It's a common dilemma many administrators deal with daily. Do you give your Windows users local administrator privileges and deal with the subsequent malware infections and system screw-ups? Or do you give them lower-level access to the point where they're not allowed to do anything and then bother you all the time?
In my experience, nearly all Windows environments I've seen are configured with the former. Administrators want their users to have the access and privileges they need because it reduces the number of help desk calls and lightens their own workload.
The principle of least privilege -- giving users minimal access to do their work -- looks good on paper, but it's difficult to implement in a typical Windows environment that doesn't have enough IT resources or budget to meet everyone's needs. Microsoft says that the solution is to upgrade to Windows 7 and implement User Account Control (UAC), so that users can maintain administrator-level access. Unfortunately, this also causes applications to run at a lower privilege level. I predict that the majority of users will be on Windows 7 in 10 years, but until then we'll have a combination of XP and other legacy versions of Windows to contend with. Simply put, this problem is not going away anytime soon.
According to BeyondTrust , 62% of all Windows XP vulnerabilities in 2009 could have been mitigated by limiting user privileges. I don't completely agree with that statistic given all the variables involved, but the numbers are interesting nonetheless. When it comes to deciding whether or not users should have administrator privileges, I've found that it's often a one-sided conversation between the Windows administrator and himself.
Often management, software developers, vendors, end users and other key players are not brought into the discussion. Unfortunately, security standards and policies are rarely adhered to -- frequently because they don't exist -- and there's not much real insight given during the discussion . A combination of politics, refusals to buy into security and decision makers who want to take the path of least resistance tend to get in the way of actually managing business risks.
Personally, I have mixed feelings regarding the scenario. On one hand, I'm for balancing security with usability. Give users what they need and get out of their way. It's one of the least-touted principles of information security, but one that can go a long way to making security work for you rather than against you.
On the other hand, I understand that users cannot be trusted. Be it malice or ignorance, the average user can and will get themselves, their computers and potentially your network in a bind.
I'm not positive there's a good answer to this. Sure, UAC in Windows 7 may seem fine on paper, but it's going to have compatibility issues and hacks that will cause headaches for many IT professionals. Anti-malware software can't always be trusted either. The only reasonable way to control this problem is to search for a third-party endpoint security solution. Just realize that no singular solution will be seamless or trouble free.
The best thing to do is to step back and take a look at the big picture and what you're trying to accomplish. Get input from others who have experience, research third-party vendors or try to find some workarounds with what Microsoft already gives you. Just don't ignore the problem, it will only become more complex.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in June 2010