Educause Security Discussion mailing list archives

Re: The value of 'least privilege'


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Tue, 30 Mar 2010 08:50:48 -0700

Just FYI,



ScriptLogic has Privilege Authority
<http://www.scriptlogic.com/products/privilegeauthority/>  for free.  I have
not used it (yet).  I have used BeyondTrust's Privilege Manager and it works
ok.

-Eric





Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Tuesday, March 30, 2010 5:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The value of 'least privilege'



For those struggling to get broader adoption of 'least privilege' as a
security recommendation/requirement, there may be some stats in this new
report that would be useful.

Allison F. Dolan

Program Director, Protecting Personally Identifiable Information

Massachusetts Institute of Technology

77 Massachusetts Ave  NE49-3021

Cambridge MA 02139-4307

Phone: (617) 252-1461

http://mit.edu/infoprotect





Want PC Security? Remove Admin Rights

By <http://www.esecurityplanet.com/feedback.php/http:/www.esecurityplanet.com/features/article.php/3873356> Stuart J. Johnston

March 29, 2010



A new survey of Microsoft security vulnerabilities shows that the vast
majority of them can be effectively mitigated while users wait for systems
managers to apply the software giant's monthly patches.

The third-party report, compiled by privileged access lifecycle management
vendor  <http://www.beyondtrust.com/> BeyondTrust, claims that the cure for
many ills that might befall users of PCs running Microsoft (NASDAQ: MSFT)
software is straightforward.

"Key findings from this report show that removing administrator rights will
better protect companies," said the study, dubbed
<http://www.beyondtrust.com/downloads/whitepapers/Microsoft_Vulnerability_Analysis_2009.asp> BeyondTrust 2009 Microsoft Vulnerability Analysis.

Administrative rights include the authority for someone designated as the
system administrator to control what software and hardware can be installed
on a user's PC. Often, however, the default setting is to let the user have
administrative rights on his or her own PC but, as noted in the report, that
can be risky because, for instance, a piece of malware might trick the
system to prompt a user with such rights to okay its installation.

"By removing the need to grant administrative rights to end-users, IT
departments eliminate what is otherwise the Achilles' heel of the desktop --
end-users with administrative power that can be exploited by malware and
malicious intent to change security settings and disable other security
solutions," the report said.

Microsoft itself frequently recommends that administrative privileges be
disabled for most users.

"If a user is logged on with administrative user rights, an attacker could
take complete control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights. Users whose accounts are configured to have fewer user rights
on the system could be less impacted than users who operate with
administrative user rights," a boilerplate statement reads in most
Microsoft Security Bulletins.

Suspending administrative rights for most users can help block -- or, in
some cases, mitigate -- many common methods of exploiting security
vulnerabilities.

For example, the report said, eliminating administrator privileges from
Windows 7 PCs -- thus blocking users from engaging in some risky activities,
such as installing applications brought in from home -- would block 90
percent, or nine out of ten, of the "critical" security flaws identified
since the system shipped last year.

Additionally, removing administrative rights from users' PCs would protect
against exploitation of all 55 of the vulnerabilities reported in Microsoft
Office during 2009.

Similar results can be obtained by disabling administrative rights in
Internet Explorer 8 -- although that is not true of earlier IE releases.

"100 percent of the Internet Explorer 8 vulnerabilities can be mitigated by
removing administrator rights," the report said.

For all versions of IE, of the 33 vulnerabilities that Microsoft identified
in 2009, 94 percent could be mitigated by shutting down administrative
rights.

Further, configuring users without administrative privileges would protect
against 81 percent of the 80 security vulnerabilities rated as "critical" --
the highest ranking in Microsoft's four-tiered severity scale, according to
the study.

While systems administrators can configure users' capabilities using a
variety of tools,
<http://www.internetnews.com/security/article.php/3745256> BeyondTrust --
perhaps not surprisingly -- sells its own tool called Privilege Manager,
which has been on the market since 2004.

In order to compile the report, BeyondTrust examined all of the
<http://www.microsoft.com/technet/security/bulletin/summary.mspx#ERC>
Security Bulletins issued by Microsoft in 2009 -- a total of 75 bulletins
accounting for nearly 200 bug fixes.



Stuart J. Johnston is a contributing writer at
<http://www.internetnews.com/> InternetNews.com, the news service of
<http://www.internet.com/> Internet.com, the network for technology
professionals.

http://www.esecurityplanet.com/features/article.php/3873356/article.htm

