Dark Reading is part of the Informa Tech Division of Informa PLC


Least-Privilege Technology Still Swimming Upstream, But Making Progress

Fundamental shift in endpoint security might be easier with rollout of Windows 7, experts say

The least-privilege security model is one of the oldest and best-known endpoint strategies in the industry. It has the support -- at least on paper -- of Microsoft, and products for implementing it have been available for years. Yet so far, researchers estimate that only 20 percent of corporate endpoints are using those technologies.

So what's everybody waiting for?

For those who came in late, the least-privilege concept was developed in military circles more than a decade ago. Put simply, it states that people -- and their PCs -- should be given access only to information (and software) they expressly need to do their jobs. It's basically the "need to know" concept applied to computers -- each endpoint starts with no access and no administrative rights, and access to applications and data is given only when the end user is deemed to have a need for it.

On paper, the least-privilege concept appears ideal for the business environment, where many security breaches are caused by end users who accidentally leak data or hackers who exploit Windows administrative rights. Microsoft has lent its support to the least-privilege concept with the development of User Access Control (UAC), which creates "standard user rights" on end stations, eliminating the default administrative rights that previously characterized most Windows deployments.

In practice, however, only a small percentage of PCs currently use least-privilege technology. Analysts and other experts point to three chief inhibitors to its deployment: technology, complexity, and culture.

The first problem -- technology -- has to do with Windows itself. In the past, Windows has always granted the user administrative rights by default, and therefore many application developers have created software that uses those rights. Intuit QuickBooks, for example, offers several features that rely on administrative privileges, and the program wouldn't work properly if those rights were not there. Many other applications, particularly industry-specific and home-grown apps, also require admin privileges to operate.

"The biggest reason why least-privilege technology hasn't caught on is because of the applications that require admin rights in order to work," says Scott McCarley, director of marketing at BeyondTrust, a security software vendor that specializes in least-privilege. "If you've got programs that won't work without those rights, you're in a tough spot."

BeyondTrust, which works closely with Microsoft, has developed a tool called Privilege Manager, which enables the PC to access administrative rights when it needs them to operate a specific application or task -- and keeps those rights restricted the rest of the time. Of the 20 percent of end stations that currently use least-privilege, many are running the BeyondTrust software, and the company doubled its sales last year.

BeyondTrust maintains that many of today's most popular hacks would be impossible on Windows computers that don't have administrative rights. In a study conducted earlier this year, the company found that of all the vulnerabilities Microsoft labeled as "critical" in 2008, some 92 percent exploited administrative privileges in some fashion.

"Implement least-privilege without admin rights, and 92 percent of those vulnerabilities would have been mitigated," McCarley said. "That's a big step in the right direction."

But analysts say the second inhibitor -- complexity -- still stands in the way of implementation. "[Least-privilege] is a very effective control, but nearly impossible to implement on Windows XP," says Rich Mogull, founder of Securosis, a security consulting firm. "You can do it, but it's pretty hard and has a high impact on the user experience. Thus we see organizations focusing on [Group Policy Objects] and third-party security tools, since dropping to regular user permissions is so disruptive."

In a 2008 interview, Bill Jensen, a product marketing manager at Check Point, said complexity is the chief reason why least-privilege technology hasn't taken off.

"Unfortunately, there are always bugs, even at the kernel level, that can potentially circumvent security privileges," Jensen said. "Least-privilege means defining an individualized security policy for every single person or application. This is, well, nigh impossible."

For this reason, Check Point advocates the use of "default deny" technology that is implemented, not surprisingly, in the firewall. But McCarley says default deny is too restrictive, and doesn't solve the admin rights problem. This argument -- which basically boils down to whether access rights should be defined in the network or at the endpoint -- adds another level of complexity to the discussion, and makes IT people even more reluctant to implement least-privilege technology.

Many enterprises are solving the problem by leaving administrative rights in their Windows machines, but severely restricting users' ability to access them, Mogull says. But with the rollout of Windows 7, Microsoft will make UAC and standard configurations part of the OS, and that will make the least-privilege concept much easier to deploy, he notes.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
