Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:35 AM
Connect Directly

Feds Say 'Adios' to Admin Rights on Windows

The Federal Desktop Core Configuration mandate for Windows XP and Vista clients goes into effect on February 1

Windows desktop administrative rights soon will become a thing of the past for most federal users, as the U.S. government's Federal Desktop Core Configuration (FDCC) directive takes effect on February 1.

FDCC is the new set of standard security configuration guidelines for all federal agencies that run or plan to run Windows XP and Windows Vista desktops or laptops. Contractors' Windows client machines that run on federal networks also fall under FDCC, and IT product vendors selling products with these OSes also must configure them to the FDCC specifications.

"This is definitely a move in the right direction. Even with the increase in stealthy attacks, 90 percent of attacks are still using known vulnerabilities" and many agencies aren't keeping up with those vulnerabilities, says Amrit Williams, CTO of BigFix. "This will let them assess their [desktop] environments against those configurations, then enforce them, and remediate machines."

FDCC follows a similar initiative by the U.S. Air Force, which began in 2004. Air Force officials have said that their standard, secure desktop configurations cut patch time from on average of 51 days to 72 hours, and has also lowered support and security costs dramatically, says Alan Paller, director of research for the SANS Institute. FDCC was a natural progression for the feds after the Air Force's experience: "Happier users and lower costs because you don't have to do patch testing on all different configurations, and you get better security," he says.

Among the key security requirements in FDCC, aside from disabling administrative privileges, are disabling wireless network access and running Internet Explorer 7. But the biggest change with the directive will be limiting client machines to basic user privileges rather than letting them run with administrative rights, security experts say.

Leaving admin rights on a user's desktop can invite trouble, especially with today's more targeted attacks. Malware that gets on a machine can spread more readily, as well as take over the machine -- and users are free to run apps they shouldn't. Vista comes packaged with user account protection features that let users operate mundane tasks that once required admin privileges. (See The Truth About User Privileges.)

"The elimination of admin rights is really a key linchpin of this whole effort," says John Moyer, CEO of BeyondTrust, which sells least-privilege management tools. "[FDCC] really is about enforcing a standard, secure configuration, and as part of that standard is [an end user] not logging in as an administrator so you can't change all of those settings."

But SANS's Paller disagrees. "[Removing admin rights is] important, but life won't end if you have to put it off on 10 percent of your machines for a year," he says. "You can just isolate them on a subnet," for instance, he says.

The big question will be just how dropping admin rights will affect legacy applications, for instance. "There are going to be apps that don't work," especially internally developed ones, BigFix's Williams says.

And restrictions on wireless access also could pose some challenges, although experts say they're sure the feds will find a way to get their mobile users safer wireless with options such as EVDO cards, for instance.

"The problem with FDCC won't be 'is this hardened enough?'... but the productivity hit" it will incur, BigFix's Williams says.

SANS's Paller says there will be some apps that break, but that mainly will be a problem for the application developer, not the end user. "So the apps need to be changed not to require administrative rights" to run, he says.

And FDCC only addresses securely configuring desktops and laptops -- and only Windows XP and Vista ones. But security experts say they expect the feds to eventually set standard secure configurations for servers and other devices as well.

Aside from the U.S. Air Force, which stripped admin rights off of around 500,000 end-user machines, at least one other agency also has already done so prior to the FDCC requirements: The Department of Energy's National Nuclear Security Administration site in Nevada removed admin privileges from over 3,500 client machines after ditching Novell for a Windows Active Directory environment. The DOE runs BeyondTrust's Privilege Manager, which allows users to run desktop apps and perform authorized tasks without the need for admin privileges.

"The centralized management of applications, rights, and security was in question," so we went with least user privileges, says Gilroy Freeth, senior technical analyst for Spherion Services, a contractor to the DOE site.

Freeth says this helps neutralize rootkits and malware that require elevated privileges to help them do their dirty work. And since some IT group members will obviously still need admin privileges to do their jobs, their machines will be at risk for these types of client-side attacks, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Microsoft Corp. (Nasdaq: MSFT)
  • BigFix Inc.
  • The SANS Institute
  • BeyondTrust

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 5/27/2020
    10 iOS Security Tips to Lock Down Your iPhone
    Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
    How an Industry Consortium Can Reinvent Security Solution Testing
    Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-05-27
    In SmartDraw 2020, the installer gives inherited write permissions to the Authenticated Users group on the SmartDraw 2020 installation folder. Additionally, when the product is installed, two scheduled tasks are created on the machine, SDMsgUpdate (Local) and SDMsgUpdate (TE). The scheduled...
    PUBLISHED: 2020-05-27
    An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
    PUBLISHED: 2020-05-27
    A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
    PUBLISHED: 2020-05-27
    JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
    PUBLISHED: 2020-05-27
    JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.