Thursday 22 July 2010

Microsoft Security Advisory (2286198) - Vulnerability in Windows Shell Could Allow Remote Code Execution

The Windows shortcut vulnerability is generating a lot of interest in the blogosphere, and rightly so. Described in more detail here, the flaw lets an attacker craft a malformed shortcut that points to a malicious executable, which then runs automatically when the folder containing the shortcut is viewed in IE or Windows Explorer. The shortcut and binary can be placed locally, on a USB drive for instance, or hosted on a web server.

Microsoft notes in its advisory, as is often the case, that use of least privilege security can reduce the severity of a successful attack:

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

While Microsoft doesn’t specifically mention it in the security advisory, it’s also possible that having a whitelist of allowed applications, enforced using Software Restriction Policy or AppLocker, will reduce the likelihood of a successful attack.

Should Windows users have full administrative rights?

In his TechTarget article, Kevin Beaver discusses the need for least privilege security while acknowledging the challenges of implementation.

Personally, I have mixed feelings regarding the scenario. On one hand, I'm for balancing security with usability. Give users what they need and get out of their way. It's one of the least-touted principles of information security, but one that can go a long way to making security work for you rather than against you.

But as we know, giving users full control is also a recipe for disaster:

On the other hand, I understand that users cannot be trusted. Be it malice or ignorance, the average user can and will get themselves, their computers and potentially your network in a bind.

One area where I’d tend to disagree with the article is that giving users administrative rights doesn’t necessarily reduce helpdesk calls if system configuration is well planned.

Administrators want their users to have the access and privileges they need because it reduces the number of help desk calls and lightens their own workload.

He concludes by suggesting that you should solve the problem by seeking out people with experience and using a mixture of Microsoft and third-party solutions:

Get input from others who have experience, research third-party vendors or try to find some workarounds with what Microsoft already gives you.

Wednesday 21 July 2010

Avecto Regulatory Compliance and Least Privilege Security whitepaper

My recent whitepaper for Avecto is now available at their website with information about the part least privilege security plays in achieving regulatory compliance. The whitepaper discusses the concept of least privilege security for personal computers, why it’s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Download it here.

Tuesday 20 July 2010

Lifehacker encourages users to circumvent IT policy

Just in case you thought your users weren’t trying to outwit you, Lifehacker has reposted a link to their Survive IT Lockdown piece in Top 10 Tips for Surviving Office Life.

Get Around or Work Beyond Lame IT Restrictions

Some companies have a certain set of computer apps they want their employees to work inside, and nothing more. Gina's previously recommended USB thumb drive apps and some other clever tactics to survive IT lockdown, but for those stuck in the browser race with Internet Explorer, we've also offered up our guide to getting Firefox's best features in Internet Explorer.

Monday 19 July 2010

IT Pros discuss least-privilege security

Coalface Tech Podcast Episode 6 looks at the issues surrounding desktop security and includes plenty of interesting views on dealing with least privilege.

Desktop security - whose responsibility is it anyway? Who cares? What tools? What about the edge?