Users can cause a lot of damage when given admin rights. It is time to stop the rot, says Paul Kenyon from Avecto
If someone were to ask for permission to systematically destroy the corporate IT infrastructure, and ultimately bring the business to its knees, the obvious response is ‘NO’. However, for some reason, employees are often given the power to do exactly that.
The unfortunate reality is that when businesses decide on their approach to admin rights, the decision is more often than not based on cost.
Lesser of Two Evils
Commonly, business leaders have to choose between two options: deny users admin rights and spend extra resources supporting them, or allow users admin rights, reducing support costs in the short term, and face the consequences.
In a perfect world, every organisation would take the first option.
But we don’t live in a perfect world and the reality is that the second option appears, at first glance, more cost effective. So, when a user rings asking for permission to install a missing piece of software, the quickest (and usually cheapest) option is to grant them admin rights.
However, you may as well have given them a time bomb to hide in the network.
Most organisations have no way of auditing what a user did with admin rights during this privileged period and, all too often, the rights aren't revoked immediately, leaving the desktop, and with it the entire IT infrastructure, open to abuse.
The keys to the kingdom
So, just what are the risks if users have admin rights?
Here’s the top ten:
- They could inadvertently, or deliberately, install kernel rootkits. The kernel is the lowest level of the operating system and, therefore, has the highest level of access to the whole computer or server. A rootkit is a piece of code that runs in the kernel. Anti-virus and anti-spyware products use kernel-level code themselves, but the kernel can also be invaded by malicious code, which wreaks havoc while remaining invisible and undetectable, and is therefore almost impossible to remove.
- Install keyloggers and other spyware. Primarily these are a violation of privacy, but they are also capable of stealing login details and other credentials.
- Install malicious ActiveX controls. A lot of websites rely on ActiveX controls to provide rich interactive functionality, continually prompting users to install them. However, with the web browser ultimately a window to the online world of web services, applications and content, it is the easiest way into the user's system and therefore into the business. Drive-by downloads often use ActiveX controls, with the user oblivious to the file(s) being installed.
- Install illegal, unauthorised or unlicensed software. In addition to the risk of embedded malware, this also poses a commercial issue as it is impossible to know the origin of the software. Free ‘licensed’ software may come at a hidden price.
- Set code to autorun when logging on. Malware will use this, often backed up by rootkits, to make sure that it not only automatically starts, but also conceals its activities.
- Stop services (such as HIPS or firewalls) and circumvent other IT controls. Users could inadvertently switch off security applications such as anti-virus, the firewall or even intrusion detection software. If malware slips through and infects the system, it can stop these services to avoid detection.
- Create and modify local user accounts. If a user has been exploited, the most common approach is to delete their account and create a new one. Malware is often designed to create itself a local admin account, thereby remaining on the desktop.
- Access other users' data. Standard users shouldn't have the right to read anyone else's data but, with an admin account, they're free to sneak a peek at anything and everything.
- Replace critical OS files with Trojans. Again, malware will hide itself in the operating system, disguising itself as a genuine Microsoft component or application so that it can bypass traditional scanning techniques.
- Render their machine unusable. It is unlikely malware will do this: rather than destroy, it is designed to remain undetected so it can function indefinitely. However, an inept user could delete, install or change a key application, perhaps not breaking the machine instantly but, with enough changes, causing its downfall.
While each point is damaging, you might find it’s a combination of these that your organisation has to face. So, what can you do about it?
Top tips for securing the desktop
Tip 1: Group Policy
A feature of Microsoft Windows, group policy lets you control what users can and cannot do on the system. By restricting certain actions, such as blocking access to Task Manager, restricting access to certain folders and disabling the downloading of executable files, many of the risks outlined above can be minimised.
Tip 2: Don’t give users admin rights in the first place!
It's a fact that approximately 90% of malware relies on some form of admin right through which it can access and infect the system. A least privilege approach removes the risk of installing malicious software, intentionally or accidentally, and also restricts users' malicious or inept behaviour. This means ensuring, either manually or with software, that every process, user or program can access only the information and resources it needs.
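The auditing gap described earlier (nobody tracks who holds admin rights, and "temporary" rights are never revoked) and the least privilege principle in this tip can both be checked with a short script. The following PowerShell is an added example written for this page, not Avecto's product or code; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), PowerShell remoting for any remote hosts, and the hypothetical computer names and approved-account list shown.

```powershell
# Added example (not from the article): enumerate local Administrators
# group membership on one or more Windows machines and flag any member
# that is not on an approved list. Computer names, the CORP domain and
# the approved groups below are hypothetical placeholders.

# Accounts and groups that are allowed to hold local admin rights. Anything
# else is reported as drift, e.g. a user granted rights for a one-off
# software install whose rights were never revoked.
$ApprovedAdmins = @(
    'Administrator',            # built-in local administrator account
    'CORP\Domain Admins',       # hypothetical domain group
    'CORP\Desktop-Support'      # hypothetical support group
)

function Get-LocalAdminDrift {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$Approved = $ApprovedAdmins
    )

    foreach ($computer in $ComputerName) {
        # Enumerate the group locally, or via remoting for other hosts.
        $members = if ($computer -eq $env:COMPUTERNAME) {
            Get-LocalGroupMember -Group 'Administrators'
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators'
            }
        }

        foreach ($m in $members) {
            # $m.Name is 'MACHINE\Account' or 'DOMAIN\Account'. Local accounts
            # are matched on the account part alone; domain principals must
            # match the full DOMAIN\Name string.
            $shortName  = $m.Name.Split('\')[-1]
            $isApproved = ($Approved -contains $m.Name) -or
                          ($m.PrincipalSource -eq 'Local' -and $Approved -contains $shortName)

            [pscustomobject]@{
                Computer = $computer
                Member   = $m.Name
                Type     = $m.ObjectClass      # User or Group
                Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
                Approved = $isApproved
            }
        }
    }
}

# Usage: report unapproved admins on this machine and two hypothetical hosts.
Get-LocalAdminDrift -ComputerName $env:COMPUTERNAME, 'WS-0001', 'WS-0002' |
    Where-Object { -not $_.Approved } |
    Format-Table -AutoSize
```

Run on a schedule, the report is the audit trail the article says most organisations lack: every unapproved entry is either a forgotten temporary grant or something that needs investigating. Revocation is a one-liner with `Remove-LocalGroupMember -Group 'Administrators' -Member <name>`; the check is kept separate from the fix so that the report can be reviewed before anything is removed. Note that `Get-LocalGroupMember` fails on groups containing orphaned SIDs (deleted domain accounts), which themselves are worth cleaning up.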
Tip 3: Protect the perimeter
Create white and black lists that control which applications and devices can run in your environment. That said, even authorised storage devices can be risky, as cases of USB memory devices containing autorun malware infecting networks have shown. Make sure drivers include digital signatures.
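Tips 1 and 3 describe settings (Task Manager restrictions, AutoRun, application whitelists, signed drivers) that Group Policy pushes out but that nobody verifies actually landed on the desktop. The following PowerShell is an added example for this page, not the article's or Avecto's code. The registry paths and value names are the documented Windows policy locations; the expected values form this example's own baseline rather than a vendor recommendation, and the AppLocker summary assumes an edition of Windows that ships the AppLocker module. Run it in an elevated session.

```powershell
# Added example (not from the article): verify a Windows desktop against a
# small hardening baseline covering Tip 1 (Group Policy restrictions) and
# Tip 3 (AutoRun, application whitelist, signed drivers).

# Policy values to verify. Each entry: registry path, value name, expected
# data and what the setting does. The expected values are this example's
# baseline choices.
$Baseline = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = 1
       Note = 'Tip 1: block Task Manager for this user' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 255
       Note = 'Tip 3: disable AutoRun on all drive types (0xFF)' }
)

function Test-PolicyBaseline {
    param([array]$Settings = $Baseline)
    foreach ($s in $Settings) {
        # A missing key or value means the policy never reached this machine.
        $actual = $null
        if (Test-Path $s.Path) {
            $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Expected
            Actual    = $actual
            Compliant = ($actual -eq $s.Expected)
            Note      = $s.Note
        }
    }
}

function Get-AppLockerSummary {
    # Tip 3: summarise the effective application whitelist (AppLocker) policy.
    # Returns nothing on editions without the AppLocker module.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) { return }
    (Get-AppLockerPolicy -Effective).RuleCollections | ForEach-Object {
        [pscustomobject]@{
            Collection  = $_.RuleCollectionType   # Exe, Msi, Script, Dll, Appx
            Enforcement = $_.EnforcementMode      # NotConfigured, AuditOnly, Enabled
            Rules       = $_.Count
        }
    }
}

function Get-UnsignedDrivers {
    # Tip 3: list installed Plug and Play drivers that Windows recorded as
    # unsigned at install time. Entries without a driver file are skipped.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DriverName -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverName, DriverProviderName, Signer
}

# Usage: print the three reports.
Test-PolicyBaseline   | Format-Table -AutoSize
Get-AppLockerSummary  | Format-Table -AutoSize
Get-UnsignedDrivers   | Format-Table -AutoSize
```

The value of the baseline check is that it reads what is actually in the registry rather than what the policy editor says should be there, so a machine that dropped out of the right OU, or a user whose profile was created before the policy existed, shows up as non-compliant. An AppLocker collection reported as NotConfigured with zero rules means the whitelist the tip calls for is not enforcing anything on that machine. The driver report relies on Windows' own signing record; treat any unsigned entry as a question to answer, not automatically as malware, since some legitimate vendors still ship unsigned drivers.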
Tip 4: Secure web browsers and email clients
As we said earlier, these are the window to the IT-world and your first line of defence, so forbid unauthorised browser applications.
Tip 5: Education
Although an obvious one, it’s astonishing how many employees are oblivious to the risks they expose their organisation to. IT policies not only need to be created, and regularly updated to encompass new risks, but also communicated to users. They should cover key user activities including which websites they should/shouldn’t visit; types of devices allowed; what they can or can’t do with data; and passwords.
Ten years ago organisations didn’t have a choice regarding admin rights. Today they do. If yours decides to allow them, prepare for the consequences.
Paul Kenyon is the COO of privilege management company, Avecto.