Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:35 AM
Connect Directly

Feds Say 'Adios' to Admin Rights on Windows

The Federal Desktop Core Configuration mandate for Windows XP and Vista clients goes into effect on February 1

Windows desktop administrative rights soon will become a thing of the past for most federal users, as the U.S. government's Federal Desktop Core Configuration (FDCC) directive takes effect on February 1.

FDCC is the new set of standard security configuration guidelines for all federal agencies that run or plan to run Windows XP and Windows Vista desktops or laptops. Contractors' Windows client machines that run on federal networks also fall under FDCC, and IT product vendors selling products with these OSes also must configure them to the FDCC specifications.

"This is definitely a move in the right direction. Even with the increase in stealthy attacks, 90 percent of attacks are still using known vulnerabilities" and many agencies aren't keeping up with those vulnerabilities, says Amrit Williams, CTO of BigFix. "This will let them assess their [desktop] environments against those configurations, then enforce them, and remediate machines."

FDCC follows a similar initiative by the U.S. Air Force, which began in 2004. Air Force officials have said that their standard, secure desktop configurations cut patch time from on average of 51 days to 72 hours, and has also lowered support and security costs dramatically, says Alan Paller, director of research for the SANS Institute. FDCC was a natural progression for the feds after the Air Force's experience: "Happier users and lower costs because you don't have to do patch testing on all different configurations, and you get better security," he says.

Among the key security requirements in FDCC, aside from disabling administrative privileges, are disabling wireless network access and running Internet Explorer 7. But the biggest change with the directive will be limiting client machines to basic user privileges rather than letting them run with administrative rights, security experts say.

Leaving admin rights on a user's desktop can invite trouble, especially with today's more targeted attacks. Malware that gets on a machine can spread more readily, as well as take over the machine -- and users are free to run apps they shouldn't. Vista comes packaged with user account protection features that let users operate mundane tasks that once required admin privileges. (See The Truth About User Privileges.)

"The elimination of admin rights is really a key linchpin of this whole effort," says John Moyer, CEO of BeyondTrust, which sells least-privilege management tools. "[FDCC] really is about enforcing a standard, secure configuration, and as part of that standard is [an end user] not logging in as an administrator so you can't change all of those settings."

But SANS's Paller disagrees. "[Removing admin rights is] important, but life won't end if you have to put it off on 10 percent of your machines for a year," he says. "You can just isolate them on a subnet," for instance, he says.

The big question will be just how dropping admin rights will affect legacy applications, for instance. "There are going to be apps that don't work," especially internally developed ones, BigFix's Williams says.

And restrictions on wireless access also could pose some challenges, although experts say they're sure the feds will find a way to get their mobile users safer wireless with options such as EVDO cards, for instance.

"The problem with FDCC won't be 'is this hardened enough?'... but the productivity hit" it will incur, BigFix's Williams says.

SANS's Paller says there will be some apps that break, but that mainly will be a problem for the application developer, not the end user. "So the apps need to be changed not to require administrative rights" to run, he says.

And FDCC only addresses securely configuring desktops and laptops -- and only Windows XP and Vista ones. But security experts say they expect the feds to eventually set standard secure configurations for servers and other devices as well.

Aside from the U.S. Air Force, which stripped admin rights off of around 500,000 end-user machines, at least one other agency also has already done so prior to the FDCC requirements: The Department of Energy's National Nuclear Security Administration site in Nevada removed admin privileges from over 3,500 client machines after ditching Novell for a Windows Active Directory environment. The DOE runs BeyondTrust's Privilege Manager, which allows users to run desktop apps and perform authorized tasks without the need for admin privileges.

"The centralized management of applications, rights, and security was in question," so we went with least user privileges, says Gilroy Freeth, senior technical analyst for Spherion Services, a contractor to the DOE site.

Freeth says this helps neutralize rootkits and malware that require elevated privileges to help them do their dirty work. And since some IT group members will obviously still need admin privileges to do their jobs, their machines will be at risk for these types of client-side attacks, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Microsoft Corp. (Nasdaq: MSFT)
  • BigFix Inc.
  • The SANS Institute
  • BeyondTrust

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Sodinokibi Ransomware: Where Attackers' Money Goes
    Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
    Data Privacy Protections for the Most Vulnerable -- Children
    Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-18
    In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
    PUBLISHED: 2019-10-18
    In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.
    PUBLISHED: 2019-10-18
    OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.
    PUBLISHED: 2019-10-18
    The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...
    PUBLISHED: 2019-10-18
    ** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...