Educause Security Discussion mailing list archives

Re: Non-administrator advantages / disadvantages


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Mon, 3 Dec 2012 17:29:09 +0000

Randy,

Without administrator rights, the impact of malware is limited: it can't, for instance, install a device driver, 
retrieve cached domain passwords or sniff the network.  Some malware does have privilege escalation exploits packaged in, 
but these are generally not zero-day exploits.  The Cool and Blackhole exploit kits, for instance, attempt escalation 
using the TrueType font vulnerability that was found in Duqu about a year ago.

I don't think the important question is whether most infections come from drive-by downloads or from users installing 
unauthorized software.  Rather, we need to consider, in our environments, what the difference is between malware 
running with administrator privileges versus basic user privileges.

Regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
alexander.s () mccd edu
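The difference Steven describes above only holds if the user's account really is not in the local Administrators group. The following PowerShell is an added example, not code from the thread or from any of the posters: it reports whether the current session is elevated and lists who holds local admin rights on the host, flagging anything outside an assumed baseline. The baseline names (the built-in Administrator and two domain groups) are placeholders for this example; Get-LocalGroupMember needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the thread): audit local admin rights on a Windows host.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 / Server 2016+.

function Test-IsElevated {
    # True only if this process token carries the Administrators SID as enabled,
    # i.e. the session is actually elevated. A UAC-protected admin account running
    # un-elevated returns False here even though the user is in the group, which is
    # why group membership is audited separately below.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAudit {
    param(
        # Accounts expected in the local Administrators group; anything else is flagged.
        # These entries are assumptions for the example; replace them with your own baseline.
        [string[]] $Allowed = @(
            "$env:COMPUTERNAME\Administrator",
            "$env:USERDOMAIN\Domain Admins",
            "$env:USERDOMAIN\Workstation Admins"
        )
    )
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Unexpected  = ($Allowed -notcontains $_.Name)
        }
    }
}

"Current session elevated: $(Test-IsElevated)"
# Show only the memberships that are not on the baseline; an end-user account or an
# ad hoc group appearing here is exactly what a non-admin policy is meant to prevent.
Get-LocalAdminAudit | Where-Object Unexpected | Format-Table -AutoSize
```

Run it per host (for example through a PSRemoting loop or as a scheduled inventory job) and treat any Unexpected row as a finding; a user who is a member of Administrators but happens to be running un-elevated is still one consent prompt away from the driver install or credential dump Steven mentions.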

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy
Sent: Sunday, December 02, 2012 5:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Non-administrator advantages / disadvantages

What are we trying to prevent by restricting users from having admin privs? If it's to keep people from downloading evil 
malware, I hate to tell you this but the primary method of malware delivery is by web drive-bys where a user simply 
visits a legit www site and the malware is loaded via an infected ad. User downloads are probably a small % of the 
infections. So here are some questions I believe need to be answered before one implements an arbitrary security 
solution.

0. IMHO, restricting user privs arbitrarily is a response to an old attack vector.  Similar to account lockouts, this 
was the ONLY defense about 5-10 years ago when there weren't additional controls. Make sure you're addressing the right 
problem.
1. do you have stats that show the types of infections and their vectors at your site? In other words, do your stats 
show that users with privs are the primary cause of infection? If so, then it makes sense to restrict user privs.
2. Use your stats to support your security decisions. If your stats show that web drivebys are your primary source of 
infection then restricting user privs won't make you any more secure.
3. How long does it take for a user to have software that they need for their job installed on their machine? 2-4 
hours? 2-4 days? 2-4 weeks? In the SANS classes I've taught, I ask this question and the answers I get back actually 
range from hours to weeks. I was shocked that it takes more than a day to have software installed on a work machine. 
I'm not talking about an aquarium screen saver. I'm talking about business software.
4. If you don't have a responsive software install process, your users will bypass your security by simply installing 
the software they need on their personal machine, copying the data to that machine and doing their work. Now, your chances of 
data exposure increase and you have a worse problem than the one you were trying to solve.

So, I believe it's extremely important that you collect the appropriate security stats before making a security 
decision.

Just my .02.

-Randy Marchany
VA Tech IT Security Office
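Randy's questions 1 and 2 call for numbers rather than intuition. The following PowerShell is an added example, not code from the thread or from any of the posters: it takes a set of incident records and tallies them by delivery vector, showing alongside each vector how many of those cases ran under an account with local admin rights and how many ended in a reimage. The CSV rows are constructed for illustration; in practice you would Import-Csv an export from your ticketing system or endpoint tooling with the same columns.

```powershell
# Added example (not from the thread): summarise infection records by vector and privilege.
# The records below are constructed sample data, not real incidents.

$incidents = @'
Date,Host,Vector,UserWasAdmin,Outcome
2012-11-05,LAB-07,drive-by,True,reimaged
2012-11-06,OFC-12,drive-by,False,profile-deleted
2012-11-09,OFC-03,user-install,True,reimaged
2012-11-12,LAB-02,drive-by,False,profile-deleted
2012-11-14,OFC-21,email-attachment,True,reimaged
2012-11-19,OFC-08,drive-by,True,reimaged
2012-11-21,LAB-11,user-install,True,reimaged
2012-11-26,OFC-15,drive-by,False,profile-deleted
'@ | ConvertFrom-Csv

function Get-InfectionVectorStats {
    param([Parameter(Mandatory)] [object[]] $Records)
    # One row per vector: share of all incidents, how many victims were local admins,
    # and how many cases could not be cleaned short of a reimage.
    $Records | Group-Object Vector | ForEach-Object {
        $adminCases = @($_.Group | Where-Object { $_.UserWasAdmin -eq 'True' })
        $reimaged   = @($_.Group | Where-Object { $_.Outcome -eq 'reimaged' })
        [pscustomobject]@{
            Vector        = $_.Name
            Count         = $_.Count
            PctOfTotal    = [math]::Round(100 * $_.Count / $Records.Count, 1)
            AdminSessions = $adminCases.Count
            Reimaged      = $reimaged.Count
        }
    } | Sort-Object Count -Descending
}

function Get-PrivilegeOutcomeStats {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Same records cut the other way: did admin vs. non-admin victims need a reimage?
    $Records | Group-Object UserWasAdmin | ForEach-Object {
        [pscustomobject]@{
            UserWasAdmin = $_.Name
            Count        = $_.Count
            Reimaged     = @($_.Group | Where-Object { $_.Outcome -eq 'reimaged' }).Count
        }
    }
}

Get-InfectionVectorStats   -Records $incidents | Format-Table -AutoSize
Get-PrivilegeOutcomeStats  -Records $incidents | Format-Table -AutoSize
```

The two tables answer two different questions. The first is Randy's: which vector brings malware in, and whether user installs are a meaningful share. The second is the one Steven raises, what the infection costs once it lands, which the vector breakdown alone does not show; with the constructed rows above, every admin-session case ended in a reimage regardless of vector, while the non-admin cases were closed by deleting the profile. Whether real data looks like that is exactly what collecting the stats is for.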


On Fri, Nov 30, 2012 at 4:45 PM, Shalla, Kevin <kshalla () uic edu> wrote:
This is a disadvantage from the user's perspective.  They want to do what they want to do when they want to do it.  I 
have to provide support and demonstrate value added.  It's difficult to argue this: "I know you're the administrator of 
your own computer at home, and it works for you, and nothing gets in your way, but here at work, we have to slow you 
down because it's for your own good, and the good of the university."  We've been short of staffing, but still striving 
towards automating software updates, but so far the only thing we've mastered is through group policy, which isn't very 
reliable.  Further, Adobe and Java are frequently telling users to update, yet when they try, they are thwarted.  Thus, 
we have users questioning our value, and saying "Give me the keys, you guys are too slow".

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Tuesday, November 27, 2012 2:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Non-administrator advantages / disadvantages

Disadvantages
User cannot install or update some software immediately - have to wait for desktop support.

This is a disadvantage :-?

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, 
Kevin
Sent: Tuesday, November 27, 2012 3:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Non-administrator advantages / disadvantages

I'm trying to highlight the advantages and disadvantages of prohibiting administrator access for users of Windows 
computers.  Can you provide feedback on what I have below?  By the way, what's an example of software that is generally 
prohibited?  Is BitTorrent an example?  Is it common?

Advantages
Most malware stays on one user profile, so other users on same machine are unaffected.  Deleting the profile can remove 
the malware. Prohibited (by policy) software doesn't get installed.  Combinations of software known to be problematic 
are not installed (like multiple active versions of antivirus).

Disadvantages
User cannot install or update some software immediately - have to wait for desktop support.

Kevin Shalla
