BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Getting Least Privilege Right on Windows

Posted June 30, 2014    Morey Haber

gettingleastprivright-manandkeyWindows doesn’t make least privilege easy

Enforcing least-privilege access policies on Windows has never been easy – especially given some fundamental flaws have haunted the OS since the mid-1990s. Consider the following permissions issues:

  • Windows 95 and 98 had a logon screen and could even be joined to the domain, but users could bypass the prompt simply by pressing ESC.
  • Windows XP improved things a bit by requiring users to hit Ctrl-Alt-Del to login. However, even when privileges were limited to standard user, you could still create accounts from the command prompt and bypass security a dozen different ways. It’s good that XP is finally EOL.
  • Windows Vista introduced the infamous User Account Control (UAC) prompts for almost every common task. Most companies had to turn them off, but at least Microsoft fixed some backdoors.
  • Windows 7 fixed many of the above problems, but it contains no granularity for enforcing least-privilege access to OS functions and applications. This is the staple OS for the vast majority of businesses today.
  • Windows 8.x introduced the new UI and improved many security features. Unfortunately, it also added new complexities with Microsoft Live logins, the new App Store, and a UI many organizations are having a tough time adopting. And there’s still no least-privilege access to OS tasks and applications.

These problems not only plague the Windows desktop OS, but also are exaggerated on Windows Server since many of its daily maintenance functions require administrative privileges. Consider how meaningless RDP, MMC, or even the command prompt is without administrator privileges. It’s virtually impossible for non-administrators to properly maintain Windows Server, even with Power User capabilities.

The next obvious question is, “How do you enforce least-privilege policies on desktop and servers without sufficient OS tools?” The answer is PowerBroker for Windows.

The PowerBroker for Windows approach to least privilege

PowerBroker for Windows solves the least-privilege access problem on all of the above operating systems by requiring all users to log into the OS with standard user privileges. Users and/or computers can then operate with elevated privileges based on policies and rules hosted through either Active Directory Group Policy or the solution’s own web services. For example, if the user wants to add an ODBC connection or launch a program like AutoCAD (which both require administrative privileges), a rule is created to elevate the application, not the user, to perform the task.

It’s easy to create PowerBroker for Windows rules based on a myriad of variables such as publish, path, hash, and even known application vulnerabilities. The solution ships with an extensive rules library covering the most common applications and functions. It also includes the BeyondInsight IT Risk Management Console, which documents, reports and alerts on all legitimate and unauthorized privileged activity in your organization. In addition to the obvious analytics and reporting benefits, this has practical applications such as recording when applications are requesting elevated permissions for easy and consolidated rule creation.

Implementing Least Privilege on Windows is an achievable goal, but native tools won’t get you there. With PowerBroker for Windows, end users always operate with least privileges, and administrators can manage servers without needing local or domain credentials. It’s one thing to remove administrative rights when they are not needed. It’s another to allow specific access to applications and OS functions so users can perform their daily tasks in a safe computing environment. PowerBroker for Windows does just that!

> Learn more about PowerBroker for Windows
> Request a trial of PowerBroker for Windows

Wait, what about least privilege on non-Windows platforms?

If you rely on Mac and UNIX/Linux platforms over Windows, you do have it a little easier when it comes to least privilege. However, challenges still exist; for instance:

  • Mac OS X includes a model that protects key operating system functions and applications. For example, you can’t modify Time Machine, Users, or any security settings without administrative privileges. You can, however, change network settings and other sensitive areas as a standard user. There are ways to lock this down but, if administrative access is given to the command prompt, anything can be done just like root on UNIX or Linux. The model is cleaner than Windows, but it still lacks granular control – especially for programs where administrative access is required every time a session boots in bridged mode (e.g., VMware Fusion).
  • UNIX/Linux platforms offer by far the most granularity in least-privilege control, but they still falter for third-party applications. Sudo can assist, but managing files with Sudo is a daunting task for many larger organizations. In addition, managing scripts, third-party commands, etc. are not in the realm of the operating systems’ capabilities – much like Windows.

Need a least privilege solution for Mac and UNIX/Linux?

> Check out PowerBroker for UNIX & Linux
> Request a trial of PowerBroker for UNIX & Linux

Tags:
, , , , , , , , ,

Leave a Reply

Additional articles

Sudo_logo

Don’t Create a Different sudoers File for Each System

Posted May 20, 2015    Randy Franklin Smith

What if you have multiple Linux and/or Unix systems? Sudo management can become onerous and unwieldy if you try to manage a different sudoers file on each system. The good news is that sudo supports multiple systems.

password-safety

What Does Microsoft Local Administrator Password Solution Really Do?

Posted May 19, 2015    Morey Haber

LAPS is a feature that allows the randomization of local administrator accounts across the domain. Although it would seem that this capability overlaps with features in BeyondTrust’s PowerBroker Password Safe (PBPS), the reality is it is more suited for simple use cases such as changing the local Windows admin account and not much more.

Tags:
, ,
webinar_ondemand

On Demand Webinar: Securing Windows Server with Security Compliance Manager

Posted May 14, 2015    BeyondTrust Software

On Demand Webinar: Security Expert Russell Smith, explains how to use Microsoft’s free Security Compliance Manager (SCM) tool to create and deploy your own security baselines, including user and computer authentication settings.

Tags:
, ,