
Blog

The top 10 secrets of admin users

James Maude

Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent, as they allow the user to effectively install or change any software or settings on their machine.

Understanding how and why it is imperative to limit the number of user accounts with administrative privileges is therefore essential for all organizations, especially in today's world of increased cyber risk that threatens us all.

What's so important about admin privileges?

Administrative rights are essential to the proper function of any IT infrastructure, as they enable trusted users to install software, to add new accounts and to generally change and amend the way that systems operate.

That said, they also present a risk to the security of your data, as an attacker who infiltrates a business and gains access to these rights could do significant harm. Operating with a limited number of admin users is necessary for any business, yet we now know that many companies fall well short of this.

Our own research has shown that more than half (51 percent) of IT professionals admit to providing local admin rights to users, with a staggering 25 percent of respondents not knowing which employees within their business have admin rights at present.

In response, chief operating officer at Avecto Andrew Avanessian argues: "These findings show that many companies are still not putting appropriate measures in place to counter the threat of admin rights.

"This is such a massive mistake, because unnecessary admin privileges increase the risk of sensitive and business-critical data being deleted or shared - even accidentally."

Allowing all users to run with local admin rights is like putting an open sign up to potential hackers.

Meanwhile, data published by Forrester Research in its latest Wave report on Privileged Access Management revealed that 80 percent of all data breaches involve the use of privileged credentials in some manner. This is a shocking statistic in itself, and indicative of the larger problem of widespread administrative privilege.

That said, this is not an issue that has gone unnoticed. Indeed, figures published by the UK government show that almost four-fifths (79 percent) of businesses are now aware of the need to limit the allowance of admin rights to their IT users in order to better safeguard their sensitive and valuable information.

Moreover, the urgency of organizations taking steps to limit the use of administrative privileges should not be underestimated. McAfee Labs revealed in its Threat Report for December 2017 that new malware is being developed at a record rate. It found that 57.6 million new samples of malware were developed in the third quarter of 2017 alone - itself a 10 percent increase from the preceding quarterly data.

Understanding the massive threat that unchecked admin rights can pose to your business has therefore never been more necessary.

What do admin rights enable users to do?

It may sound simple, but administrative privileges can give carte blanche to users to make far-reaching changes within an organization's IT infrastructure. Here are some common examples:

1. Change registry keys

By offering the ability to directly access and change certain registry keys (though not all registry keys require privileged access), admin rights enable users to work around Group Policy Object settings and other central management policies whenever they choose. This essentially means that local admin users potentially have access to all areas, at all times.

2. Take control of system services

Admin rights enable users to stop or disable services such as anti-virus and firewalls. Giving users the ability to switch off these key safeguards represents a significant risk.

3. Take ownership of files and folders

Admin rights enable users to take ownership of any file on the system, period - privileges always beat permissions. This means admin users can change the ownership of important documents or folders and then restrict access, copy or transfer data without any other authority, or tamper with protected security policies.

4. Manage certificates for the local machine

The ability to manage certificates for the local machine means admin users pose an increased risk of exposing others to phishing and man-in-the-middle attacks. By installing a fake certificate authority, malicious users can trick others into believing they are visiting trusted sites or receiving information from a trusted source, when they are not.

5. Use port scanning tools

Admin rights allow users to capture network traffic and run port scanning tools, which creates the potential to find vulnerabilities within a network. Port scanning is a common way for those with administrative privileges to identify the network services running on a host and to shore up their defenses, but it also allows malicious users to find and exploit vulnerable services.

6. Go from Admin to System

Admin users are able to create scheduled tasks that run as System. Applications can be configured to run while bypassing User Account Control (UAC) prompts, and processes can be launched as System too. This means malicious software can be planted and set to trigger at a later time, running in the background behind existing applications.

7. Install and uninstall any application or patch

With freedom to install, update or remove any application or software, users with admin rights can inadvertently leave the IT environment open to vulnerabilities. As these individuals do not necessarily know the full implications of their actions, this can pose a serious risk to system stability and data security.

8. Cover tracks

Because admin rights allow any change within an IT system, they also allow users to effectively cover their tracks in cases of wrongdoing. They are able to delete application, system and security event logs to hide their actions with relative ease.

9. Manage and create your own users

The freedom to create new accounts and to set their privilege level means that any compromised local administrator account has the ability to create multiple new local admins in future. This therefore poses a serious risk to security, with the potential to give lasting access to malicious users outside your organization.

10. Access any part of the OS

With the ability to freely access any part of the operating system or network, malicious individuals with admin privileges are able to set 'traps' for users with higher privilege, such as Domain Admins. Unrestricted admin rights therefore pose a significant risk around privilege escalation attacks and lateral movement.
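The risks in items 6, 8 and 9 above can be checked on an endpoint with a read-only audit. The following PowerShell script is an added example, not code from this post or from the Defendpoint product; it assumes Windows 10 / PowerShell 5.1 or later with the built-in LocalAccounts and ScheduledTasks modules, and an elevated session (reading the Security log requires it).

```powershell
# Added example: read-only audit of three admin-rights risks from the list above.
# Assumes Windows 10 / PowerShell 5.1+ (LocalAccounts and ScheduledTasks modules)
# and an elevated session, since reading the Security log requires it.

# Item 9: who currently holds local admin rights on this endpoint?
$admins = @(Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource)
Write-Host "Members of local Administrators: $($admins.Count)"
$admins | Format-Table -AutoSize

# Item 6: scheduled tasks that run as SYSTEM outside the \Microsoft\ tree.
# Vendor tasks legitimately do this, so treat the output as a review list.
$systemIds = @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM')
$systemTasks = @(Get-ScheduledTask |
    Where-Object {
        $systemIds -contains $_.Principal.UserId -and
        $_.TaskPath -notlike '\Microsoft\*'
    } |
    Select-Object TaskName, TaskPath, Author, State)
Write-Host "Non-Microsoft tasks running as SYSTEM: $($systemTasks.Count)"
$systemTasks | Format-Table -AutoSize

# Item 8: has the Security log been cleared? Windows writes event ID 1102
# when it is, so clearing the log leaves this one local trace. Forward the
# log to a central collector so the record survives a wiped endpoint.
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'ClearedBy'; Expression = { $_.Properties[1].Value } })
if ($cleared.Count -gt 0) {
    Write-Warning "Security log cleared $($cleared.Count) time(s); latest: $($cleared[0].TimeCreated)"
    $cleared | Format-Table -AutoSize
} else {
    Write-Host 'No Security log clear events (ID 1102) found.'
}
```

Run it across a fleet (for example via Invoke-Command) and compare the results against your approved admin list to find the accounts and tasks nobody can account for.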

Achieving balance between productivity and security

"The common misconception is that a user with local admin rights can do little harm and that administrative actions taken at the endpoint are isolated to the endpoint itself. Neither assertion is true." - Gartner, Inc., "Reduce Access to Windows Local Administrator with Endpoint Privilege Management," Lori Robinson, October 20, 2017.

Put quite simply, any attacker who is able to infiltrate an endpoint and gain access to admin privileges can cause untold harm to an organization. However, businesses must understand that a blanket withdrawal of admin rights will reduce the ability of personnel to be productive in their roles.

It is this balancing act between tightened security and freedom to work that all companies must now embrace, but this is precisely where endpoint privilege management can play a crucial role. Operating an environment of 'least privilege' means organizations are able to develop a stronger security posture, without the need to limit operational agility, and this is where our Defendpoint platform can provide unrivalled support.

Avecto Defendpoint combines best-in-class privilege management and application control, making admin rights removal simple in order to ensure compliance, security and efficiency. It deploys in hours and leverages more than two dozen validation criteria to elevate applications securely and flexibly, and elegantly scales to meet the demands of even the largest and most complex organizations. A powerful rules engine and comprehensive exception handling features help minimize the impact on end users and IT teams alike.


You can find out more about our award-winning privilege management and application control platform by visiting our product page; why not also schedule a demo while you're there, to see more of what Defendpoint can do for you?