Tuesday, February 25, 2014
No, You Can't Have Local Admin!
Most of you know what I mean. I'm referring to the local administrator or root account on a system. When a person has local admin, they can access any part of the system, change or disable settings (including deactivating anti-malware or other security software), and, perhaps most importantly, install and run any software. This last item is probably the primary reason people request this level of access.
We're talking about Minimum Necessary... the idea that everyone should have exactly the level of access needed to do their job, and no more. In most, if not all, organizations, far more people have local admin than really need it.
Security vendor Avecto recently released a new study showing that over 90% of the most serious vulnerabilities in Microsoft software products in 2013 could have been mitigated by simply removing administrator rights. Put another way, this means that only your systems administrators were vulnerable to all of the most critical Microsoft software vulnerabilities! And these are the people who have the most access on your systems! Here are two good articles on the subject and here is a link to the full report.
Let's break this down...
Some people really need local admin to do their jobs. There's a good reason for this... and a bad reason.
The bad reason(s): Some people choose to install software they'd like to use, when this is not part of their job. It's a want, not a need. If there is a business need then people should work through their help desk or support team.
A second bad reason is that some software vendors write poor software that requires a person to have local admin access to run it. That's just the vendor using poor techniques or cutting corners. The correct solution is to make the vendor fix their stuff, or find a different vendor. If that won't work then there are tools that can allow a user to run software as a privileged user without actually being admin. Beyond Trust, CyberArk and Avecto have such tools (I'm not endorsing any of them but list them here as examples), and Windows 7 has some capability.
The good reason for a person to have local admin is if they are either a systems administrator or a software developer. But there is a right and a wrong way to provide this access.
The correct method is to provide these users with two accounts, one with standard access and one with admin access. Only when they are doing work that requires admin access should they use the admin account. The admin account should never be used for reading email or web surfing. The fallout from visiting a malicious webpage, clicking a dangerous link or opening a malicious email attachment is magnified when done by an administrator using their admin credentials. And the ramifications of a mistake are similarly increased.
A systems administrator can usually log in to a system with their standard account, elevate privilege to their admin account, complete their admin work, then log out. Using this method also provides a good audit trail so that if something adverse happens on a system, the logs will show what the admin did and did not do.
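Before you can enforce the two-account model you need to know who actually holds local admin on each workstation. The following PowerShell script is an added example (not from the original post): it lists the local Administrators group, compares it against an approved list, and flags anything else. It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember, an elevated prompt, and that the approved names and the "-adm" suffix convention for separate admin accounts are placeholders you replace with your own.

```powershell
<#
 Added example, not code from the original post.
 Audits the local Administrators group on a Windows host and reports any
 member that is not on an approved list.
 Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) run from an elevated
 prompt. Approved names and the "-adm" suffix are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]] $Approved = @(
        "$env:COMPUTERNAME\Administrator",  # built-in account (placeholder)
        'CORP\Domain Admins',               # placeholder domain group
        'CORP\svc-mgmt'                     # placeholder management service account
    ),
    [string] $AdminSuffix = '-adm',         # placeholder naming convention for 2nd accounts
    [switch] $Remediate                     # remove unexpected members (honours -WhatIf)
)

$members = Get-LocalGroupMember -Group 'Administrators'

$findings = foreach ($m in $members) {
    $ok = $Approved -contains $m.Name
    # A user account following the admin-account naming convention is the
    # "two accounts" model described above; a plain user account is not.
    $looksLikeAdminAccount = ($m.ObjectClass -eq 'User') -and ($m.Name -like "*$AdminSuffix")
    [pscustomobject]@{
        Name   = $m.Name
        Class  = $m.ObjectClass
        Source = $m.PrincipalSource
        Status = if ($ok) { 'approved' }
                 elseif ($looksLikeAdminAccount) { 'review' }
                 else { 'UNEXPECTED' }
    }
}

$findings | Sort-Object Status | Format-Table -AutoSize

$unexpected = @($findings | Where-Object Status -eq 'UNEXPECTED')
if ($Remediate) {
    foreach ($u in $unexpected) {
        # ShouldProcess means -WhatIf shows the change without making it
        if ($PSCmdlet.ShouldProcess($u.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $u.Name
        }
    }
}
# Non-zero exit code makes this usable as a scheduled or config-management check
exit ([int]($unexpected.Count -gt 0))
```

Run it without switches to get a report only; add -Remediate -WhatIf to preview removals before committing to them.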
Software developers pose an additional challenge. They often need to do far more work using admin credentials. My take is that I don't want people running server-class software with admin credentials on the same part of the network as all the users' workstations. This is unnecessary risk. My preferred solution is to segregate the developers in their own area, via VLANs or, even better, have them use virtual servers similarly segregated.
What do you think? Do you limit local admin access in your organization? What methods do you use to limit local admin or mitigate the risks?