John E Dunn
July 19th, 2013

When privileges start to ‘creep’…

Bad privilege management is as dangerous as none

Utilizing tools native to the operating system to convert Windows networks to an environment in which administrator-level privileges are the justified exception rather than the rule is often mistakenly seen as a discrete destination when it is really part of a long, ongoing, complicated journey.

It’s an easy mistake to make. Many organizations find themselves simultaneously running up to three significant generations of Windows; XP, Windows 7 and Windows 8, plus one or two way points in between such as Vista and Service Packs. Each one of these comes with slightly different ways to manage standard and administrator accounts. These include the evolving controls in User Account Control (UAC) and related technologies such as XP’s prototype whitelisting Software Restriction Policies (SRP) and 7′s AppLocker.

The confusion organizations feel about privilege management and the principles of least privilege can become bound up with their eagerness to migrate from one version to another, and occasionally their reluctance to do so.  Are the controls on offer from Windows sufficient on their own and will standard user accounts be manageable across different versions at the same time?

This is the ‘temptation of UAC’; the blind assumption that the adoption of operating system-level privilege restriction is the magic seed from which to germinate watertight user and application security when it should be seen as more of a conceptual building block.

UAC’s limitations are legion, particularly the difficulty of making it work with the large body of legacy applications that still require administrator privileges to work. This can flood the IT department with support calls from disgruntled users, forcing staff to adopt a policy of exceptions that twist and eventually warp security policies. Over time, these exceptions build up, causing a ‘privilege creep’, a sort of slow aging of the security state to a situation where, once again, too many users have undocumented privileges.

The organizational risk of wishful privilege management is that the ‘creep’ isn’t noticed and a check box mentality takes over. In this scenario, management assumes that privileges have been contained, not realizing that this policy is being eroded from within. From the outside it looks rosy. Most users are running as standard most of the time, except when they aren’t and the administrators have lost small but potentially critical amounts of control and oversight.

A process that started with a desire to control and rationalize administrator-level privileges by defaulting users to standard mode ends in slow-motion chaos.

Some might complain that only the most incompetent organization will fall off the rails that easily. Applications can be re-purposed to run in standard mode and in other cases they can be replaced altogether. This is undoubtedly true in some cases but the pervasiveness of XP nearly seven years after its successor was launched suggests a more complex picture in which organizations persist with the older OS for reasons that surely include application and security compatibility.

The death of XP

As the demise of Windows XP support in April 2014 underlines, the issue of privilege design is reaching a crunch point; whether they like it or not, organizations face an urgent review of their approach to privileges as they migrate to Windows 7 and 8.

We started this piece by comparing privilege control to a journey. If that analogy holds true the ultimate destination is to make an organization more secure, and demonstrably so for reasons of compliance. The first element – security – is unpleasantly abstract, the second – compliance – complex.   Arriving at these stations isn’t easy when utilizing tools native to Windows but there is another way.

Least privilege systems such as Avecto’s Defendpoint bridge the impasse by integrating the two worlds of access control with policy management in a single layer that can not only help control privileges but model how they are being used and by whom on any network. This gives IT teams a way of planning their migration to standard user operation as well as offering complete oversight into the exceptions as they are added. It’s a world of comprehensive reporting that can transform the control of admin privileges into something that generates knowledge instead of uncertainty and make-believe.

More from the Blog

Related technology and security insights