Enterprises can mitigate most Microsoft critical vulnerabilities simply by removing users’ administrative rights. According to a report from Avecto, “530 Microsoft vulnerabilities were reported in 2016 with 36% (189) having a critical severity rating. Of these critical vulnerabilities, 94% were mitigated by removing admin rights.”
According to James Maude, Senior Security Engineer, Avecto, for this report, Avecto classified a vulnerability as one that you could mitigate by removing admin rights if the sentence “Customers/users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights” or “If the current user is logged on with administrative user rights, an attacker could take control of an affected system” appeared in the Executive Summary of the bulletin for that vulnerability.
By learning the nature of these critical vulnerabilities, the arguments for and against removing admin rights, and the most streamlined method for disabling administrative privileges on a grand scale, you can mitigate most of the severe Microsoft vulnerabilities, too.
Microsoft critical vulnerabilities
Most of the Microsoft critical vulnerabilities in this research were Remote Code Execution holes in Microsoft products such as the OS, browser, or Microsoft Office. These flaws allow attackers to launch code silently when the user opens infected content, visits an infected website, or in some cases only connects to the same network as the attacker does, explains Maude.
“A phishing attack leveraging the vulnerability CVE-2016-3313, which Microsoft patched in MS16-099 would make a good example,” says Maude. This attack used an infected Microsoft Word document to initiate the invisible code execution.
Because the attack emanates from Microsoft Word, it runs in the user context. “If the user has admin rights, the attacker can abuse these privileges by tampering with security settings, infecting system files, or launching a pass the hash attack to move laterally in the network,” explains Maude.
In a pass the hash attack, assuming improper use of authentication protocols, the attacker can steal the static hash that represents a username and password and use it in place of the actual clear text credentials. It is easier to simply pilfer the hash than to attempt brute-force password attacks, which can fail due to policies that block IPs that try high volumes of different passwords per minute. An attacker uses the hash to log on to systems and servers, enabling them to move laterally inside the network while avoiding detection.
Arguments against removing admin rights
Having admin rights enables individual users to update software immediately, adding new capabilities and keeping software current so they can continue to work productively. “Many applications, basic system settings, and application updates require administrative rights to ensure proper function,” says Joseph Carson, Chief Security Scientist, Thycotic.
When companies that already permit the broad use of admin rights try to remove those rights, it leads to major business disruptions and unhappy, unproductive employees, according to Carson. “Companies sometimes sacrifice security for business ease of use and happy employees,” says Carson.
Countering those arguments
Software updates and new software installs fall under the authority of IT and security. Any updates or changes must go through change management and must pass testing for security and to ensure that any changes don’t break other applications where there are dependencies.
User-initiated software installs can also contain malware, including malicious programs that penetrate critical Microsoft vulnerabilities. “Malware exploits admin rights to change registry values, install and execute programs, and insert itself into memory. Most malware is ineffective without these abilities,” says Daniel J. Desko, Senior Manager, IT Risk Advisory Services, Schneider Downs.
Removing admin rights is also one layer of protection against phishing attacks on users. “When performing penetration tests, we often drop malware through phishing that ultimately gives us a backdoor and a launch point within the target network,” says Desko. “To pivot to other systems,” explains Desko, “we will often disable local protections on the machine we’ve hacked into, e.g., the local firewall, anti-virus, and encryption. We can’t do this if the user doesn’t have local administrator rights.”
According to Maude, by using privilege management solutions, companies can move to a least privilege environment that removes admin rights and keeps user productivity intact.
Streamlined methods for removing admin rights
According to James Maude, Senior Security Engineer, Avecto, the most streamlined process for removing admin rights on a grand scale is to capture user and business requirements and then tailor a deployment of access rights and privileges that offers a balance of security and user flexibility. “If you get the user experience right, then users will accept it, and you can successfully deploy a least privilege access approach on a grand scale,” according to Maude.
Because security is an evolving landscape, it is often best to remove human users’ admin rights across the board quickly with an open policy, which puts the organization in a more secure position, and then refine the policy and privileges over time to increase security, according to Maude.
For information about invoking least privilege, see the latest Microsoft instructions here. To secure local admin accounts and groups and defeat “pass the hash” attacks, see the latest Microsoft data here.