
Bob Tarzey

Job title:
Analyst and Director, Quocirca Ltd

Biography:
Bob joined Quocirca in 2002. His main area of coverage is route to market for ITC vendors, but he also has a specific focus on IT security, network computing, systems management and managed services. Bob writes regular analytical columns and blogs for Computing, Computer Weekly, silicon.com, Computer Reseller News (CRN), Infosecurity Magazine and IT Director. He has written for The Times, Financial Times and The Daily Telegraph and provides general comment for the European IT and business press. Bob has extensive knowledge of the IT industry. Prior to joining Quocirca he spent 16 years working for US technology vendors including DEC (now HP), Sybase (now SAP), Gupta, Merant (now Serena), eGain and webMethods (now Software AG). Bob has a BSc in Geology from Manchester University and a PhD in Geochemistry from Leicester University.


Windows Desktop Admin Rights – An Open Door for Malware?

Quocirca has written extensively about privileged user management over the years, including two research reports Conquering the sys-admin challenge in 2011 and Privileged user management – it’s time to take control in 2009. One of the dangers highlighted in both reports is that if privileged user accounts are compromised the results can be far more serious than when the same happens with the accounts of “normal” unprivileged users. Several vendors specialise in the management of privilege and sys-admin rights, including CA, Cyber-Ark, Centrify, Lieberman Software, Quest Software, Thycotic and UK-based Osirium, which sponsored Quocirca’s most recent report.

It is odd then that many businesses leave “normal” users with full admin rights in one area: their Windows desktops. IT departments are prone to do this because it makes life easy: their helpdesks do not get constant user account control (UAC) requests (to install ActiveX components etc.). However, Windows desktops with full admin rights are a gift to malware writers. Once compromised, it is far easier to recruit such PCs to botnets, install key-loggers or use them as a springboard to deeper penetration of an organisation’s infrastructure. The default position should be that no desktop runs with full admin rights and that such rights should only be granted for limited periods of time and to enable certain tasks.

This has led to the emergence of a second group of privilege management vendors whose main focus is to get the problem of Windows desktop admin rights under control. They enable automated granting of admin rights based on predefined policies, which can apply to applications as well as users. This helps minimise the number of UAC requests, as when a user needs to install or update a commonly used application their privilege level can be temporarily elevated. Most of the vendors above do not address these specific issues and are therefore partnering in this area. Quocirca has been speaking to two of these vendors recently.
 
First is Avecto, a UK-based vendor that is doing half its business in North America. Its product is called Privilege Guard and it has a partnership with Cyber-Ark. Its focus to date has largely been selling direct to large enterprises where it links in with Active Directory and its Group Policy engine. However, it can also now link in with McAfee’s ePolicy Orchestrator (ePO), creating a partnership which Avecto sees as key to building a multi-tenancy on-demand version of Privilege Guard that will open up the SMB market, where practices regarding management of Windows privilege tend to be at their worst.
 
Second is Viewfinity, an Israeli vendor, which has just opened its first European office in Amsterdam. It already does 60% of its business via an on-demand platform; the other 40% is on-premise installs at large enterprises. It has partnerships with Lieberman Software and CA, and is integrated with Microsoft System Center Configuration Manager (SCCM) and, of course, Active Directory. Viewfinity has just released V4 of its product. It also has a free “Local Admin Discovery” tool, which allows you to find out for free just how widespread the allocation of admin rights is across your Windows desktop estate. The approach is a bit like those free malware detection tools that tell you of all the gremlins that are present on your PC but will not let you delete them until you cough up a fee (although Viewfinity should actually work!).
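As an added example (not Viewfinity's tool or any code from this post), the following PowerShell audit performs the same kind of discovery in-house: it enumerates the local Administrators group across a constructed list of desktops and flags ordinary user accounts holding standing admin rights. It assumes PowerShell Remoting (WinRM) is enabled on the targets, the caller has rights to query them, and the hostnames and approved-account list are constructed placeholders.

```powershell
# Added example: measure how widespread standing local admin rights are on Windows desktops.
# Not Viewfinity's Local Admin Discovery tool or any vendor code.
# Assumptions: WinRM enabled on targets, caller has query rights, hostnames are constructed.

$Computers = @('DESK-001', 'DESK-002', 'DESK-003')      # constructed sample estate
$ApprovedUsers = @('Administrator', 'svc-deploy')       # constructed list of sanctioned local admin accounts

# Hosts that are offline or refuse WinRM are silently skipped; compare $Report against
# $Computers if you need to know which desktops were not actually audited.
$Report = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Get-LocalGroupMember (PowerShell 5.1+) lists every principal in the group,
    # including domain users and nested domain groups, with its source directory.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [PSCustomObject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $_.Name             # e.g. CORP\jsmith or DESK-001\Administrator
            ObjectClass     = $_.ObjectClass      # 'User' or 'Group'
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
        }
    }
}

# A user account (rather than a group) that is not on the approved list is a standing
# desktop admin right: the kind that should become a policy-based, time-limited elevation.
$Unexpected = $Report | Where-Object {
    $_.ObjectClass -eq 'User' -and
    ($ApprovedUsers -notcontains ($_.Member -split '\\')[-1])
}

$Unexpected | Sort-Object Computer | Format-Table Computer, Member, PrincipalSource -AutoSize

# Headline figure: share of the sampled estate with at least one non-approved local admin user.
$Affected = @($Unexpected | Select-Object -ExpandProperty Computer -Unique).Count
'{0} of {1} desktops have non-approved users with full local admin rights' -f $Affected, $Computers.Count
```

Domain groups nested in the local Administrators group are not flagged here; review those separately, since a broad group such as "Domain Users" grants every member admin rights just as effectively.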
 
Regardless of the vendor selected (a third player is BeyondTrust), that may well be a price worth paying. At this level most malware is opportunist; it will seek out the most vulnerable and easiest to exploit PCs. Once malware has found its way onto a PC, finding full admin rights is a gift: an open invitation to take full advantage of opportunities for data theft or deeper penetration into the infrastructure of the organisation that owns the device and thought it could trust it on its network.
 
As Quocirca research over the years has shown, there is much poor practice in businesses of all sizes when it comes to the management of privilege and sys-admin rights. Just as was stated in 2009 with regard to the management of core IT infrastructure, when it comes to user desktops, it is time to take control.
 

Posted 03/04/2012 by Bob Tarzey

Tagged under: Windows , privilege , admin rights
