End-users with admin-level access put your network security at risk

Granting end-users elevated-access accounts yields security risks -- but there are tactics to reduce the threat

For at least 10 years now, security experts have been saying that the No. 1 way to reduce security risks on the local desktop is to prevent users from using admin or root-level accounts when not performing admin tasks. Unfortunately, plenty of IT admins still find themselves working at organizations where, for whatever reasons, end-users enjoy elevated access, which opens the door to malware and malicious attacks.

If you find yourself in that situation and fret over the safety of your exposed systems, take heart: There are ways to decrease the risks.

First, it never hurts to run the latest operating system and software. If you have Windows 7, logged-in elevated users are given a demoted security access token by default because of the User Account Control feature. They must grant consent or type in a password to perform administrative tasks. UAC stands between a large amount of silent, drive-by attacks and easily success. (I am, by the way, a full-time Microsoft employee.)

All the latest versions of Linux, Unix, and OS X use some similar features. Users are not given elevated security by default and must use sudo (switch user) or a related feature to gain root access. Further, the latest operating systems contain dozens to hundreds of upgraded security features that the older versions do not.

The same goes for your applications, especially browser add-ons; you should be running the latest versions for the exact same reasons. And of course, your operating systems and applications should be fully patched.

I'm also a big fan of application control programs, such as Bit9's Parity, McAfee's Application Control (formerly Solidcore), or Microsoft's AppLocker. Defining (that is, whitelisting) which applications and processes can run and denying the rest is the single best security defense you can implement. Unfortunately, holistic whitelisting is difficult to put in place. Taking away users' freedom to install and run whatever they want is political suicide in many environments.

Still, if you can do it -- full senior management support will be required -- you not only decrease security risk, you'll also minimize total cost of ownership. Locked-down desktops have few support issues since users aren't installing buggy, unapproved apps, slowing down their systems, and throwing up blue screens all the time. Plus, they require less troubleshooting and fewer rebuilds.

Privilege managers, such as BeyondTrust's PowerBroker (previously named Privilege Manager) allow admins to define what programs can run in elevated contexts. Unlike Windows UAC or Linux's sudo, privilege managers can also run in reverse: They enable most programs to run in elevated contexts, but they also enable the demotion of high-risk programs, such as browsers and email programs.

Yet another strategy for reducing risks is to disable JavaScript when it's not needed. Unfortunately, JavaScript makes the World Wide Web go around and disabling it completely will significantly interfere with most websites. Many browsers allow JavaScript to be disabled or enabled on a per-zone/per-site basis. Browser add-ons such as Firefox's NoScript offer an interesting way to control malicious JavaScripts but may require a level of decision expertise that end-users don't possess.

Disable JavaScript in applications where you don't need it. For example, any of the exploits against Adobe Reader would not be successful if its default JavaScript functionality was disabled, either manually or by using a registry edit. Unfortunately, Adobe Reader updates have a history of re-enabling the JavaScript functionality.

Some people recommend using less-attacked software, and there is some validity to this approach. However, if your software selection becomes popular, it will be attacked. But the bigger problems are operational issues, supportability, installation, and control of less-popular programs. Most companies would be better off concentrating resources into what they know and support. In reality, most of the "more secure" alternatives actually have at least as many security holes as the "less secure" products they are replacing. And while obscurity is a valid defense (I often promote it), it shouldn't be your only weapon.

Another way to decrease security risk is to significantly limit where users are allowed to browse the Internet, if at all. Remember, most malware and malicious hacker attacks begin from compromised legitimate websites that the user trusts. If you use this method to cut down on risk, the end-user should have a highly restricted list to the bare minimum necessary to support the company. If you can't prevent access to popular social media sites, you're not getting a lot of bang for the buck.

A lot of readers ask me if virtualizing the user's browser session will help. It can, but it isn't the panacea that most security defenders think it will be. Most of a virtualized application's protection comes from the ability to reset the app to clean state whenever it is restarted or when the end-user suspects a malicious action has occurred. However, in every real-life virtualized environment I've seen, both admins and end-users typically extend as far as possible the time between resets, which defeats the purpose. Even if you reset the virtualized app every day, it takes only minutes for malware to steal passwords and run other scams.

Of course good, updated antimalware defenses are needed. I may not be a huge fan of the increasingly less-accurate antivirus software, but it's worth installing and using in most scenarios. They may not be 100 percent accurate, but they catch bad elements.

I am a strong advocate of security-domain isolation, restricting workstations and servers so that they connect to only what they need. It can be accomplished using myriad methods, including routers, firewalls, VLANs, IPSec, and other avenues of logical separation.

Lastly, implement improved end-user education. Thoroughly train your end-users on how to detect and prevent the most popular attacks, such as compromised legitimate websites, fake antivirus programs, malicious software installs, phishing attacks, and so on.

If you have no choice but to allow all end-users elevated access, you've lost a significant wall of defense. Still, with the tactics I've shared, you have ways to carry on the fight against malware and malicious attackers.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!