{"id":67945,"date":"2014-04-01T20:02:39","date_gmt":"2014-04-02T00:02:39","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-25T22:17:13","modified_gmt":"2021-08-26T02:17:13","slug":"limit-admin-rights-to-close-msft-holes","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/limit-admin-rights-to-close-msft-holes\/","title":{"rendered":"Limit Admin Rights to Close Microsoft Holes"},"content":{"rendered":"<p><a href=\"https:\/\/web.archive.org\/web\/20111113132702\/http:\/\/www.blackswanriskconsulting.com:80\/continuity-planning-workshop\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-107492 alignleft\" title=\"Limit Admin Rights to Close MSFT Holes\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863-150x92.jpg?resize=139%2C85&#038;ssl=1\" alt=\"Limit Admin Rights to Close MSFT Holes\" width=\"139\" height=\"85\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?resize=150%2C92&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?resize=75%2C46&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?resize=768%2C473&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?resize=1024%2C631&amp;ssl=1 1024w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?w=1981&amp;ssl=1 1981w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?w=960&amp;ssl=1 960w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mitigation-e1570296423863.jpg?w=1440&amp;ssl=1 1440w\" sizes=\"auto, (max-width: 139px) 100vw, 139px\" \/><\/a>It&#8217;s been <b>best practice<\/b>\u00a0for a very long time: all users and processes should <strong>run with the fewest privileges necessary<\/strong>. 
That means no Admin rights for users. This limits the damage that can be done by an attacker if the user or process is compromised.<\/p>\n<p><a href=\"http:\/\/www.avecto.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-107495\" title=\"Avecto logo\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/avecto_logo.jpg?resize=100%2C37&#038;ssl=1\" alt=\"Avecto logo\" width=\"100\" height=\"37\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/avecto_logo.jpg?resize=150%2C56&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/avecto_logo.jpg?resize=75%2C28&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/avecto_logo.jpg?w=298&amp;ssl=1 298w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a><a title=\"ZDnet\" href=\"http:\/\/www.zdnet.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>ZDNet<\/em><\/a> <a title=\"Admin rights key to mitigating vulnerabilities, study shows\" href=\"http:\/\/www.zdnet.com\/admin-rights-key-to-mitigating-vulnerabilities-study-shows-7000026428\/#ftag=RSS14dc6a9\" target=\"_blank\" rel=\"noopener noreferrer\">says<\/a> that running users without admin rights on\u00a0<a title=\"Microsoft\" href=\"http:\/\/www.microsoft.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft<\/a> (<a title=\"NASDAQ | MSFT\" href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-MSFT\/\" target=\"_blank\" rel=\"noopener noreferrer\">MSFT<\/a>) <a title=\"Windows XP won't die without a fight\" href=\"http:\/\/www.cnet.com\/news\/windows-xp-wont-die-without-a-fight\/\" target=\"_blank\" rel=\"homepage noopener noreferrer\">Windows XP<\/a> was generally impractical. 
It is a much more reasonable and manageable approach on <a title=\"Windows Vista\" href=\"http:\/\/en.wikipedia.org\/wiki\/Windows_Vista\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">Windows Vista<\/a>, <a title=\"3 ways to get a new Windows 7 PC in the Windows 8 era\" href=\"http:\/\/www.pcworld.com\/article\/2105765\/3-ways-to-get-a-new-windows-7-pc-in-the-windows-8-era.html\" target=\"_blank\" rel=\"noopener noreferrer\">Windows 7<\/a>, and <a title=\"Windows 8\" href=\"http:\/\/windows.microsoft.com\/en-us\/windows-8\/meet\" target=\"_blank\" rel=\"noopener noreferrer\">Windows 8<\/a>, but many organizations still run users as administrators because it makes things easier in the short term.<\/p>\n<h3>Impact of running with &#8220;least privilege&#8221;<\/h3>\n<p><em>ZDNet<\/em> cites a new study from\u00a0<a title=\"United Kingdom \" href=\"https:\/\/web.archive.org\/web\/20210102141059\/https:\/\/www.cia.gov\/library\/publications\/the-world-factbook\/geos\/uk.html\" target=\"_blank\" rel=\"economist noopener noreferrer\">UK<\/a> software company <a title=\"Avecto\" href=\"http:\/\/www.avecto.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Avecto<\/a> which demonstrates the real-world impact of running with &#8220;least privilege&#8221;. In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. 200 of the 333 total vulnerabilities would be mitigated if the user were not running as administrator. 
