BeyondTrust

Security in Context: The BeyondTrust Blog


Getting Least Privilege Right on Windows

Posted June 30, 2014    Morey Haber

Windows doesn’t make least privilege easy

Enforcing least-privilege access policies on Windows has never been easy – especially given that some fundamental flaws have haunted the OS since the mid-1990s. Consider the following permissions issues:

  • Windows 95 and 98 had a logon screen and could even be joined to the domain, but users could bypass the prompt simply by pressing ESC.
  • Windows XP improved things a bit by requiring users to hit Ctrl-Alt-Del to log in. However, even when privileges were limited to standard user, you could still create accounts from the command prompt and bypass security a dozen different ways. It’s good that XP is finally EOL.
  • Windows Vista introduced the infamous User Account Control (UAC) prompts for almost every common task. Most companies had to turn them off, but at least Microsoft fixed some backdoors.
  • Windows 7 fixed many of the above problems, but it contains no granularity for enforcing least-privilege access to OS functions and applications. This is the staple OS for the vast majority of businesses today.
  • Windows 8.x introduced the new UI and improved many security features. Unfortunately, it also added new complexities with Microsoft Live logins, the new App Store, and a UI many organizations are having a tough time adopting. And there’s still no least-privilege access to OS tasks and applications.

These problems not only plague the Windows desktop OS but are also exacerbated on Windows Server, since many of its daily maintenance functions require administrative privileges. Consider how meaningless RDP, MMC, or even the command prompt is without administrator privileges. It’s virtually impossible for non-administrators to properly maintain Windows Server, even with Power User capabilities.

The next obvious question is, “How do you enforce least-privilege policies on desktop and servers without sufficient OS tools?” The answer is PowerBroker for Windows.

The PowerBroker for Windows approach to least privilege

PowerBroker for Windows solves the least-privilege access problem on all of the above operating systems by requiring all users to log into the OS with standard user privileges. Users and/or computers can then operate with elevated privileges based on policies and rules hosted through either Active Directory Group Policy or the solution’s own web services. For example, if the user wants to add an ODBC connection or launch a program like AutoCAD (which both require administrative privileges), a rule is created to elevate the application, not the user, to perform the task.

It’s easy to create PowerBroker for Windows rules based on a myriad of variables such as publisher, path, hash, and even known application vulnerabilities. The solution ships with an extensive rules library covering the most common applications and functions. It also includes the BeyondInsight IT Risk Management Console, which documents, reports and alerts on all legitimate and unauthorized privileged activity in your organization. In addition to the obvious analytics and reporting benefits, this has practical applications such as recording when applications request elevated permissions, for easy and consolidated rule creation.

Implementing Least Privilege on Windows is an achievable goal, but native tools won’t get you there. With PowerBroker for Windows, end users always operate with least privileges, and administrators can manage servers without needing local or domain credentials. It’s one thing to remove administrative rights when they are not needed. It’s another to allow specific access to applications and OS functions so users can perform their daily tasks in a safe computing environment. PowerBroker for Windows does just that!

> Learn more about PowerBroker for Windows
> Request a trial of PowerBroker for Windows

Wait, what about least privilege on non-Windows platforms?

If you rely on Mac and UNIX/Linux platforms over Windows, you do have it a little easier when it comes to least privilege. However, challenges still exist; for instance:

  • Mac OS X includes a model that protects key operating system functions and applications. For example, you can’t modify Time Machine, Users, or any security settings without administrative privileges. You can, however, change network settings and other sensitive areas as a standard user. There are ways to lock this down but, if administrative access is given to the command prompt, anything can be done just like root on UNIX or Linux. The model is cleaner than Windows, but it still lacks granular control – especially for programs where administrative access is required every time a session boots in bridged mode (e.g., VMware Fusion).
  • UNIX/Linux platforms offer by far the most granularity in least-privilege control, but they still falter for third-party applications. Sudo can assist, but managing files with Sudo is a daunting task for many larger organizations. In addition, managing scripts, third-party commands, etc. is not in the realm of the operating systems’ capabilities – much like Windows.

Need a least privilege solution for Mac and UNIX/Linux?

> Check out PowerBroker for UNIX & Linux
> Request a trial of PowerBroker for UNIX & Linux
