Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Getting Least Privilege Right on Windows

Posted June 30, 2014    Morey Haber

gettingleastprivright-manandkeyWindows doesn’t make least privilege easy

Enforcing least-privilege access policies on Windows has never been easy – especially given some fundamental flaws have haunted the OS since the mid-1990s. Consider the following permissions issues:

  • Windows 95 and 98 had a logon screen and could even be joined to the domain, but users could bypass the prompt simply by pressing ESC.
  • Windows XP improved things a bit by requiring users to hit Ctrl-Alt-Del to login. However, even when privileges were limited to standard user, you could still create accounts from the command prompt and bypass security a dozen different ways. It’s good that XP is finally EOL.
  • Windows Vista introduced the infamous User Account Control (UAC) prompts for almost every common task. Most companies had to turn them off, but at least Microsoft fixed some backdoors.
  • Windows 7 fixed many of the above problems, but it contains no granularity for enforcing least-privilege access to OS functions and applications. This is the staple OS for the vast majority of businesses today.
  • Windows 8.x introduced the new UI and improved many security features. Unfortunately, it also added new complexities with Microsoft Live logins, the new App Store, and a UI many organizations are having a tough time adopting. And there’s still no least-privilege access to OS tasks and applications.

These problems not only plague the Windows desktop OS, but also are exaggerated on Windows Server since many of its daily maintenance functions require administrative privileges. Consider how meaningless RDP, MMC, or even the command prompt is without administrator privileges. It’s virtually impossible for non-administrators to properly maintain Windows Server, even with Power User capabilities.

The next obvious question is, “How do you enforce least-privilege policies on desktop and servers without sufficient OS tools?” The answer is PowerBroker for Windows.

The PowerBroker for Windows approach to least privilege

PowerBroker for Windows solves the least-privilege access problem on all of the above operating systems by requiring all users to log into the OS with standard user privileges. Users and/or computers can then operate with elevated privileges based on policies and rules hosted through either Active Directory Group Policy or the solution’s own web services. For example, if the user wants to add an ODBC connection or launch a program like AutoCAD (which both require administrative privileges), a rule is created to elevate the application, not the user, to perform the task.

It’s easy to create PowerBroker for Windows rules based on a myriad of variables such as publish, path, hash, and even known application vulnerabilities. The solution ships with an extensive rules library covering the most common applications and functions. It also includes the BeyondInsight IT Risk Management Console, which documents, reports and alerts on all legitimate and unauthorized privileged activity in your organization. In addition to the obvious analytics and reporting benefits, this has practical applications such as recording when applications are requesting elevated permissions for easy and consolidated rule creation.

Implementing Least Privilege on Windows is an achievable goal, but native tools won’t get you there. With PowerBroker for Windows, end users always operate with least privileges, and administrators can manage servers without needing local or domain credentials. It’s one thing to remove administrative rights when they are not needed. It’s another to allow specific access to applications and OS functions so users can perform their daily tasks in a safe computing environment. PowerBroker for Windows does just that!

> Learn more about PowerBroker for Windows
> Request a trial of PowerBroker for Windows

Wait, what about least privilege on non-Windows platforms?

If you rely on Mac and UNIX/Linux platforms over Windows, you do have it a little easier when it comes to least privilege. However, challenges still exist; for instance:

  • Mac OS X includes a model that protects key operating system functions and applications. For example, you can’t modify Time Machine, Users, or any security settings without administrative privileges. You can, however, change network settings and other sensitive areas as a standard user. There are ways to lock this down but, if administrative access is given to the command prompt, anything can be done just like root on UNIX or Linux. The model is cleaner than Windows, but it still lacks granular control – especially for programs where administrative access is required every time a session boots in bridged mode (e.g., VMware Fusion).
  • UNIX/Linux platforms offer by far the most granularity in least-privilege control, but they still falter for third-party applications. Sudo can assist, but managing files with Sudo is a daunting task for many larger organizations. In addition, managing scripts, third-party commands, etc. are not in the realm of the operating systems’ capabilities – much like Windows.

Need a least privilege solution for Mac and UNIX/Linux?

> Check out PowerBroker for UNIX & Linux
> Request a trial of PowerBroker for UNIX & Linux

, , , , , , , , ,

Leave a Reply

Additional articles

VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

, , , ,

Privileged Passwords: The Bane of Security Professionals Everywhere

Posted February 19, 2015    Dave Shackleford

Passwords have been with us since ancient times. Known as “watchwords”, ancient Roman military guards would pass a wooden tablet with a daily secret word engraved from one shift to the next, with each guard position marking the tablet to indicate it had been received. The military has been using passwords, counter-passwords, and even sound…

, , ,
Privileged Account Management Process

In Vulnerability Management, Process is King

Posted February 18, 2015    Morey Haber

You have a vulnerability scanner, but where’s your process? Most organizations are rightly concerned about possible vulnerabilities in their systems, applications, networked devices, and other digital assets and infrastructure components. Identifying vulnerabilities is indeed important, and most security professionals have some kind of scanning solution in place. But what is most essential to understand is…

, , , , ,