Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Blocking Windows Admin Rights Can Stop Exploits

The majority of Microsoft Windows attacks seen in 2010 would have been blocked if PCs were not running with admin-level access rights, according to security vendor BeyondTrust.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Eliminating administrator-level rights for regular users can stop the majority of Microsoft Windows attacks from being able to exploit the computer.

That's the claim of a report released by security vendor BeyondTrust. For the report, the company investigated all of the security bulletins released by Microsoft in 2010, which detailed a total of 256 vulnerabilities.

Looking at those 2010 vulnerabilities, BeyondTrust found that PCs that weren't running with administrator-level rights would have blocked 64% of all Microsoft vulnerabilities, 75% of critical Windows 7 vulnerabilities, and all Microsoft Office and IE vulnerabilities. In addition, removing administrator rights would have stopped 82% of remote code execution vulnerabilities, which enable an attacker to run arbitrary code on compromised systems.

The report points to a piece of best-practice advice that's often found in Microsoft's security bulletins. Namely, that "users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Not coincidentally, the company behind the report sells software that can monitor, restrict, or delegate access to root passwords on different operating systems. But is there merit in this approach as a technique for helping mitigate Windows vulnerabilities--and especially zero-day attacks that attempt to exploit never-before-seen bugs?

In an email interview, Jack Koziol, director of information security training firm Infosec Institute, said it's likely the report is accurate in its charting of the number of attacks that would have been blocked by restricting administrative-level access. "Many of the current exploits out there require you to have admin/system access on the exploited system," he said.

"There is a major caveat to that though," he said. "One of the primary concepts we teach in our penetration-testing class is that of privilege escalation. If you have non-root or non-administrator level access to a system, you must attempt to escalate privileges in order to access sensitive portions of the OS."

Accordingly, if attackers are gunning for a system that restricts administrative-level access, "exploitation becomes a two-step process instead of a single step," said Koziol. "First, you get a foothold on the box with regular user access, secondly you gain admin access via privilege escalation attack--perhaps via a kernel vulnerability."

Some approaches to managing administrative-level access might block these types of attacks, he said. But a more directed attack against a specific target, he said, don't discount an attacker finding a way around the defenses, for example by exploiting a kernel-level vulnerability.

Those caveats aside, for organizations that want to control admin-level access, there are multiple approaches--some free. According to a blog post by Neil MacDonald, a vice president and distinguished analyst at Gartner, free approaches include Microsoft's User Account Control--but it's only built into Windows 7 and Vista--as well as a community version of ScriptLogic. Meanwhile, commercial options for controlling admin-level access by application on "an exception by exception basis" include BeyondTrust, Avecto, Viewfinity, and Symantec/Altiris, he said.

But the best approach, said Koziol, would be to overhaul Windows. "The real solution to this problem is to re-engineer Windows to allow regular users to do everything they need without the possibility of compromising the [trusted computing base] of the OS. The last real OS to do this was VMS. After that--well, you know the story," he said.

On the other hand, client/server operating systems as well as cloud-based applications inherently prevent these types of attacks, he noted, because users are never granted access it to the trusted computing base.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).