End-users with admin-level access put your network security at risk

Granting end-users elevated-access accounts yields security risks -- but there are tactics to reduce the threat

For at least 10 years now, security experts have been saying that the No. 1 way to reduce security risks on the local desktop is to prevent users from using admin or root-level accounts when not performing admin tasks. Unfortunately, plenty of IT admins still find themselves working at organizations where, for whatever reasons, end-users enjoy elevated access, which opens the door to malware and malicious attacks.

If you find yourself in that situation and fret over the safety of your exposed systems, take heart: There are ways to decrease the risks.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

First, it never hurts to run the latest operating system and software. If you have Windows 7, logged-in elevated users are given a demoted security access token by default because of the User Account Control feature. They must grant consent or type in a password to perform administrative tasks. UAC stands between a large amount of silent, drive-by attacks and easily success. (I am, by the way, a full-time Microsoft employee.)

All the latest versions of Linux, Unix, and OS X use some similar features. Users are not given elevated security by default and must use sudo (switch user) or a related feature to gain root access. Further, the latest operating systems contain dozens to hundreds of upgraded security features that the older versions do not.

The same goes for your applications, especially browser add-ons; you should be running the latest versions for the exact same reasons. And of course, your operating systems and applications should be fully patched.

I'm also a big fan of application control programs, such as Bit9's Parity, McAfee's Application Control (formerly Solidcore), or Microsoft's AppLocker. Defining (that is, whitelisting) which applications and processes can run and denying the rest is the single best security defense you can implement. Unfortunately, holistic whitelisting is difficult to put in place. Taking away users' freedom to install and run whatever they want is political suicide in many environments.

Still, if you can do it -- full senior management support will be required -- you not only decrease security risk, you'll also minimize total cost of ownership. Locked-down desktops have few support issues since users aren't installing buggy, unapproved apps, slowing down their systems, and throwing up blue screens all the time. Plus, they require less troubleshooting and fewer rebuilds.

Privilege managers, such as BeyondTrust's PowerBroker (previously named Privilege Manager) allow admins to define what programs can run in elevated contexts. Unlike Windows UAC or Linux's sudo, privilege managers can also run in reverse: They enable most programs to run in elevated contexts, but they also enable the demotion of high-risk programs, such as browsers and email programs.

1 2 Page 1
New! Download the State of Cybercrime 2017 report