
Top 5 Things to Know About Administrator Rights and Security

Ask any Windows administrator or security professional and you will find widespread support for
locking down PCs by removing users’ administrative privileges. Why then have so many IT organizations
been unable to implement better controls in their desktop environments? The truth is that removing
admin rights is only one part of an application control solution.

1 The difference between an administrator and a standard user

When users log into a Windows computer, they can either log in with administrator rights or standard user rights. Administrator rights allow users the ability to make wide changes to the computer, including creating or deleting accounts and changing account types and passwords. Most importantly, administrator rights allow users the freedom to install any software they wish. A standard user is granted no special privileges and does not have administrative control over the computer.

The “Principle of Least Privilege” that has been widely adopted by organizations as a security best practice restricts standard user privileges to only those necessary to perform certain job functions. In a Windows Least Privilege environment, administrators have control of installs on standard user’s computers and often times network resources as well.

2 Admin rights are used by malicious hackers

Administrator rights are exploited by unauthorized users, hackers, and malware to compromise computer systems by altering standard desktop images, changing security settings, or installing unauthorized software. By removing administrator rights from users and granting only the minimum privileges necessary for the performance of an authorized task, a company can limit the damage that can result from a security breach or malicious user. But removing admin rights is not effective against all the varied attacks that are in the wild today.

For instance, there has been an increase in zero-day, “Advanced Persistent Threat” attacks that seek out admin rights credentials and then use them to escalate privileges and install malware to steal sensitive information.

3 Removing admin rights can impede user’s work

Removing admin rights can limit a user’s ability to open emails, change settings, or even start their computer. If users are unable to continue to do the work they need to do, there will be complaints, and it will require the IT staff to spend a lot of time addressing the problems that arise.

Removing privileged accounts can be problematic because, depending on the organization, any number of legacy or custom-built applications can only be accessed with administrator rights.

In addition, many vendors release software which requires admin rights to install. As a result, a company either refuses to use the major software packages in the market (including those by Microsoft), or the company develops costly procedures to submit requests for installations, updates, removals, etc.

While it is tempting to establish policies that restrict software installation, by doing so, you can defeat the very reason that computers were brought into the company—to accomplish work efficiently.

• Users who have a real business need to install applications to do their jobs won’t have that right, which hampers creativity and exposure to new resources.
• Without sufficient permissions, a user would not even be able to install basic work necessities such as a print driver. Many basic applications will not run without an elevated set of permissions.
• Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It’s nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.

4 Running users as “standard users” does not prevent them from installing and running unknown applications

A typical first approach that administrators take in securing workstations is to set the NTFS permissions on the workstation’s hard drive so that users have only the minimum necessary set of permissions. Although it is always a good idea to give users minimum permissions, this technique by itself is completely ineffective in regard to preventing users from installing or executing unauthorized software.

One major issue with relying solely on user rights restrictions is that a user has to have rights to their profile directory. A profile directory stores a user’s documents and all of their user-specific application settings. Since a profile is a required part of Windows, and a user has to have rights to their profile directory, a user could place an executable file into their profile directory and run it from there.

There are ways around some of these profile-related security issues. Administrators could redirect a profile so that it is stored on a server rather than on each individual workstation. Once the profile folders have been redirected, different administrator utilities can search profile folders for unauthorized executables.

Another option is to implement mandatory profiles. Mandatory profiles are designed so that any changes that a user makes to their profile directory are automatically overwritten with a clean and pristine copy of an approved profile when a user logs off.

Despite these tools, profile redirection or mandatory profiles will not completely prevent users from running unauthorized software. Regardless of where a profile is located, a user must still have write permissions to it in order for applications to function correctly. In the case of a mandatory profile, a user can write to a local copy of the mandatory profile, and that copy is later overwritten by a clean copy of the mandatory profile when the user logs out. While a user is logged in though, they have write access to their profile directory.

To see why this is a problem, think about the way Internet Explorer works. When a user visits a Web page, the contents of that page (HTML code, images, etc.) are downloaded to a cache directory. If a user happened to visit a malicious Web page, any malware that might exist on the page is also written to the cache directory, where it would then be executed. If the user had a mandatory profile, the contents of the profile directory would eventually be overwritten, but by that time the problem downloads have already occurred.

In terms of IT management, NTFS permissions policies lack a centralized management component, meaning that there is no ‘big picture’ of organization users available. Microsoft does not offer a built-in console that allows you to set NTFS permissions across all of your workstations. Even if they did, performing blanket lockdowns at the NTFS level could make it difficult to install new applications or software patches.

5 Application Whitelisting is a gentler form of “lockdown”

Application Whitelisting solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that’s detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can centrally monitor all workstations.

In addition to security protection, Application Whitelisting solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use Application Whitelisting solutions:

• To ensure that unlicensed software isn’t being used
• To manage known PC configurations so that enterprise software is easier to deploy and maintain
• To restrict users from running software that could be detrimental to enterprise systems or the network
• To prevent users from adding applications that will require increased support and cost, and
• To prevent users from visiting a malicious Web site and inadvertently executing zero-day attacks, such as Operation Aurora or Zeus.
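
Section 4 mentions administrator utilities that search profile folders for unauthorized executables. The PowerShell below is an added illustration of such a check, not code from this paper or from any Bit9 product. The profile root, the approved-hash file (one SHA-256 per line) and the output file name are all assumptions.

```powershell
# Added example: report executables under a profile root that are not on an approved list.
# $ProfileRoot, $ApprovedHashFile and the CSV name are hypothetical; adjust for your environment.
param(
    [string]$ProfileRoot = 'C:\Users',
    [string]$ApprovedHashFile = '.\approved-sha256.txt'
)

function Test-PeHeader {
    # True when the file begins with the "MZ" magic bytes, whatever its extension is.
    param([string]$Path)
    try { $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite') }
    catch { return $false }    # locked or unreadable files are skipped
    try {
        $buf = New-Object byte[] 2
        return ($stream.Read($buf, 0, 2) -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $stream.Dispose() }
}

function Find-UnapprovedExecutable {
    param([string]$Root, [string[]]$ApprovedHashes)
    # Case-insensitive set so hex hashes match regardless of letter case.
    $approved = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $ApprovedHashes) { if ($h) { [void]$approved.Add($h.Trim()) } }

    # -Force includes hidden folders such as AppData and browser cache directories.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-PeHeader $_.FullName } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and -not $approved.Contains($hash)) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = $hash
                    Owner     = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                    Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                    Modified  = $_.LastWriteTimeUtc
                }
            }
        }
}

$approvedHashes = if (Test-Path -LiteralPath $ApprovedHashFile) { Get-Content -LiteralPath $ApprovedHashFile } else { @() }
Find-UnapprovedExecutable -Root $ProfileRoot -ApprovedHashes $approvedHashes |
    Export-Csv -Path '.\unapproved-executables.csv' -NoTypeInformation
```

A scan like this only reports what is on disk at the time it runs, which is the limitation section 4 describes: the user can still write to and run from the profile directory between scans.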

266 Second Avenue Waltham, MA 02451 USA
P +1.617.393.7400 F +1.617.393.7499
www.bit9.com

Copyright © 2010 Bit9, Inc. All Rights Reserved. Bit9, Inc., Automatic Graylists, FileAdvisor, Find File, Parity, and ParityCenter are trademarks or registered trademarks of Bit9, Inc. All other names and trademarks
are the property of their respective owners. Bit9 reserves the right to change product specifications or other product information without notice.