Tuesday, April 06, 2010

BeyondTrust Report on Removing Administrator: Correct?

Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis. The report offers several interesting conclusions:

[R]emoving administrator rights will better protect companies against the exploitation of:

  • 90% of critical Windows 7 vulnerabilities reported to date

  • 100% of Microsoft Office vulnerabilities reported in 2009

  • 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009

  • 64% of all Microsoft vulnerabilities reported in 2009


Initially I was pleased to read these results. Then I read BeyondTrust's methodology.

This report uses information found in the individual Security Bulletins to classify vulnerabilities by Severity Rating, Vulnerability Impact, Affected Software, as well as to determine if removing administrator rights will mitigate a vulnerability. A vulnerability is considered mitigated by removing administrator rights if the following sentence is located in the Security Bulletin's Mitigating Factors section:

Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
(emphasis added on "could")

"Could be less impacted?" In other words, BeyondTrust did no testing of its own. It read Microsoft's security bulletins, checked each one for that stock sentence, and published the tally. The sentence is boilerplate that Microsoft attaches to many bulletins; its presence says nothing about whether a given exploit actually fails when the victim is a standard user. I would be more comfortable with the conclusions if BeyondTrust had run exploitation tests against suitable targets, once as an administrator and once as a standard user, to determine whether administrator rights made a difference.

This doesn't necessarily mean BeyondTrust is wrong. Removing administrator rights does reduce exposure: code that runs as a standard user cannot load a driver or write to system directories without a further privilege escalation. It still runs with everything that user can reach, though, and stealing the user's data or persisting in the user's profile is often all an attacker needs. Testing against modern exploitation methods is required to determine just how effective the countermeasure actually is.
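As an added example, not part of the original post or of BeyondTrust's report, the following Python script applies the report's classification rule to a handful of constructed bulletin excerpts. The bulletin IDs, the section-heading format (a line such as "Mitigating Factors:") and the bulletin texts are all assumptions made for the example; no real bulletin is fetched or parsed. It shows exactly what the rule counts and what it does not: the stock sentence under Mitigating Factors counts, the same sentence under Workarounds does not, and at no point is any vulnerability exercised against an exploit.

```python
import re
from collections import defaultdict

# The exact sentence BeyondTrust's methodology searches for.
MITIGATION_SENTENCE = (
    "Users whose accounts are configured to have fewer user rights on the system "
    "could be less impacted than users who operate with administrative user rights."
)

# Assumed heading format for the constructed samples below: "Mitigating Factors:"
HEADING_RE = re.compile(r"^[A-Z][A-Za-z ]+:$")


def parse_sections(text):
    """Split a plain-text bulletin into {heading: body}.
    Assumes each section starts with a line like 'Mitigating Factors:'
    (an assumption about the sample format, not Microsoft's published layout)."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if HEADING_RE.match(stripped):
            current = stripped[:-1]          # drop the trailing colon
        elif current is not None:
            sections[current].append(stripped)
    return {name: " ".join(lines) for name, lines in sections.items()}


def _normalize(s):
    # Collapse line breaks / whitespace and case so the sentence matches when wrapped.
    return " ".join(s.split()).lower()


def mitigated_by_removing_admin(bulletin):
    """The report's rule: True only if the exact sentence appears in the
    Mitigating Factors section. No exploitation test is involved."""
    body = parse_sections(bulletin["text"]).get("Mitigating Factors", "")
    return _normalize(MITIGATION_SENTENCE) in _normalize(body)


def summarize(bulletins):
    """Return {product: (counted_as_mitigated, total)} plus an 'All' row."""
    tally = defaultdict(lambda: [0, 0])
    for b in bulletins:
        for key in (b["product"], "All"):
            tally[key][1] += 1
            tally[key][0] += mitigated_by_removing_admin(b)
    return {k: tuple(v) for k, v in tally.items()}


def percent(mitigated, total):
    return round(100 * mitigated / total) if total else 0


# Constructed sample bulletins (hypothetical IDs; text written for this example).
SAMPLE_BULLETINS = [
    {"id": "SAMPLE-01", "product": "Internet Explorer", "severity": "Critical",
     "text": """Summary:
A remote code execution vulnerability exists in the way the browser handles objects in memory.
Mitigating Factors:
An attacker would have to convince a user to visit a specially crafted web page.
Users whose accounts are configured to have fewer user rights on the system
could be less impacted than users who operate with administrative user rights.
Workarounds:
Set Internet zone security to High.
"""},
    {"id": "SAMPLE-02", "product": "Windows 7", "severity": "Critical",
     "text": """Summary:
A remote code execution vulnerability exists in a network-facing service.
Mitigating Factors:
Microsoft has not identified any mitigating factors for this vulnerability.
"""},
    {"id": "SAMPLE-03", "product": "Microsoft Office", "severity": "Important",
     "text": """Summary:
A remote code execution vulnerability exists in document parsing.
Mitigating Factors:
Users whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
"""},
    {"id": "SAMPLE-04", "product": "Windows 7", "severity": "Critical",
     "text": """Summary:
An elevation of privilege vulnerability exists in a kernel-mode driver.
Mitigating Factors:
Firewall best practices do not reduce exposure to this local vulnerability.
Workarounds:
Users whose accounts are configured to have fewer user rights on the system
could be less impacted than users who operate with administrative user rights.
"""},
]

if __name__ == "__main__":
    for product, (m, t) in summarize(SAMPLE_BULLETINS).items():
        print(f"{product}: {m}/{t} counted as mitigated ({percent(m, t)}%)")
```

SAMPLE-04 is the instructive case: the sentence is present, but under Workarounds rather than Mitigating Factors, so the rule does not count it, while SAMPLE-01 is counted purely because the boilerplate is there. Neither outcome tells you whether an exploit for either flaw succeeds against a standard user; only a test with a working exploit does.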

8 comments:

krycheq said...

I think the guys on pauldotcom were ranting about this a few weeks ago in relation to the Aurora attacks... they came to the conclusion that someone at Microsoft wrote automation that changes all instances of "will" to "could".

I would ask: when did it become acceptable to have the inmates run the asylum... even to the point where BeyondTrust just statistically summarizes Microsoft's own findings?

I used to see this bumper sticker on cars now and then that said "Question Authority"... I haven't seen one of those in a long time.

Coreigh said...

In general I am in agreement with limiting user admin rights on workstations. However, in practice I find this very problematic. Sadly this is not due to users complaining; it is due to poorly written software that requires a user to have a certain level of access to operate correctly. I know your response: 'don't use that software'. Well, that is just as idealistic an idea as expecting users to know better than to blindly click 'OK' on every dialog box they see.

lostzero said...

http://www.scriptlogic.com/products/privilegeauthority/

Chris Blunt (Axenic) said...

I read the report at the weekend and initially I was hopeful that I would be able to direct some of my clients to the report to encourage them to remove local administrator rights from their users. However, when I read the methodology it quickly dawned on me that I couldn’t use the information present. I guess we should be happy that the methodology was published in the report. I wonder how many people actually read and understood the implications of the methodology used on the legitimacy of the results?

Clearly BeyondTrust has an interest in the results of their study as they sell a solution to address the issue highlighted by Coreigh. It would be interesting for someone independent to repeat the study with the inclusion of exploitation testing to verify whether the removal of admin rights is actually an effective countermeasure or not.

Andrew said...

Try Privilege Guard from Avecto Ltd, www.avecto.com. It's technically better than BeyondTrust and half the price. I had a look at the ScriptLogic free stuff and it's pretty basic; you couldn't use it in a corporate environment.

gih said...

Administrator can be removed if it is not fair in administering such a system.

Anonymous said...

I conducted a 60-day pilot to see how feasible it was for a team of IT XP users (approx. 50) to operate with only basic or power user privileges. Out of approximately 20 issues identified there were maybe 2-3 which required a vendor response. Otherwise, the majority of the problems involved users not following proper instructions for the established workaround to temporarily escalate their privileges for the required task. Cached session credentials were a big issue, as were users trying to secretly get their privileges elevated (detected by a script and auditing). The supervisor was pleasantly surprised when her attempt to install unauthorized software failed.

It's plausible but takes a lot of planning and a BIG stick!

Derek Melber, MVP said...

There is nothing in the BeyondTrust report that states that they did any testing... they clearly summarized what the effects are when the user is a local admin, with regard to vulnerabilities. That is pretty clear, simple, and non-debatable.

From an admin/security/corporation standpoint, there is no question that eliminating local admin rights for end users (and even using UAC on Windows 7 for Admins/developers/helpdesk) will reduce the overall viruses, malware, adware, etc on these computers. Then, combine Windows 7 UAC with BeyondTrust Privilege Manager and you have a perfect solution for solving LUA in a corporate environment.

Yes, Avecto has a solution as well, but the solution is not as proven as that from BeyondTrust (Privilege Manager has been on the market for over 5 years), it is more complex to use, and in many cases is the same cost or more expensive. Regardless, everyone should test the two solutions side by side when it comes time to eliminate local admin rights.

In the end, I really don't understand the overall point of bashing a report, which is clearly "on point" when it comes to local admin privileges for standard users. You might not like the way they presented the material, but there is no debate that the material is correct and accurately summarizes the results of users being local admins!