Update – Based on feedback, I failed to distinguish that I’m referring to normal users running as admin. Sysadmins and domain admins definitely shouldn’t be running with their admin privileges except for when they need them. As you can read in the comments, that’s a huge risk.
When I was reviewing Mike’s FireStarter on yanking admin rights from users, it got me thinking about whether admin rights really matter at all.
Yes, I realize this is a staple of security dogma, but I think the value of admin rights is completely overblown for two reasons:
- There are plenty of bad things an attacker can do in userland without needing admin rights. You can still install malware and access everything the user can.
- Lack of admin privileges is little more than a speed bump (if even that) for many kinds of memory corruption attacks. Certain buffer overflows and other attacks that directly manipulate memory can get around rights restrictions and run as root, admin, or worse. For example, if you exploit a kernel flaw with a buffer overflow (including flaws in device drivers) you are running in Ring 0 and fully trusted, no matter what privilege level the user was running as. If you read through the vulnerability updates on various platforms (Mac, PC, whatever), there are always a bunch of attacks that still work without admin rights.
I’m also completely ignoring privilege escalation attacks, but we all know they tend to get patched at a slower pace than remote exploitation vulnerabilities.
This isn’t to say that removal of admin rights is completely useless – it’s very useful to keep users from mucking up your desktop images – but from a defensive standpoint, I don’t think restricting user rights is nearly as effective as is often claimed.
My advice? Do not rely on standard user mode as a security defense. It’s useful for locking down users, but has only limited effectiveness for stopping attacks. When you evaluate pulling admin rights, don’t think it will suddenly eliminate the need for other standard endpoint security controls.
8 Replies to “Counterpoint: Admin Rights Don’t Matter the Way You Think They Do”
I completely agree with you that limited accounts are not the be-all / end-all of security. I’ve made a small demo some time ago about what a malicious program could do under a Windows 7 limited account: http://hype-free.blogspot.com/2009/07/what-can-malicious-program-do-under.html
However (I wish I could make the following statement bold): don’t let the perfect be the enemy of the good! The fact is (talking as an ex-senior malware analyst) that upwards of 90% of malware expects administrative privileges, and if it doesn’t have them, it will fail. As long as most people run as Admin, those who don’t have a serious advantage!
ds- I’m updating the post to reflect this. Never thought about it that way and great catch.
Hey Michael,
I was referring more to regular users running as admin, not superusers. Clearly I agree that domain admin is a different beast. I personally don’t run as admin when I connect to my servers, and have to physically log onto the server to access most admin tools.
My experience on the issue leads me to believe otherwise. I have seen it done both ways. It seems to me that the companies who restrict admin rights have far fewer headaches in general: downtime, malware infections and even software licensing issues.
To put this into perspective, I recently handled an incident where a domain admin clicked on a nasty and infected over 200 desktops. There were no AV definitions for this threat at the time. It took about a month to fully eradicate the infection from all machines. Just when we thought we had it all, another one would pop up. It was no more than a bother really, but it was time spent that could have gone to another security task.
Had the user not been logged in with admin, this wouldn’t have happened.
Just another perspective, that’s all.
I think that this post is dangerous. While many will understand the difference between removing admin rights from a desktop for the user and restricting/managing admin rights for sysadmins, the distinction isn’t explicitly stated, and some may take this to mean dealing with admin rights isn’t necessary as a blanket statement.
I would agree completely with your comments above regarding the minute impact on overall security pulling admin rights has. However, you are missing the one key component in which pulling these rights does assist: standardization. Pulling local admin rights from users stops users from installing non-“company”-compliant software, which in turn allows IT to manage a software portfolio that they are aware of and can maintain. From a security perspective this also reduces the number of software titles that need to be patched, which leads to a reduced exposure to software vulnerabilities. It is not an end-all solution, but consistency and standardization definitely help.
I end up explaining this quite a bit in my career. It’s the user data that’s valuable. Additionally, if people have a poor patch management program, no admin rights (or a “you can use a separate account for installs” rule) prevents several autoupdaters from executing.
I agree with this Rich. The Firestarter was certainly not meant to intimate that by pulling admin rights from all users all security problems are miraculously solved. I don’t think I did that, but as I document the endpoint security tactics over the next few weeks (in the upcoming Endpoint Security Fundamentals series), it will become much clearer what level and depth of controls are required to protect the endpoints.
Suffice it to say pulling admin rights is one control. So is user lockdown. As well as pen testing/social engineering, secure configurations, patch management, anti-malware and a host of other things that should be done.