Inadequate Security

It’s no surprise that in a recent survey of 488 IT workers, according to IT PRO, two thirds of them claim that security is not mission critical to their company. Tom Gaffney of F-Secure thinks that desktop security is a non-starter:

Gaffney expressed concerns over whether top level executives will ever recognise how important security is.

“I am very skeptical they ever will. That is the reality we have seen already in the desktop world,” he told IT PRO. “I don’t think it will be just one event that will change things.”

Desktop security IS on the agenda for companies that must adhere to regulatory requirements and for others that understand the key to preventing malware is to eliminate administrative privileges.

Secure Windows started with Vista

According to Microsoft’s Crispin Cowan, Vista Paved the Way for Secure Windows. He also notes that:

“If you are running as administrator, security is fairly hopeless," he said. Unfettered administrative rights is what allowed malware and viruses to take control of computers.

He continues:

Vista, featured a total separation between what a user can do on a machine and what an administrator can do, a separation that has always been enforced on Unix distributions. This separation, enforced by UAC, limits the damage that a user can do to a machine.

Google makes Chrome browser available as MSI file

While I still believe that Internet Explorer 8 is the right choice of browser for business use at the current time, Google has taken one step forward in making its popular Chrome browser enterprise friendly by making available an MSI installer package. Most importantly, unlike the consumer version, the MSI installs Chrome to the protected Program Files directory, making one installation of Chrome available to all users of the same system and easier to update when deployed across enterprise systems. Needless to say, an MSI file is also helpful when using Group Policy Software Installation or other enterprise-class deployment system. Download the Chrome MSI for enterprise deployment here.

You should note that at the time of writing, the MSI version of Chrome is a beta of version 6.

Book Review: Least Privilege Security for Windows 7,Vista and XP

Least Privilege Security for Windows 7,Vista and XP gets its first review here at Group Policy Center.

In quite a lot of chapters Russell goes into detail step by step instructions explain how to use the above technologies.  But what I really like is that he also takes the time to talk about how to approach the Cultural and Political challenges in implementing this security model as this is normally the hardest part achieving a secure environment.

The review continues:

I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

Microsoft Security Advisory (2286198) - Vulnerability in Windows Shell Could Allow Remote Code Execution

The Windows shortcut vulnerability is generating a lot of interest in the blogosphere, and rightly so. Described in more detail here, attackers can place a malformed shortcut to a malicious executable that will automatically run when the folder is viewed in IE or Windows Explorer. The shortcut and binary can be placed locally, on a USB drive for instance, or hosted on a web server.

Microsoft notes in its advisory, as is often the case, that use of least privilege security can reduce the severity of a successful attack:

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

While Microsoft doesn’t specifically mention it in the security advisory, it’s also possible that having a whitelist of allowed applications, enforced using Software Restriction Policy or AppLocker, will reduce the likelihood of a successful attack.

Should Windows users have full administrative rights?

In his Techtarget article, Kevin Beaver discusses the need for least privilege security while acknowledging the challenges of implementation.

Personally, I have mixed feelings regarding the scenario. On one hand, I'm for balancing security with usability. Give users what they need and get out of their way. It's one of the least-touted principles of information security, but one that can go a long way to making security work for you rather than against you.

But as we know, giving users full control is also a recipe for disaster:

On the other hand, I understand that users cannot be trusted. Be it malice or ignorance, the average user can and will get themselves, their computers and potentially your network in a bind.

One area where I’d tend to disagree with the article, is that giving users administrative rights doesn’t necessarily reduce helpdesk calls, if system configuration is well planned.

Administrators want their users to have the access and privileges they need because it reduces the number of help desk calls and lightens their own workload.

He concludes by suggesting that you should solve the problem by seeking people with experience and use a mixture of Microsoft and 3rd party solutions:

Get input from others who have experience, research third-party vendors or try to find some workarounds with what Microsoft already gives you.

Avecto Regulatory Compliance and Least Privilege Security whitepaper

My recent whitepaper for Avecto is now available at their website with information about the part least privilege security plays in achieving regulatory compliance. The whitepaper discusses the concept of least privilege security for personal computers, why it’s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Download it here.