Windows desktop admin rights – an open door for malware?

05 Apr 2012

Quocirca has written extensively about privileged user management over the years, including two research reports, Conquering the sys-admin challenge in 2011 and Privileged user management – it’s time to take control in 2009. One of the dangers highlighted in both reports is that if privileged user accounts are compromised the results can be far more serious than when the same happens with the accounts of “normal” unprivileged users. Several vendors specialise in the management of privilege and sys-admin rights including CA, Cyber-Ark, Centrify, Lieberman Software, Quest Software, Thycotic and UK-based Osirium, which sponsored Quocirca’s most recent report.

It is odd then that many businesses leave “normal” users with full admin rights in one area; their Windows desktops. IT departments are prone to do this because it makes life easy as it means they are do not get constant user account control (UAC) requests to their helpdesks (to install Active-X components etc.) However, Windows desktops with full admin rights are a gift to malware writers. Once compromised it is far easier to recruit such PCs to botnets, install key-loggers or use them as a springboard to deeper penetration of an organisation’s infrastructure. The default position should be than no desktops runs with full admin rights and that such rights should only be granted for limited periods of time and to enable certain tasks.

This has led to the emergence of a second group of privilege management vendors whose main focus is to get the problem of Windows desktop admin under control. They enable automated granting of admin rights based on predefined policies, which can apply to applications as well as users. This helps minimising the number of UAC requests as when a user needs to install or update a commonly use application their privilege level can be temporarily elevated. Most of the vendors above do not address these specific issues and are therefore partnering in this area. Quocirca has been speaking to two of these vendors recently.

First is Avecto, a UK-based vendor that is doing half its business in North America. Its product is called Privilege Guard and it has a partnership with Cyber-Ark. Its focus to date has largely been selling direct to large enterprises where it links in with Active Directory and its Group Policy engine. However, it can also now link in with McAfee’s ePolicy Orchestrator (ePO), creating a partnership which Avecto sees as key to building a multi-tenancy on-demand version of Privilege Guard that will open up the SMB market, where practices regarding management of Windows privilege tend to be at their worst.

Second is Viewfinity, an Israeli vendor, which has just opened its first European office in Amsterdam.  It already does 60% of its business via an on-demand platform; the other 40% being on-premise installs at large enterprises. It has partnerships with Lieberman Software, CA and is integrated with Microsoft Systems Centre Configuration Manager (SCCM) and, of course, Active Directory. Viewfinity has just released V4 of its product. It also has a free “Local Admin Discovery” tool, which allows you to find out for free just how widespread the allocation of admin rights is across your Windows desktop estate. The approach is a bit like those free malware detection tools that tell you of all the gremlins that are present on your PC but will not let you delete them until you cough up a fee (although Viewfinity should actually work!)

Regardless of the vendor selected (a third player is BeyondTrust), that may well be a price worth paying. At this level most malware is opportunist; it will seek out the most vulnerable and easiest to exploit PCs. Once malware has found its way on to a PC, finding full admin rights is a gift; an open invite to take full advantage of opportunities for data theft or deeper penetration into the infrastructure of the organisation that owns the device and thought it could trust it on its network.

As Quocirca research over the years has shown, there is much poor practice in businesses of all sizes when it comes to the management and privilege and sys-admin rights. Just as was stated in 2009 with regard the management of core it infrastructure, when it comes to user desktops, it is time to take control.
 
Bob Tarzey, Analyst and Director, Quocirca

blog comments powered by Disqus