147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.<\/p>\n<p><a title=\"Dark Reading\" href=\"https:\/\/www.darkreading.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Dark Reading<\/em><\/a> says that the Avecto results also revealed that removing admin rights would mitigate:<\/p>\n<ul>\n<li><a href=\"https:\/\/itservices.uchicago.edu\/page\/stay-safe\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-107497 \" title=\"running with &quot;least privilege&quot;\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/laptop_locked-e1570296549681-150x75.jpg?resize=120%2C60&#038;ssl=1\" alt=\"running with &quot;least privilege&quot;\" width=\"120\" height=\"60\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/laptop_locked-e1570296549681.jpg?resize=150%2C75&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/laptop_locked-e1570296549681.jpg?resize=75%2C37&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/laptop_locked-e1570296549681.jpg?w=433&amp;ssl=1 433w\" sizes=\"auto, (max-width: 120px) 100vw, 120px\" \/><\/a>91% of critical vulnerabilities affecting <a title=\"Microsoft Office\" href=\"http:\/\/office.microsoft.com\/en-us\/default.aspx\" target=\"_blank\" rel=\"homepage noopener noreferrer\">Microsoft Office<\/a>,<\/li>\n<li>96% of critical vulnerabilities affecting Windows operating systems,<\/li>\n<li>100% of vulnerabilities in <a title=\"Internet Explorer\" href=\"http:\/\/www.microsoft.com\/windows\/internet-explorer\/\" target=\"_blank\" rel=\"homepage noopener noreferrer\">Internet Explorer<\/a>, and<\/li>\n<li>100% of critical remote code execution vulnerabilities.<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><a href=\"https:\/\/web.archive.org\/web\/20161108054620\/http:\/\/learn.avecto.com\/2013-microsoft-vulnerabilities-report\" target=\"_blank\" 
rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-107499\" title=\"Breakdown of Microsoft Vulnerability Impact in 2013\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Infog_Microsoft_breakdown-vulnerabilityimpact2013.jpg?resize=400%2C359&#038;ssl=1\" alt=\"Breakdown of Microsoft Vulnerability Impact in 2013\" width=\"400\" height=\"359\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Infog_Microsoft_breakdown-vulnerabilityimpact2013.jpg?w=522&amp;ssl=1 522w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Infog_Microsoft_breakdown-vulnerabilityimpact2013.jpg?resize=75%2C67&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Infog_Microsoft_breakdown-vulnerabilityimpact2013.jpg?resize=150%2C134&amp;ssl=1 150w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a><\/p>\n<p>Avecto told <em>ZDNet<\/em> that non-administrator users can still be compromised, but it&#8217;s much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive <a title=\"Computer security\" href=\"http:\/\/en.wikipedia.org\/wiki\/Computer_security\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">security architecture<\/a>, including the prompt application of updates to patch vulnerabilities.<\/p>\n<p>Paul Kenyon, co-founder and EVP of Avecto, told <em>Dark Reading<\/em>, &#8220;This analysis focuses purely on known vulnerabilities, and cybercriminals will be quick to take advantage of bugs that are unknown to vendors. Defending against these unknown threats is difficult, but removing admin rights is the most effective way to do so.&#8221;<\/p>\n<p><strong><em>rb-<\/em><\/strong><\/p>\n<p><em>Employees with admin rights can install, modify and delete software and files as well as change system settings, making more work for the help desk folks. 
The report demonstrates that many companies are still not fully aware of how many admin users they have and consequently face an unknown and unquantified security threat. It is also conceivable that privilege management would have made high-profile attacks such as the <a title=\"Target breach started with phishing attack on contractor, researcher alleges\" href=\"https:\/\/web.archive.org\/web\/20141004021756\/http:\/\/news.techworld.com:80\/security\/3502123\/target-breach-started-with-phishing-attack-on-contractor-researcher-alleges\/\" target=\"_blank\" rel=\"noopener noreferrer\">recent one on Target<\/a>, if not impossible, then much harder, by reducing the potential for the abuse of partner access, believed to have been at the heart of the breach.<\/em><\/p>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Avecto says removing MSFT admin rights reduces critical vulnerabilities 91% Office 96% Windows OS 100% of IE and remote code executions<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2292,1754,1755,2072,970,2070,82,421,2071,4,11,2069,445,1756],"class_list":["post-67945","post","type-post","status-publish","format-standard","hentry","category-security","tag-2292","tag-1754","tag-1755","tag-avecto","tag-internet-explorer","tag-least","tag-microsoft","tag-msft","tag-privilege","tag-security","tag-vista","tag-vulnerability-computing","tag-windows","tag-xp"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/67945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=67945"}],"version-history":[{"count":9,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/67945\/revisions"}],"predecessor-version":[{"id":120307,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/67945\/revisions\/120307"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=67945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=67945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=67945"
}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}