I recently waded into a debate about whether people in an organization should be given local administrator access to their machines.
Now firstly, this violates the principle of least privilege, which is what all of security is based on. You don't get it unless you need it; you get the minimal privilege necessary to do your job. Imagine if cashiers could withdraw from the company account, if untrained boot camp grads were given missile launch keys, and if spies told their families everything. Security doesn't work that way.
Still, it got debated, and someone finally asked what specific dangers they were putting their network in by giving certain people local admin rights.
It's not a simple question, but I've come up with some examples.
Firstly, how does granting admin rights hurt a computer?
- In Windows XP, programs are run with full user privileges at all times. This means that when a user with admin rights is reading email and browsing the Internet, it's very easy for a Flash applet, infected JPEG, or PDF attachment to execute and instantly own the entire machine with the full force of administrative rights.
- In Windows Vista and 7, there is the User Account Control security mechanism, which separates a user's normal privileges from administrator privileges. However, new ways to bypass UAC have been released every few months (and those are just the public ones).
- This is all not to mention users' tendency to click the OK button despite not fully knowing what they're about to do, plus how often users install things from untrusted sources. All malware needs to do is pretend to be a desirable video and then claim you need to install a plugin to see it, and users will bend heaven and earth trying to bypass security.
- It's true that some damage can occur even without admin rights, and with fully patched software and antivirus: for example, adware that convinces users to spend money, or spyware that extracts sensitive information. Still, the scope of infection is minimal even if the impact is great; it generally only affects that user's account on that system, and antivirus software remains an effective detection and removal method.
Unfortunately, the only reliable way I know of to prevent these scenarios is to separate the duties between two people. Just like in accounting and in missiles, in order to prevent bad stuff from happening, sometimes you need to make it hard by requiring that another person get involved. Prevent the end-user from installing stuff; require an admin to install it for them. Remember that you're a user too; it's not a bad idea to put obstacles between you and installing stuff willy-nilly.
I can't tell you how many times a user has asked me to install something questionable and I've been able to avert a problem by suggesting an alternative. Or, at the very least, I've been able to document what I've installed to minimize support issues later.
Now, what's the real risk to your bottom line if malware gets local admin rights?
- If it can modify the Windows or Program Files folders, it can embed itself deeply in the system, making removal much more difficult compared to simply removing some files in the user's home folder or their section of the registry.
- If it can change permissions or take ownership of files, folders, or registry keys, it can do everything below.
- If it can install, modify or remove anti-virus programs, then your anti-virus is useless.
- If it can modify the registry, start menu, or task scheduler, it can have bad stuff run 24/7 and survive every shutdown.
- If it can install drivers, it can use that computer as if it were a hacker's laptop, launching any kind of attack it wants: man-in-the-middle attacks, sniffing, brute forcing, sending spam, and all forms of remote exploits, including infecting other machines.
- Installing keyloggers and remote-access software is trivial, so all information accessed and passwords typed in to that computer are compromised.
- If it can access the contents of the C:\Windows\System32\config folder, it can read the SAM and SECURITY files, which contain the encrypted passwords of all local accounts. It can then start decrypting those passwords.
- If it can access the registry keys underneath HKEY_LOCAL_MACHINE\SECURITY\Cache, it can read the cached domain credentials of any domain account that has logged into it recently, decrypt those passwords, and proceed to own your whole domain. When's the last time you logged into a user's computer as a domain admin?
- If it can modify the event log, it can hide its tracks.
To recap, that's 3 bullet points that result in the total ownage of your whole network, plus a bunch of other bullet points that make your life miserable. Keep in mind that any decently advanced malware won't make its presence known, so you could be giving the Mafia a reliable proxy, intellectual property thieves a bunch of corporate info, financial thieves tons of SSNs and credit card or bank info, spammers a pristine netblock, pirates a new haven for their files, or extortionists a new botnet to wield as a weapon, for years without knowing it.
Nobody should be reading email and browsing the web with local admin rights. Not even sysadmins. Make a separate admin account. Next to keeping your software patched, it's the single most effective defense your network has; firewalls and antivirus be damned.
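As an added example (not part of the original post), here is a PowerShell audit that checks the points above on a single Windows machine: who actually sits in the local Administrators group, whether the interactive user is running with an elevated token, whether UAC is still on, and how many domain logons are cached for a local admin to harvest. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated session, and a hypothetical allowlist of principals that are supposed to hold local admin.

```powershell
# Added audit example, not from the original post. Assumes PowerShell 5.1+ and an elevated session.
# $Allowed is a hypothetical allowlist: the built-in Administrator and the IT admin group.
# 'CONTOSO\Workstation Admins' is a constructed example value; replace it with your own group.
$Allowed = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins')

# 1. Who actually holds local admin rights on this box? Anything not on the allowlist is
#    almost certainly someone's daily-use account, which is exactly the situation the post argues against.
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $Allowed -notcontains $_.Name }
if ($unexpected) {
    Write-Warning 'Principals with local admin that are not on the allowlist:'
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Output 'Local Administrators group matches the allowlist.'
}

# 2. Is the current user (the one reading mail and browsing) holding an elevated admin token right now?
#    Under UAC a non-elevated admin gets a filtered token, so this reports False until they elevate.
$me      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ('Current user {0} has an elevated admin token: {1}' -f $me.Name, $isAdmin)

# 3. Is UAC still enabled? EnableLUA = 0 means every program runs with the user's full rights, XP-style.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning ('UAC is disabled (EnableLUA = {0}).' -f $uac.EnableLUA)
}

# 4. How many domain logons are cached here (the HKLM\SECURITY\Cache data the post mentions)?
#    The default is 10; lowering it on shared or exposed machines limits what a local admin can harvest.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Output ('CachedLogonsCount = {0}' -f $wl.CachedLogonsCount)
```

Run it from an elevated prompt on a workstation and compare the output against your change records; an unexpected name in step 1 is the first thing to chase down.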
See my follow-up post, How Do I Grant Least Privilege, or I Think Someone Needs Admin Rights