Few people would dispute that implementing least privilege provides considerable security benefits, as removing admin rights eliminates the accidental or deliberate misuse of these privileges. It is also well documented that running under least privilege dramatically decreases the risks posed by malware, as many exploits rely on the user having admin rights for the payload to have the most devastating effect.
In addition to the security benefits of least privilege, there are also many operational benefits, as the cost of supporting the corporate desktop is dramatically reduced when the desktop is in a locked and well-managed state. However, the principle of least privilege does bring its own set of operational challenges, which is why many organizations have struggled to embrace it.
Here are 5 of the most common operational challenges preventing organizations from moving to least privilege.
1. Legacy Applications
Many applications will not run under a standard user account. Although I refer to them as legacy applications, it will be no surprise that there are many newer applications that are simply badly written and require admin rights to run or function correctly. Most organizations have hundreds or thousands of applications, so it is commonplace to have a large number of problem applications that will fail to function correctly under a standard user account.
2. Basic Administration Tasks
Many users perform basic system administration tasks for themselves, such as connecting printers, adding plug and play hardware and defragmenting disks. This is especially true of laptop users, although it affects many desktop users too. Every organization will also have a group of advanced users, who need to perform more advanced system administration, such as managing disks and network adapters.
3. Software Installation and Upgrade
Although most organizations will have a centralized system for deploying software packages and updates, it is not unusual for this to be supplemented with some ad hoc software installation. As most software requires admin rights to install, this can be difficult to accomplish on a locked-down desktop, where admin rights have been removed.
4. ActiveX Installation and Upgrade
One of the most challenging issues of moving to least privilege is the inability of a user to install ActiveX controls. Although there are obvious security benefits in preventing users from installing ActiveX controls, the inability of a user to install or upgrade authorized ActiveX controls for themselves is a major headache, as alternative deployment strategies are costly and time-consuming.
5. Advanced Tools
We are left with one area, which I will categorize as advanced tools. These are applications that don’t fall under the legacy applications category, as they are applications that genuinely require admin rights to function correctly. We are usually referring to more technical users, such as software developers, who need to run debugging tools and other privileged applications.
Windows Least Privilege
The challenges I have outlined above are difficult to overcome using standard Windows policies and tools, as there is no mechanism to assign privileges directly to applications. In Windows, a user is given either a standard user account or an admin account, which is the reason Avecto introduced the Privilege Guard (Edit: now Defendpoint) solution. Privilege Guard makes it possible to overcome these operational challenges, as admin rights (or more granular privileges and rights) may be assigned directly to the applications that require them, with the user logging on with a standard user account.
In addition to supporting executables, Privilege Guard can assign rights to Control Panel applets, management console snap-ins, software installation packages and patches, batch files, Windows scripts, PowerShell scripts and registry settings. It also integrates with Internet Explorer and allows authorized ActiveX controls to be installed under a standard user account. No other solution provides such broad application support, so implementing least privilege is a realistic goal for every organization.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.