BeyondTrust Report on Removing Administrator: Correct?

Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis. The report offers several interesting conclusions:

[R]emoving administrator rights will better protect companies against the exploitation of:

  • 90% of critical Windows 7 vulnerabilities reported to date

  • 100% of Microsoft Office vulnerabilities reported in 2009

  • 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009

  • 64% of all Microsoft vulnerabilities reported in 2009


Initially I was pleased to read these results. Then I read BeyondTrust's methodology.

This report uses information found in the individual Security Bulletins to classify vulnerabilities by Severity Rating, Vulnerability Impact, Affected Software, as well as to determine if removing administrator rights will mitigate a vulnerability. A vulnerability is considered mitigated by removing administrator rights if the following sentence is located in the Security Bulletin’s Mitigating Factors section

Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (emphasis added)

"Could be less impacted?" In other words, BeyondTrust didn't do any testing. They just read Microsoft vulnerability reports, checked for that sentence, and published the results. I would be more comfortable with their conclusions if they conducted exploitation tests against suitable targets to determine if administrator rights made a difference or not.

This doesn't necessarily mean BeyondTrust is wrong. Removing administrator rights does help reduce exposures, but testing is required against modern exploitation methods to determine just how effective that countermeasure is.

Comments

krycheq said…
I think the guys on pauldotcom were ranting about this a few weeks ago in relation to the Aurora attacks... they came to the conclusion that someone at Microsoft wrote automation that changes all instances of "will" to "could".

I would ask; when did it become acceptable to have the inmates run the asylum... even to the point where BeyondTrust just statistically summarizes Microsoft's own finding?

I used to see this bumper sticker on cars now and then that said "Question Authority"... I haven't seen one of those in a long time.
11:12 AM
Unknown said…
In general I am in agreement with limiting user admin-rights to the workstations. However in practice I find this very problematic. Sadly this is not due to users complaining, it is due to poorly written software that requires a user to have a certain level of access to operate correctly. I know your response; 'don't use that software'. Well that is just as an idealist idea as expecting users to know better than to blindly click 'ok' on every dialog box they see.
11:19 AM
lostzero said…
http://www.scriptlogic.com/products/privilegeauthority/
4:47 PM
Chris Blunt (Axenic) said…
I read the report at the weekend and initially I was hopeful that I would be able to direct some of my clients to the report to encourage them to remove local administrator rights from their users. However, when I read the methodology it quickly dawned on me that I couldn’t use the information present. I guess we should be happy that the methodology was published in the report. I wonder how many people actually read and understood the implications of the methodology used on the legitimacy of the results?

Clearly BeyondTrust has an interest in the results of their study as they sell a solution to address the issue highlighted by Coreigh. It would be interesting for someone independent to repeat the study with the inclusion of exploitation testing to verify whether the removal of admin rights is actually an effective countermeasure or not.
3:35 AM
Andrew said…
Try Privilege Guard from Avecto Ltd www.avecto.com. Its technically better than Beyondtrust and 1/2 the price. I had a look at the script logic free stuff and its pretty basic, you couldn't use it in a corporate enviroment.
3:41 AM
gih said…
Administrator can be removed if it is not fair in administering such system.
5:26 AM
Anonymous said…
I conducted a 60 day pilot to see how feasible it was for a team of IT XP users (approx 50) to operate with only basic or power user privileges. Out of approximately 20 issues identified there was maybe 2-3 which required vendor response. Otherwise, the majority of the problems involved users not following proper instructions for the established workaround to temporarily escalate their privilege for the required task. Cached session credentials was a big issue as well as users trying to secretly get their privileges elevated (detected by a script and auditing). Supervisor was pleasantly surpised when her attempt to install unauthorized software failed.

It's plausible but takes alot of planning and a BIG stick!
1:32 PM
Derek Melber, MVP said…
There is nothing in the BeyondTrust report that states that they did any testing... they clearly summarized what the effects are when the user is a local admin, with regard to vulnerabilities. That is pretty clear, simple, and non-debatable.

From an admin/security/corporation standpoint, there is no question that eliminating local admin rights for end users (and even using UAC on Windows 7 for Admins/developers/helpdesk) will reduce the overall viruses, malware, adware, etc on these computers. Then, combine Windows 7 UAC with BeyondTrust Privilege Manager and you have a perfect solution for solving LUA in a corporate environment.

Yes, Avecto has a solution as well, the solution is not as proven as that by BeyondTrust (Privilege Manager has been on the market for over 5 years), it is more complex to use, and in many cases is the same cost or more expensive. Regardless, everyone should test the two solutions side-by-side when it comes time to eliminate local admin rights.

In the end, I really don't understand the overall point of bashing a report, which is clearly "on point" when it comes to local admin privileges for standard users. You might not like the way they presented the material, but there is no debate that the material is correct and accurately summarizes the results of users being local admins!
8:21 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more