Local Administrator Rights Patrick Seymour patrick.seymour@sinclair.edu Sinclair Community College

How Do You Handle Admin Rights?

Reasons For Admin Rights Applications (un)installation and updating running Issues Protected areas of the file system and/or registry Checks for admin rights, whether it needs them or not Publisher requires admin rights Users see this as a freedom issue: the ability to customize and control their own device. Users in some type of R&D role especially need the ability to manage software.

Reasons For Admin Rights Fonts (permanent installation) Print (or any) drivers ActiveX controls System utilities, Control Panel applets, etc. Turn Windows Features On/Off Device Manager Defrag Network configuration Some times, it makes sense to restrict system utilities. But some, like defrag, are safe, and you may want to allow.

Reasons For Admin Rights Mobile users Home-based worker, needs to connect to their printer. Users at conferences or other events, need to install or update something.

Reasons For Admin Rights “We’ve always done it this way.” Expensive to remove. IT resources are already constrained. Rarely an issue. Data is stored elsewhere; just re-image the device. Malware infections are rare, and the ones that do occur do not depend on admin rights

Reasons Against Admin Rights Malware, except most ransomware (90%, per CyberArk) NotPetya encrypts MBR if it gains admin rights. Users can disable protection systems (anti-malware, firewall, disk encryption, etc.) Users can change configuration in a damaging way. Create or change services, which can run as the System. Zero-day vulnerability protection CVE-2018-8174 (2018-05-08) – VBScript RCE; gain same permissions as user Malware runs with the same permissions as the user who executed it.

Reasons Against Admin Rights 2016 Avecto Report on MS Vulnerabilities 93% of Critical RCE vulnerabilities (largest category of vulnerabilities) 94% of Criticals in Windows (Vista through 10) 100% of Criticals in Edge, 100% for IE 99% for Office overall, 93% for Office 2016 90% of Criticals in Windows Server Similar numbers for 2013-2015

Reasons Against Admin Rights 2017 Avecto Report on MS Vulnerabilities 80% of Critical RCE vulnerabilities (largest category of vulnerabilities) 79% of Criticals in Windows (Vista through 10) 96% of Criticals in Edge, 94% for IE 60% of Criticals in Office 74% of Criticals in Windows Server 88% of all Criticals from 2013 through 2017 Almost no vulnerabilities in other categories are mitigated by standard user accounts.

Reasons Against Admin Rights Center for Internet Security (CIS) Controls “CIS Controls 1 through 6 are essential to success and should be considered among the very first things to be done.” #4: Controlled Use of Administrative Privileges NIST 800-53: AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5 and SI-4 NIST Core: PR.AC-4, PR.AT-2, PR.MA-2, PR.PT-3 Malware runs with the same permissions as the user who executed it.

Reasons Against Admin Rights With UAC on, admin users only receive a Yes/No prompt. UAC Bypass App Paths Disk Cleanup (DLL Search Order) EventViewer/MSC IFileOperation Windows Backup WUSA Requiring credentials at the UAC prompt is much more secure. It forces users to put effort into allowing the potentially bad thing to run.

What Do We Do? It is not IT vs. Users. It is IT + Users vs. Attackers. Crank UAC all the way up. Remove debug privilege from Administrators group. Built-in Administrator Account: Random password and disable. Process Monitor and App Compatibility Toolkit Remove full-time admin rights for IT, especially desktop techs. No administrator accounts login interactively, especially domain admins.

What Do We Do? Provide an additional account to be used for elevation. Free Scriptable OK for mobile, if credentials are cached first. Con Need to enforce the inability for the additional account to logon interactively.

What Do We Do? Elevated Processes, On-Demand Avecto Defendpoint BeyondTrust PowerBroker Endpoint Least Privilege Management CyberArk Endpoint Privilege Manager PolicyPak Least Privilege Manager

What Do We Do? Adminizer (adminize.com) From a known security researcher (Sami Laiho) Changes local admin passwords every hour, even on disconnected machines. Inexpensive: $3.50 to $6.00 per machine Requires user to call help desk each time

What Do We Do? Access Director (basic-bytes.com) No longer free, but free version still exists on the Internet Paid version has centralized reporting Monitor elevated processes and installed software Elevates user’s existing account, temporarily

What Do We Do? Make Me Admin (makemeadmin.com) Free and open-source (GPLv3) Elevates user’s existing account, temporarily Works offline, no help desk interaction