BeyondTrust Report on Removing Administrator: Correct?
Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis. The report offers several interesting conclusions:
[R]emoving administrator rights will better protect companies against the exploitation of:
- 90% of critical Windows 7 vulnerabilities reported to date
- 100% of Microsoft Office vulnerabilities reported in 2009
- 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009
- 64% of all Microsoft vulnerabilities reported in 2009
Initially I was pleased to read these results. Then I read BeyondTrust's methodology.
This report uses information found in the individual Security Bulletins to classify vulnerabilities by Severity Rating, Vulnerability Impact, Affected Software, as well as to determine if removing administrator rights will mitigate a vulnerability. A vulnerability is considered mitigated by removing administrator rights if the following sentence is located in the Security Bulletin’s Mitigating Factors section:
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (emphasis added)
"Could be less impacted?" In other words, BeyondTrust didn't do any testing. They just read Microsoft vulnerability reports, checked for that sentence, and published the results. I would be more comfortable with their conclusions if they conducted exploitation tests against suitable targets to determine if administrator rights made a difference or not.
This doesn't necessarily mean BeyondTrust is wrong. Removing administrator rights does help reduce exposures, but testing is required against modern exploitation methods to determine just how effective that countermeasure is.
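As the quoted methodology describes it, BeyondTrust's rule reduces to a string match on each bulletin's Mitigating Factors section. The Python below is an added illustration of that rule, not BeyondTrust's code; it applies the sentence check to constructed sample records (the ids, products and variant wording are made up) and tallies the resulting percentage per product, which is all the report's numbers measure.

```python
from collections import defaultdict

# The sentence the methodology keys on, quoted from the post.
MITIGATION_SENTENCE = (
    "Users whose accounts are configured to have fewer user rights on the "
    "system could be less impacted than users who operate with "
    "administrative user rights."
)

# Constructed sample records (ids, products and text are made up, not real
# bulletins); each mimics the fields the methodology reads from a bulletin.
SAMPLE_BULLETINS = [
    {"id": "MS09-SAMPLE-1", "software": "Internet Explorer", "severity": "Critical",
     "mitigating_factors": "Mitigating Factors\n" + MITIGATION_SENTENCE},
    {"id": "MS09-SAMPLE-2", "software": "Internet Explorer", "severity": "Critical",
     # Same sentence, wrapped across lines as it might be after extraction.
     "mitigating_factors": "Mitigating Factors\nUsers whose accounts are configured "
     "to have fewer user rights on the system\ncould be less impacted than users "
     "who operate with\nadministrative user rights."},
    {"id": "MS09-SAMPLE-3", "software": "Internet Explorer", "severity": "Important",
     "mitigating_factors": "Mitigating Factors\nMicrosoft has not identified any "
     "mitigating factors for this vulnerability."},
    {"id": "MS09-SAMPLE-4", "software": "Microsoft Office", "severity": "Critical",
     "mitigating_factors": "Mitigating Factors\n" + MITIGATION_SENTENCE},
    {"id": "MS09-SAMPLE-5", "software": "Windows 7", "severity": "Critical",
     # Constructed variant wording: same idea, different words, so the
     # literal-sentence rule silently counts it as NOT mitigated.
     "mitigating_factors": "Mitigating Factors\nUsers running with fewer user "
     "rights could be less affected than administrative users."},
]


def mitigated_by_removing_admin(bulletin):
    """The paper-only test: is the exact sentence present in Mitigating Factors?
    Whitespace is normalised so a line-wrapped copy still matches. No exploit
    is ever run against a host, which is the gap the post points out."""
    text = " ".join(bulletin["mitigating_factors"].split())
    return MITIGATION_SENTENCE in text


def tally(bulletins):
    """Percentage of bulletins per affected software that pass the sentence check."""
    counts = defaultdict(lambda: [0, 0])  # software -> [mitigated, total]
    for b in bulletins:
        c = counts[b["software"]]
        c[1] += 1
        if mitigated_by_removing_admin(b):
            c[0] += 1
    return {sw: round(100 * m / t) for sw, (m, t) in counts.items()}
```

The wrapped copy still matches after whitespace normalisation while the constructed paraphrase does not, so the rule measures wording, not whether an exploit actually fails without administrator rights.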
Comments
I would ask: when did it become acceptable to have the inmates run the asylum... even to the point where BeyondTrust just statistically summarizes Microsoft's own finding?
I used to see this bumper sticker on cars now and then that said "Question Authority"... I haven't seen one of those in a long time.
Clearly BeyondTrust has an interest in the results of their study as they sell a solution to address the issue highlighted by Coreigh. It would be interesting for someone independent to repeat the study with the inclusion of exploitation testing to verify whether the removal of admin rights is actually an effective countermeasure or not.
It's plausible but takes a lot of planning and a BIG stick!
From an admin/security/corporation standpoint, there is no question that eliminating local admin rights for end users (and even using UAC on Windows 7 for Admins/developers/helpdesk) will reduce the overall viruses, malware, adware, etc on these computers. Then, combine Windows 7 UAC with BeyondTrust Privilege Manager and you have a perfect solution for solving LUA in a corporate environment.
Yes, Avecto has a solution as well; the solution is not as proven as that by BeyondTrust (Privilege Manager has been on the market for over 5 years), it is more complex to use, and in many cases it is the same cost or more expensive. Regardless, everyone should test the two solutions side-by-side when it comes time to eliminate local admin rights.
In the end, I really don't understand the overall point of bashing a report, which is clearly "on point" when it comes to local admin privileges for standard users. You might not like the way they presented the material, but there is no debate that the material is correct and accurately summarizes the results of users being local admins!