User Account Control was a great idea but it has taken privilege management to fulfill its potential
How did computer security get into such a troubled and confused state? It’s a question security professionals must ask themselves on a daily basis as they face demands that threaten to explode budgets while offering no guarantee that any of the expensively-assembled defenses will actually work.
The roots of the malaise goes back to the early years of the millennium when enterprises and consumers using Windows 2000 and Windows XP were suddenly ambushed by waves of clever software attacks that warned the world that criminals had floored an evolutionary accelerator pedal. By the time XP and Windows received its first major security upgrade in the form of Service Pack 2 in 2004, it was becoming clear that security had entered an unsettling era that might take decades to play out.
In the new world, software flaws would need incessant patching, signature-based antivirus would slowly lose its effectiveness against an array of innovative malware types, and every scrap of data would be at risk. The security industry offered lots of security products but each solved only one part of the problem, while the accumulation of dedicated systems created a new and bigger problem of expensive, unmanageable complexity.
The nastiest discovery of all was that an organization’s biggest vulnerability was the one thing it couldn’t do without, namely its employees and partners. Even where security could block a type of attack on a technical level, stopping social engineering, carelessness or outright malevolence from within looked like an impossible task.
The painful lesson of hindsight is that a much simpler reform – changing the way system privileges are handed to users and applications – could have headed off a good proportion of these threats in one fell swoop. By the time it released XP SP2, Microsoft had realized that the model of handing out unrestricted administrator privileges was being exploited by malware to gain control over targets and it started work on what by the launch of Vista in 2007 turned into User Account Control (UAC).
In theory by running users with standard user accounts wherever possible, UAC improved security but too often it did so at the expense of manageability and ease of use. As the experience of using a PC deteriorated, malware writers started using social engineering to get round UAC prompts. Despite useful tweaks in Windows 7, the weakness of UAC has remained. To act as a meaningful barrier, it must be centrally managed but this can quickly turn into an uncomfortably manual process; all that a basic UAC system does is pass the responsibility for elevating an application’s demands from the end user to an admin who is even more remote from what is happening on the PC.
The principle of restricting privileges using UAC was a powerful one but like a rough diamond; it needed more polishing if it was to act as a control on the risky and dangerous elevation of privileges and not as an impractical block on employee productivity. A further limitation was that it assumed that the PC was sitting on a desk inside the network perimeter within reach of a support desk when increasingly it was being used remotely.
PCs become endpoints
As far as enterprises were concerned, UAC fitted into a larger technological change, the coming of the ‘endpoint’. Endpoints are principally Windows PCs, but they can also now be smartphones, tablets, and embedded devices, each one coming with its own set of weaknesses. Enterprises looked for systems that could coordinate the defense of these diverse platforms using traditional anti-malware, endpoint device controls, data security and encryption, and patch management. Eventually, high-level management systems such as McAfee’s industry-leading open platform, ePolicy Orchestrator (ePO) emerged to tie together the different endpoint layers into a single, policy-driven whole.
Each defense served its security purpose but the innovation of Windows’ UAC and privilege restriction would have been left in a parallel silo had it not been for a crucial development, that of privilege security systems such as Avecto’s Defendpoint. This layer has helped make running users in standard mode a mainstream and attainable state rather than the time-consuming inconvenience it was in danger of becoming.
Least privilege software doesn’t block attacks so much as cut the vulnerable surface to the absolute minimum, preventing malware and the malevolent from finding a path to their targets. Running users and applications in standard mode immediately puts attackers on the back foot.
In 2013, Avecto cemented the place of privilege management in the world of endpoint control by releasing a version of Defendpoint that can report into and be managed through ePO, offering a way for McAfee customers to access least privilege technology without changing their console.
Adding UAC to Windows provided a blunt mechanism for controlling privileges on PCs but it has taken until the emergence of full-blown privilege management systems to overcome its deepest flaws. The irony is that the mechanism – restricting users to standard rather than admin mode wherever possible – has been there for years but has never been accessible without major compromises. It is possible to say that through sophisticated privilege management, the promise of UAC is at last being fulfilled.