Educause Security Discussion mailing list archives
The value of 'least privilege'
From: Allison Dolan <adolan () MIT EDU>
Date: Tue, 30 Mar 2010 08:58:42 -0400
For those struggling to get broader adoption of 'least privilege' as a security recommendation/requirement, there may be some stats in this new report that would be useful.

Allison F. Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect

Want PC Security? Remove Admin Rights
By Stuart J. Johnston
March 29, 2010

A new survey of Microsoft security vulnerabilities shows that the vast majority of them can be effectively mitigated while users wait for systems managers to apply the software giant's monthly patches.

The third-party report, compiled by privileged access lifecycle management vendor BeyondTrust, claims that the cure for many ills that might befall users of PCs running Microsoft (NASDAQ: MSFT) software is straightforward.

"Key findings from this report show that removing administrator rights will better protect companies," said the study, dubbed BeyondTrust 2009 Microsoft Vulnerability Analysis.

Administrative rights include the authority for someone designated as the system administrator to control what software and hardware can be installed on a user's PC. Often, however, the default setting is to let the user have administrative rights on his or her own PC but, as noted in the report, that can be risky because, for instance, a piece of malware might trick the system to prompt a user with such rights to okay its installation.

"By removing the need to grant administrative rights to end-users, IT departments eliminate what is otherwise the Achilles' heel of the desktop -- end-users with administrative power that can be exploited by malware and malicious intent to change security settings and disable other security solutions," the report said.

Microsoft itself frequently recommends that administrative privileges be disabled for most users.

"If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," a boilerplate statement reads in most Microsoft Security Bulletins.

Suspending administrative rights for most users can help block -- or, in some cases, mitigate -- many common methods of exploiting security vulnerabilities. For example, the report said, eliminating administrator privileges from Windows 7 PCs -- thus blocking users from engaging in some risky activities, such as installing applications brought in from home -- would block 90 percent, or nine out of ten, of the "critical" security flaws identified since the system shipped last year.

Additionally, removing administrative rights from users' PCs would protect against exploitation of all 55 of the vulnerabilities reported in Microsoft Office during 2009.

Similar results can be obtained by disabling administrative rights in Internet Explorer 8 -- although that is not true of earlier IE releases. "100 percent of the Internet Explorer 8 vulnerabilities can be mitigated by removing administrator rights," the report said. For all versions of IE, of the 33 vulnerabilities that Microsoft identified in 2009, 94 percent could be mitigated by shutting down administrative rights.

Further, configuring users without administrative privileges would protect against 81 percent of the 80 security vulnerabilities rated as "critical" -- the highest ranking in Microsoft's four-tiered severity scale, according to the study.

While systems administrators can configure users' capabilities using a variety of tools, BeyondTrust -- perhaps not surprisingly -- sells its own tool called Privilege Manager, which has been on the market since 2004.

In order to compile the report, BeyondTrust examined all of the Security Bulletins issued by Microsoft in 2009 -- a total of 75 bulletins accounting for nearly 200 bug fixes.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.

http://www.esecurityplanet.com/features/article.php/3873356/article.htm
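The article's point is that the risk comes from ordinary users holding local administrator rights, so the first practical step on a Windows fleet is finding out who actually has them. The following is an added example written for this archive page; it is not code from the article, from BeyondTrust, or from Microsoft. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and the $ApprovedAdmins allowlist is a constructed placeholder that must be replaced with the accounts an organization actually sanctions.

```powershell
# Added example (not from the article or BeyondTrust): audit which accounts hold
# local administrator rights on this machine, and report whether the current
# session itself is running with an elevated token. Requires Windows PowerShell
# 5.1 or later for Get-LocalGroupMember.

# Constructed placeholder allowlist; member names are reported as
# COMPUTERNAME\account or DOMAIN\account, so the entries must use that form.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator"
)

function Test-CurrentSessionElevated {
    # True when the current process token carries the Administrators role.
    # With UAC enabled, an admin user running an unelevated shell gets False here,
    # which is why the group audit below is still needed to find admin accounts.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    # Every member of the local Administrators group that is not on the allowlist.
    # A domain group nested in the local group shows up as one entry with
    # ObjectClass 'Group'; its own membership needs to be reviewed separately,
    # since every member of that group effectively has local admin rights.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unapproved = Get-UnapprovedLocalAdmins
if ($unapproved) {
    Write-Output "Accounts with local admin rights that are not on the allowlist:"
    $unapproved | Format-Table -AutoSize
} else {
    Write-Output "No unapproved local administrators found."
}

if (Test-CurrentSessionElevated) {
    Write-Output "Current session is elevated; day-to-day work should run as a standard user."
} else {
    Write-Output "Current session is running as a standard user."
}
```

Run from an ordinary user session first: the elevation check shows whether that session could approve a malware installation prompt without a credential challenge, and the group listing shows which accounts would need to be moved to standard user to realize the mitigation percentages the report describes.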
Current thread:
- Re: The value of 'least privilege' Dexter Caldwell (Mar 30)
- <Possible follow-ups>
- The value of 'least privilege' Allison Dolan (Mar 30)
- Re: The value of 'least privilege' Mike Hanson (Mar 30)
- Re: The value of 'least privilege' randy marchany (Mar 30)
- Re: The value of 'least privilege' Eric Case (Mar 30)
- Re: The value of 'least privilege' Basgen, Brian (Mar 30)
- Re: The value of 'least privilege' Eric Case (Mar 30)
- Re: The value of 'least privilege' Sarazen, Daniel (Mar 30)
- Re: The value of 'least privilege' Jeffrey I. Schiller (Mar 30)
- Re: The value of 'least privilege' Matthew Wollenweber (Mar 30)
- Re: The value of 'least privilege' Howe, Joe (Mar 30)
- Re: The value of 'least privilege' Steve Werby (Mar 30)
(Thread continues...)