BeyondTrust
Heise The Register
Death of the super-user – how least privilege tamed Windows

Containing application risk: a conceptual overview of controlling apps, privileges and users without murdering the organisation

The super user is dead and what killed it is the rise of something called least privilege. The concept behind this term is disarmingly easy to summarise: users should always access any computing system with the fewest privileges they need to do their jobs.

The principle can apply to any computing environment but for most organisations its main purpose is to control the activity of Windows desktop and server users by restricting them to the standard user state. Doing this offers an inviting list of easy security wins:

  • Standard user accounts can’t install or uninstall applications, which means no rogue software opening ports to the network

  • They can’t mess with important default settings that would otherwise require admin time to fix, for example deleting system files or printer queues

  • They help sandbox attackers or malware in the event of an account compromise, since many software exploits require privileges to attack systems

Least privilege is sometimes interpreted to be a way of stopping ordinary Windows users from doing daft or risky things but the rule also applies to IT staff when they are not doing something that requires an admin-level account: least privilege should be the default state for every network user regardless of who they are.
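The two checks an administrator would run first to see how far a Windows endpoint is from the standard-user state described above, as an added PowerShell example (not code from the article or from BeyondTrust): is this session elevated, and who actually holds local administrator rights? It uses only built-in cmdlets (Get-LocalGroupMember ships with Windows 10 / Server 2016 and later); the CONTOSO group names in the approved list are assumptions for the example.

```powershell
# Added example, not code from the article or from BeyondTrust: a quick
# least-privilege audit of the endpoint the script runs on. The approved
# account names below are assumptions; substitute your own.

function Test-IsElevated {
    # True when the current token carries the Administrators role, i.e. this
    # shell is not running in the standard-user state.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminDrift {
    param(
        # Principals allowed to hold local admin rights on this host.
        # Hypothetical domain and group names for the example.
        [string[]]$Approved = @(
            "$env:COMPUTERNAME\Administrator",
            'CONTOSO\Domain Admins',
            'CONTOSO\Workstation Admins'
        )
    )
    # Every member of the local Administrators group, flagged if unexpected.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        [pscustomobject]@{
            Name            = $member.Name
            ObjectClass     = $member.ObjectClass      # User or Group
            PrincipalSource = $member.PrincipalSource  # Local, ActiveDirectory, ...
            Approved        = ($Approved -contains $member.Name)
        }
    }
}

# Usage: warn if the shell itself is elevated, then list any drift.
if (Test-IsElevated) {
    Write-Warning 'This session is elevated; day-to-day work should run as a standard user.'
}
$drift = Get-LocalAdminDrift | Where-Object { -not $_.Approved }
if ($drift) {
    Write-Output 'Unexpected members of local Administrators:'
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group matches the approved list.'
}
```

Run it under a standard-user account and it will still enumerate the group (membership is readable without elevation); the point is that the list should be short and entirely expected, including for IT staff's everyday accounts.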

It sounds like an open and shut case but unfortunately there are some drawbacks too.

In any organisation, there are going to be times when it is necessary for users to elevate privileges to administrator level, and there must be some way of doing this. Examples of the need for more advanced privileges include accessing certain network resources, running legacy software coded to assume admin rights and occasionally (yes!) to install a useful or new software application that might increase productivity.

Limiting users, then, isn’t simply about stopping something from happening on a computer but an organisational and business issue of how employees relate to an organisation’s resources.

It’s an issue that Windows has struggled with historically. Launched in 2001, Windows XP had administrator and standard user (least privilege) accounts but, incredibly, the former was the default because it made life easy. Windows Vista overhauled this madness in 2007 with something called User Account Control (UAC), supposedly a way for a standard user account (now the default) to elevate privileges only when that was necessary. Users could magically exist in both worlds.

Problems soon appeared. Applications kept asking users to elevate privileges to perform basic actions, which left users baulked and admins bombarded by permission requests. Which ones were legitimate and which weren’t? Who knew. Help desks found themselves allowing more actions by default which ate away at the point of least privilege.

Windows and UAC have improved hugely since then, but it was clear that organisations needed to get the maximum benefit from least privilege whilst exposing the minimum attack surface. Windows had to remain productive but also secure, without these becoming mutually exclusive states.

Least privilege upgrade

In the years since Vista and Windows 7, a new generation of privilege management platforms has emerged to more comprehensively regulate how desktop computer users (including non-Windows users) request elevated rights to move between the standard and admin states.

While most of these started as a means of brokering and streamlining requests for elevated privileges, they have rapidly evolved into more complex application control and endpoint security systems that also block unauthorised software while attempting to sandbox ransomware, phishing attacks and even zero-day attacks.

Platforms (which typically integrate with Active Directory so that policies can be applied to groups) will offer a range of features in a layered approach:

Application and account inventory allows privilege management to enter a discovery mode to audit the applications running on endpoints and how they are being used by different account types. This is necessary to start designing privilege policies that won’t end up being overly restrictive.

Whitelisting is where applications are divided into ones that can run (the whitelist), those which can’t (the blacklist), and those which must be assessed by policy (the grey list). Apps and scripts will always run in standard mode by default with admin rights granted to perform specific tasks and not entrusted to individuals.

Helpdesk overheads can be minimised with streamlined applications and privilege policies and customised (i.e. user-friendly) UAC prompts where these prove necessary.

Automatic rule generation routines let users elevate privileges for common application interfaces such as Adobe or WebEx (Java) for defined periods of time without tripping a UAC prompt. These can be defined in a granular way, for example only for certain groups within AD.

Vulnerability-based assessment (offered by BeyondTrust in its PowerBroker system) allows applications to be disallowed based on software vulnerabilities fed to it from a separate database in real time.

Endpoint security implemented through agents on the PC is a more recent feature designed to integrate anti-malware functions such as sandboxing within privilege management. An obvious question is why organisations would care about this layer when they already run anti-virus. The answer is perhaps that AV is reactive whereas sandboxing assumes no trust.

Analytics and reporting is essential to create an audit trail of privilege elevation and application events, potentially feeding into a SIEM system. This could be thought of as being like another layer of user and account monitoring that helps meet regulatory requirements such as PCI DSS and SOX.
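The whitelist / blacklist / grey-list split, the vulnerability-based gate and the audit trail described in the feature list above, combined into one toy policy evaluator. This is an added PowerShell example, not BeyondTrust's PowerBroker code or anything from the article: the policy table, the vulnerability feed, the inventory records, the CONTOSO user and the SHA-256 values are all constructed placeholders, and the evaluation order (hard blocks, then vulnerability gate, then trust signals) is one reasonable design, not a description of any product.

```powershell
# Added example, not BeyondTrust's or the article's code: a toy allow / deny /
# grey-list evaluator of the kind the layered platforms above implement.
# Policy, vulnerability feed and inventory are constructed sample data.

$Policy = @{
    # Publishers whose signed binaries may run, and be elevated, without a prompt.
    TrustedPublishers = @('Microsoft Corporation', 'Adobe Inc.')
    # Locations a standard user can write to: nothing launched from here is auto-allowed.
    UserWritablePaths = @('C:\Users\', 'C:\ProgramData\Temp\')
    # Explicit blacklist by SHA-256 (placeholder value, 64 hex chars).
    BlockedHashes     = @(('1' * 64))
}

# Constructed vulnerability feed: product name -> highest known CVSS score.
$VulnFeed = @{ 'LegacyReportViewer' = 9.1 }

function Resolve-AppPolicy {
    param([pscustomobject]$App, [hashtable]$Policy, [hashtable]$VulnFeed)
    # Evaluation order: hard blocks, then the vulnerability gate, then trust signals.
    if ($Policy.BlockedHashes -contains $App.Sha256) {
        return [pscustomobject]@{ Decision = 'Deny'; Elevate = $false; Reason = 'hash on blacklist' }
    }
    if ($VulnFeed.ContainsKey($App.Product) -and $VulnFeed[$App.Product] -ge 7.0) {
        $score = $VulnFeed[$App.Product]
        return [pscustomobject]@{ Decision = 'Deny'; Elevate = $false; Reason = "known vulnerability, CVSS $score" }
    }
    $fromUserPath = $false
    foreach ($prefix in $Policy.UserWritablePaths) {
        if ($App.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $fromUserPath = $true }
    }
    if ($App.Signed -and ($Policy.TrustedPublishers -contains $App.Publisher) -and -not $fromUserPath) {
        # Whitelisted: admin rights go to the task, not the person, and only when needed.
        return [pscustomobject]@{ Decision = 'Allow'; Elevate = $App.NeedsAdmin; Reason = 'trusted publisher, protected path' }
    }
    # Grey list: runs as a standard user; any elevation needs a policy or helpdesk decision.
    return [pscustomobject]@{ Decision = 'Assess'; Elevate = $false; Reason = 'unsigned, untrusted publisher or user-writable path' }
}

function ConvertTo-AuditEvent {
    # One JSON line per decision, shaped for forwarding to a SIEM.
    param([string]$User, [pscustomobject]$App, [pscustomobject]$Result)
    [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Host      = $env:COMPUTERNAME
        User      = $User
        Process   = $App.Path
        Sha256    = $App.Sha256
        Decision  = $Result.Decision
        Elevated  = $Result.Elevate
        Reason    = $Result.Reason
    } | ConvertTo-Json -Compress
}

# Constructed inventory, as a discovery pass might produce it (hashes are placeholders).
$Inventory = @(
    [pscustomobject]@{ Product = 'Acrobat'; Publisher = 'Adobe Inc.'; Signed = $true; NeedsAdmin = $true
                       Path = 'C:\Program Files\Adobe\Acrobat\Acrobat.exe'; Sha256 = ('a' * 64) }
    [pscustomobject]@{ Product = 'LegacyReportViewer'; Publisher = 'Contoso Ltd'; Signed = $true; NeedsAdmin = $true
                       Path = 'C:\Program Files\Contoso\ReportViewer.exe'; Sha256 = ('b' * 64) }
    [pscustomobject]@{ Product = 'Acrobat Setup'; Publisher = 'Adobe Inc.'; Signed = $true; NeedsAdmin = $true
                       Path = 'C:\Users\jdoe\Downloads\setup.exe'; Sha256 = ('c' * 64) }
    [pscustomobject]@{ Product = 'UnknownTool'; Publisher = ''; Signed = $false; NeedsAdmin = $false
                       Path = 'C:\ProgramData\Temp\tool.exe'; Sha256 = ('1' * 64) }
)

foreach ($app in $Inventory) {
    $result = Resolve-AppPolicy -App $app -Policy $Policy -VulnFeed $VulnFeed
    ConvertTo-AuditEvent -User 'CONTOSO\jdoe' -App $app -Result $result
}
```

With this sample data the four records come out as Allow (elevated), Deny (vulnerability), Assess (trusted publisher but launched from a user-writable folder) and Deny (blacklisted hash). Note that the grey-list outcome is the interesting one for the helpdesk overheads discussed above: it is the case that needs a policy rule or a customised prompt rather than a blanket yes.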

It’s clear from these headings that in the last decade the humble concept of least privilege has set off a fundamental overhaul of the way enterprises think about application security. In the old user-centric model, people were simply handed privileges. These are now awarded on the basis of application risk rather than assumptions about which users can be trusted.

In short, desktop computers can be locked down. This is wise and necessary – every statistic on cyber-attacks underlines how vulnerable they are. Numerous attacks start at this layer of the network.

Equally, it points to a much more complex world. Adding privilege management can be an expensive and complex undertaking that might turn out to be overkill for some organisations. Even so, the challenge remains to implement least privilege in some form.
