BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Least Privilege Legacy Apps and the Desktop “Wild West”: Part 4

Posted February 2, 2011    Peter McCalister

This week we report the conclusions of our recent survey of 185 IT Administrators and Help Desk Operatives, in a report Legacy Applications and Least Privilege Access Management’  – which reveals the way legacy apps leave Windows desktop environments unnecessarily exposed to attack from malware, as well as providing an open door to insider threats.

Perhaps most the most revealing insight from our survey, was that while we knew legacy apps like Sage and Quickbooks, caused problems for IT Admins with over privileged users, we hadn’t anticipated just how many others there were.  When survey respondents were invited to name which legacy applications they were nominating when selecting ‘Other’ they revealed over 50 different applications, from the understandable (company needs it to run it’s business) to the complete absurd (company doesn’t need it to run it’s business, and would violate compliance requirements if found with it.)

Notable examples include:

  • Old Mainframe applications.
  • Software used for running an office (printer drivers) or the desktop itself (defragmentor)
  • Third party point of sale software provided to retailers.
  • Adobe and Flash software.
  • Respondents from industries such as oil, automotive, and chemical cited technical applications which, although used by a handful of employees, still enforce the entire desktop to be set to administrator or super user status.
  • Applications downloaded by individual employees from the web to help them do their job better: for example, financial trading software.
  • Applications downloaded and installed by employees for their own entertainment, including: iPhone applications, and in one instance, a Golf Course Game Application.

Indeed, this paints a revealing picture of enterprise desktop environments today: they are littered with applications, each of which requires different configuration settings for different users, and makes effective access management practically impossible.

Not surprisingly, many respondents said they had too many legacy applications to mention.  Indeed, is it any wonder that today IT Admins consider desktops the “Wild West,” not just because of the overwhelm of managing access to multiple applications, but also because they never know what they were going to encounter on a user’s workstation.  One desktop manager, reported: “We have limited control on what the end user can install and change on a desktop, and in many cases we have limited awareness of changes being made. In most cases it’s too late if a user installs malware and adware, leaving our desktop resources left fire-fighting problems.”

Fortunately, the fault is not the legacy applications.  Business need not give up the applications they need to run business as usual.  The fault is the lack of awareness of just how easy it is to automate the elevation of privilege user access at a granular level, based on the role definition of each employee.

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,