BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Getting Least Privilege Right on Windows

Posted June 30, 2014    Morey Haber

gettingleastprivright-manandkeyWindows doesn’t make least privilege easy

Enforcing least-privilege access policies on Windows has never been easy – especially given some fundamental flaws have haunted the OS since the mid-1990s. Consider the following permissions issues:

  • Windows 95 and 98 had a logon screen and could even be joined to the domain, but users could bypass the prompt simply by pressing ESC.
  • Windows XP improved things a bit by requiring users to hit Ctrl-Alt-Del to login. However, even when privileges were limited to standard user, you could still create accounts from the command prompt and bypass security a dozen different ways. It’s good that XP is finally EOL.
  • Windows Vista introduced the infamous User Account Control (UAC) prompts for almost every common task. Most companies had to turn them off, but at least Microsoft fixed some backdoors.
  • Windows 7 fixed many of the above problems, but it contains no granularity for enforcing least-privilege access to OS functions and applications. This is the staple OS for the vast majority of businesses today.
  • Windows 8.x introduced the new UI and improved many security features. Unfortunately, it also added new complexities with Microsoft Live logins, the new App Store, and a UI many organizations are having a tough time adopting. And there’s still no least-privilege access to OS tasks and applications.

These problems not only plague the Windows desktop OS, but also are exaggerated on Windows Server since many of its daily maintenance functions require administrative privileges. Consider how meaningless RDP, MMC, or even the command prompt is without administrator privileges. It’s virtually impossible for non-administrators to properly maintain Windows Server, even with Power User capabilities.

The next obvious question is, “How do you enforce least-privilege policies on desktop and servers without sufficient OS tools?” The answer is PowerBroker for Windows.

The PowerBroker for Windows approach to least privilege

PowerBroker for Windows solves the least-privilege access problem on all of the above operating systems by requiring all users to log into the OS with standard user privileges. Users and/or computers can then operate with elevated privileges based on policies and rules hosted through either Active Directory Group Policy or the solution’s own web services. For example, if the user wants to add an ODBC connection or launch a program like AutoCAD (which both require administrative privileges), a rule is created to elevate the application, not the user, to perform the task.

It’s easy to create PowerBroker for Windows rules based on a myriad of variables such as publish, path, hash, and even known application vulnerabilities. The solution ships with an extensive rules library covering the most common applications and functions. It also includes the BeyondInsight IT Risk Management Console, which documents, reports and alerts on all legitimate and unauthorized privileged activity in your organization. In addition to the obvious analytics and reporting benefits, this has practical applications such as recording when applications are requesting elevated permissions for easy and consolidated rule creation.

Implementing Least Privilege on Windows is an achievable goal, but native tools won’t get you there. With PowerBroker for Windows, end users always operate with least privileges, and administrators can manage servers without needing local or domain credentials. It’s one thing to remove administrative rights when they are not needed. It’s another to allow specific access to applications and OS functions so users can perform their daily tasks in a safe computing environment. PowerBroker for Windows does just that!

> Learn more about PowerBroker for Windows
> Request a trial of PowerBroker for Windows

Wait, what about least privilege on non-Windows platforms?

If you rely on Mac and UNIX/Linux platforms over Windows, you do have it a little easier when it comes to least privilege. However, challenges still exist; for instance:

  • Mac OS X includes a model that protects key operating system functions and applications. For example, you can’t modify Time Machine, Users, or any security settings without administrative privileges. You can, however, change network settings and other sensitive areas as a standard user. There are ways to lock this down but, if administrative access is given to the command prompt, anything can be done just like root on UNIX or Linux. The model is cleaner than Windows, but it still lacks granular control – especially for programs where administrative access is required every time a session boots in bridged mode (e.g., VMware Fusion).
  • UNIX/Linux platforms offer by far the most granularity in least-privilege control, but they still falter for third-party applications. Sudo can assist, but managing files with Sudo is a daunting task for many larger organizations. In addition, managing scripts, third-party commands, etc. are not in the realm of the operating systems’ capabilities – much like Windows.

Need a least privilege solution for Mac and UNIX/Linux?

> Check out PowerBroker for UNIX & Linux
> Request a trial of PowerBroker for UNIX & Linux

Tags:
, , , , , , , ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,