Mitigating the use of Local Admin

Topic

Risks

Mitigation

Security

Malicious Software infections on the client. If a user has local administrative rights they are able to disable the security enhancements that protect them (Firewall, Bitlocker, Antimalware etc.).

Educate users on the safety aspects of administering a computer, especially around installation of software, downloading anything from the internet, and the potential threats such as phishing scams and internet fraud. Similar to a home users PC, if security cannot be enforced then it is the responsibility of the end user.

Utilise application blacklisting to restrict users from installing software that has been identified as adding to high risk to the user experience,  (Applocker)

Ensure applications are not modifying the core system by implementing control using AD Group Policy Management – Windows Server 2008 R2 with Windows 7 clients provides the most extensive set of policies.

Ensure the Windows Firewall is enabled and policies are controlled by Group Policy. Configure User Account Control (UAC) to alert end users to the changes being made to the system. Educating the users about this functionality will prevent several scenarios that can lead to infection by malware.

Data Confidentiality

If implemented incorrectly, it is possible for users to have access to PC's they should not normally be allowed to. Gaining access to sensitive files such as HR or Financial information.

Also the loss of the device or USB sticks can be  a major concern for many companies.

Restrict local administrative rights to those users that MUST have this functionality, and then only to their main PC (such as a laptop or regular desktop). Ensure that all devices which contain sensitive information are highly protected with the use of Bitlocker and Bitlocker to Go. These can ensure that any data written to these devices is secured in such a way that if the device is lost or stolen, the information cannot be retrieved unless it is unlocked by the systems administrators (keys backed up in Active Directory).

Depending on the threat, Encrypted File System (EFS) may be a better mitigation option to secure files. If Bitlocker is not used, or just disabled, the data on the drive can still be secure.

Productivity

Unstable systems causing interrupts to user productivity, increased downtime and more time spent troubleshooting issues.

The concept of a "Standard Operating Environment" is to create a baseline client or server image that can be deployed into the environment to provide the basic functionality. This baseline can then be managed and maintained by a central IT team to ensure the correct software, updates and patches are applied. Along with configuration settings that can improve the user experience, resolve issues, or prevent downtime. Remote access tools and client agents are deployed to enable monitoring and updating of the clients, providing a capability for reporting on the health status of individual or groups of computers.

Compatibility

More difficult to standardise, therefore provide new services

If the versions of software being used in the environment are not standardised then it becomes a management nightmare to try to deploy new solutions as the older versions may not support the new functionality. Consider virtualising all application to enable a more fluid and timely delivery mechanism.

Licensing

Auditing and compliancy can become an expensive exercise, especially if software can be installed at will. If the correct reporting is not available to discover the assets in use, then it is very difficult to accurately assess the true cost of any software solutions now or in the future.

Asset management is a key component of any medium to large environment. This is something that is simpler to manage when a company is smaller, and more difficult as it grows. Configuring an asset management database with discovery agents to automatically update this is the recommended way to go. It could save the company a lot more money than the initial setup costs.

User education

There is no technical replacement for common sense. The first line of defence is to educate users on the best practices for securing their data and raising awareness of the potential risks involved with public internet access – especially when they have local admin rights to their PC.

Client Health

Most enterprise desktops and laptops will start life as a Standard Operating Environment (SOE) – meaning the Operating System has been built a standard specification, the image is captured and reused to build all future clients. During the build, certain types of software and configuration settings will installed and on completion the client is usually added to an Active Directory Domain.

The problem comes when a user has local admin rights, they have the ability to reconfigure these default settings and remove many of the built in security features such as the firewall and UAC. Also a common issue is the interruption of security scans, software updates and other maintenance tasks designed to help keep the client running smoothly.

To prevent these issues we need to ensure that the desired configurations are set as part of Group Policy, which ensures a regular refresh of the client settings even when they are off the domain. It is not a fool proof option a savvy users will be able to find ways around many of the limitations imposed by the policies.

By implementing DirectAccess (instead of VPN solutions) we gain access to the PC every time it connects to the internet. A secure tunnel is created back to the corporate network without the user initiating any software or log-in details. This provides a better method for regularly deploying software and settings for roaming clients.

I would also recommend implementing a method of automated error reporting such as Desktop Error Monitoring, a part of the MDOP offering. This will divert all Doctor Watson type errors to a centralised server to provide client health information (this is what Microsoft does on a global scale for all publicly connected and enabled clients that have opted in for the feature)

Software Management

Domain joined computers are easier to manage when we start to involve Group Policy for configuration items and Software Management agents to remotely deploy applications, updates and security patches.  Many of the core software products will be purchased, packaged, maintained and deployed by a central IT Administration group. These should account for the majority of the software required by the users and can be delivered in many ways from traditional physical installation to virtual or hosted.

The problem usually comes when the software is either freeware, personal or specialised and only required by a very few individuals. This type of software can generally be obtained and installed by the user.

Due to this, your software management agents should be capable of scanning the clients health and reporting back a list of installed software including its version number . This is useful to the IT administrators as they can see a consolidated view of  the types of software being installed and look for trend analysis of products that cause issues on the clients or in the environment

Infrastructure Security

Providing users access to the corporate network through VPN solutions, using identification and authorisation of the users credentials is a good start, similar to the physical security of posting a security guard the front door. But what about limiting access to resources based on not only the user identity but also their role, and how they are gaining access to the environment - they type of device, the health of that device and their location (corporate office or a coffee shop?)

One of the key aspects to infrastructure security is to treat your client network security the same internally as you do externally. Scanning the health of clients before granting access to resources, preventing the removal of data unless it is secured, and provisioning resources through secure channels that ensure a controlled and consistent experience regardless of device type or location.

Firewalls and Antimalware, software updates and security patches - these are the fundamental building blocks of a secure network. Scanning and testing both servers and clients on a regular basis is not only good practice but common-sense, and using more than one AV scan engine (see Forefront) enables wider range of testing so a higher chance of success. A more sophisticated approach is to scan the data whilst in transmission, detecting not only virus signatures but also behavioural patterns, which can lead to the detection of new threats. To test that you are successfully capturing potential threats you need to ensure you are looking at the internal network as well as the perimeter  – most breaches are found to come from an internal source.