Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:35 AM
Connect Directly

Feds Say 'Adios' to Admin Rights on Windows

The Federal Desktop Core Configuration mandate for Windows XP and Vista clients goes into effect on February 1

Windows desktop administrative rights soon will become a thing of the past for most federal users, as the U.S. government's Federal Desktop Core Configuration (FDCC) directive takes effect on February 1.

FDCC is the new set of standard security configuration guidelines for all federal agencies that run or plan to run Windows XP and Windows Vista desktops or laptops. Contractors' Windows client machines that run on federal networks also fall under FDCC, and IT product vendors selling products with these OSes also must configure them to the FDCC specifications.

"This is definitely a move in the right direction. Even with the increase in stealthy attacks, 90 percent of attacks are still using known vulnerabilities" and many agencies aren't keeping up with those vulnerabilities, says Amrit Williams, CTO of BigFix. "This will let them assess their [desktop] environments against those configurations, then enforce them, and remediate machines."

FDCC follows a similar initiative by the U.S. Air Force, which began in 2004. Air Force officials have said that their standard, secure desktop configurations cut patch time from on average of 51 days to 72 hours, and has also lowered support and security costs dramatically, says Alan Paller, director of research for the SANS Institute. FDCC was a natural progression for the feds after the Air Force's experience: "Happier users and lower costs because you don't have to do patch testing on all different configurations, and you get better security," he says.

Among the key security requirements in FDCC, aside from disabling administrative privileges, are disabling wireless network access and running Internet Explorer 7. But the biggest change with the directive will be limiting client machines to basic user privileges rather than letting them run with administrative rights, security experts say.

Leaving admin rights on a user's desktop can invite trouble, especially with today's more targeted attacks. Malware that gets on a machine can spread more readily, as well as take over the machine -- and users are free to run apps they shouldn't. Vista comes packaged with user account protection features that let users operate mundane tasks that once required admin privileges. (See The Truth About User Privileges.)

"The elimination of admin rights is really a key linchpin of this whole effort," says John Moyer, CEO of BeyondTrust, which sells least-privilege management tools. "[FDCC] really is about enforcing a standard, secure configuration, and as part of that standard is [an end user] not logging in as an administrator so you can't change all of those settings."

But SANS's Paller disagrees. "[Removing admin rights is] important, but life won't end if you have to put it off on 10 percent of your machines for a year," he says. "You can just isolate them on a subnet," for instance, he says.

The big question will be just how dropping admin rights will affect legacy applications, for instance. "There are going to be apps that don't work," especially internally developed ones, BigFix's Williams says.

And restrictions on wireless access also could pose some challenges, although experts say they're sure the feds will find a way to get their mobile users safer wireless with options such as EVDO cards, for instance.

"The problem with FDCC won't be 'is this hardened enough?'... but the productivity hit" it will incur, BigFix's Williams says.

SANS's Paller says there will be some apps that break, but that mainly will be a problem for the application developer, not the end user. "So the apps need to be changed not to require administrative rights" to run, he says.

And FDCC only addresses securely configuring desktops and laptops -- and only Windows XP and Vista ones. But security experts say they expect the feds to eventually set standard secure configurations for servers and other devices as well.

Aside from the U.S. Air Force, which stripped admin rights off of around 500,000 end-user machines, at least one other agency also has already done so prior to the FDCC requirements: The Department of Energy's National Nuclear Security Administration site in Nevada removed admin privileges from over 3,500 client machines after ditching Novell for a Windows Active Directory environment. The DOE runs BeyondTrust's Privilege Manager, which allows users to run desktop apps and perform authorized tasks without the need for admin privileges.

"The centralized management of applications, rights, and security was in question," so we went with least user privileges, says Gilroy Freeth, senior technical analyst for Spherion Services, a contractor to the DOE site.

Freeth says this helps neutralize rootkits and malware that require elevated privileges to help them do their dirty work. And since some IT group members will obviously still need admin privileges to do their jobs, their machines will be at risk for these types of client-side attacks, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Microsoft Corp. (Nasdaq: MSFT)
  • BigFix Inc.
  • The SANS Institute
  • BeyondTrust

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-07
    The affected product is vulnerable to integer overflow while parsing malformed over-the-air firmware update files, which may allow an attacker to remotely execute code on SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, C...
    PUBLISHED: 2021-05-07
    The affected product is vulnerable to an integer overflow while processing HTTP headers, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK v...
    PUBLISHED: 2021-05-07
    Proofpoint Enterprise Protection (PPS/PoD) before 8.17.0 contains a vulnerability that could allow an attacker to deliver an email message with a malicious attachment that bypasses scanning and file-blocking rules. The vulnerability exists because messages with certain crafted and malformed multipar...
    PUBLISHED: 2021-05-07
    VMware vRealize Business for Cloud 7.x prior to 7.6.0 contains a remote code execution vulnerability due to an unauthorised end point. A malicious actor with network access may exploit this issue causing unauthorised remote code execution on vRealize Business for Cloud Virtual Appliance.
    PUBLISHED: 2021-05-07
    LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm.