal IT, they are a nexus of vulnerability. Local admin rights is a constant struggle between friend and foe.
Local admins and other privileged accounts are what the SANS Institute refers to as the keys to the kingdom. They are the top target of hackers, malware creators and other nefarious outsiders who want to install ransomware, keystroke loggers, sniffers, and remote control software within your network.
The Center for Internet Security, in fact, cites that because privilege accounts are a primary method for attackers to spread inside a target enterprise, eliminating the misuse of administrative rights is a critical security control.
As early as 2005, Microsoft outlined the concept of least privilege in a Microsoft Windows Resource Kit, which stated:
"Always think of security in terms of granting the least amount of privileges required to carry out the task. If an application that has too many privileges should be compromised, the attacker might be able to expand the attack beyond what it would if the application had been under the least amount of privileges possible.”
The fact is that the people behind the keyboards are your weakest endpoints and the apathy in recognizing that fact is the biggest security threat of organizations today. Though a complete contradiction to the principle of least privilege (POLP), users are initially allotted admin rights to their devices for the sake of convenience. They then continue to practice it out of the illusion of management that their networks are not currently compromised because they have not detected an incident. Users do not make good decisions when it comes to cyber activities. Case in point, according to Verizon’s 2017 Verizon Data Breach Investigations Report, 1 in 14 users were tricked into clicking a link or opening an attachment. Of those, 25% were duped more than once.
The ransomware laced malware outbreaks of this past June were classic examples of the damage that can be inflicted within an organization through the infiltration of malware under the guise of local admin account.
- South Korean web-hosting firm, Nayana, ended up negotiating an agreed ransom of $1 million for the decryption keys to release their 153 web servers.
- Large enterprises such as Maersk, the world’s largest shipping container company and medical transcription service provider, Nuance Communications and big league corporations experience disruptions of one to two weeks, which impacted third quarter earnings and sent their stock prices falling.
The concept behind these crippling attacks is simple. When operating under the identity of an admin or privileged account, applications installed with that account take on those privileges. These threats make identity the new security perimeter. Stripping users of privilege access to their devices hinders their ability to download and install unauthorized software. It also prevents them from writing files to places that only administrators can which is a principle objective of malware.
It is imperative to find your weakest links (employees) before cybercriminals find them and breach your network and intellectual property. Every IT department needs to probe and test their users because the hackers are.
Learn More About the Employee Cybersecurity Mindset in this ITSP-TV Expert's Panel Discussion
The first step is to find out what local admin accounts already reside on all of your enterprise devices. For local group membership, just use the Get-LocalGroupMember cmdlet to return the group membership in a command prompt of any windows device. You can also query members of local administrators groups in all domain computers using a PowerShell script offered by Microsoft. You can then use Group Policy Preferences to enforce local administrator group membership. You can check out this video I created for just this demonstration.
Simply denying admin rights to users is not the be-all, end-all solution. Just as applications such as Google Chrome will install without admin rights, many malware variants do not require admin rights as well. In addition, the elimination of admin rights for standard users requires a great deal of planning and testing. Many companies have utilized AppLocker as a way to enforce blacklist or whitelist policies in a granular fashion. The policies can then be deployed through standard group policy, but unfortunately can only be applied to the Enterprise and Education editions of Windows. In the most recent Windows 10 Build, Microsoft released a new tool called “Controlled Folder Access.” Introduced as a component of the Windows Defender Security Center, CFA is designed to block unauthorized applications from creating new files or modifying existing files located in designated “protected” folders that are important.
Whether you consider local admin rights friend or foe, the risks associated with them is indeed real. Having a plan to manage them is a key part of cybersecurity today.
About Jeremy Moskowitz
Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.