Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Ignoring application privileges has proved hugely risky. The tools now exist to put that right.

October 20, 2017

  • Blog
  • Archive

There can’t be a crazier unplanned wrinkle in the history of desktop computing than the way that the rise of the Windows PCs and client-server applications gradually turned ordinary PC users into reluctant software administrators.

PC users were suddenly put in charge of applications, sometimes with full admin rights. This was good because users were assumed to be a force for change and needed control to allow the client-server and PC movement to overthrow the dusty rooms full of green screens and Cobol coders of pre-Internet times.

Such naive idealism is long gone now but, incredibly, the Windows world has struggled to patch up the mistake, first asking developers to stop building applications that demanded admin rights to work and more recently (when this proved unworkable) by imposing controls such as User Access Control (UAC) in Vista.

This is better than a free-for-all but it begs the question of where lines get drawn. How are application privileges elevated and when is that deigned to be a good idea? Often it might seem easier just to lock down all privileges but that brings problems of its own in the form of an energy-sapping barrage of UAC requests.

So what, then, are the downsides of simply persisting with poor or no application management?

Application privileges pose a hazard on three broad fronts, starting quite simply with the way they are routinely exploited by malware to gain control of a victim’s PC, often using quite basic social engineering attacks.

A second is that employees abuse application privileges either to reconfigure or install applications and plug-ins that a business would rather they did not or, in extreme cases, to deliberately bypass security for ulterior reasons.

Both of these are caused by a failure to restrict applications privileges, but it can work the other way when too many application privileges are removed, using what application controls do exist as blunt instruments Organizations also suffer, often without realizing it, when staff can’t access applications legitimately because restrictions have been set too tightly.

All three create problems that are hard to quantify and very easy to underestimate. Malware is often theoretical until it strikes and when it does the key role played by privilege escalation in particular is not necessarily realized.

Likewise, where application access has become a hassle for employees this can be hidden behind a wall of silence. Staff might simply shrug and accept the issue as ‘part of the way IT works’ and so management never has to confront the hidden toll on productivity.

Today, for the first time organizations have a way of fighting back with application management. Admins can define which applications get run (and which don’t) using the principle of least privilege, sandboxing legacy applications that need admin rights while allowing users to carry out harmless reconfigurations for themselves. Every action becomes part of an audit trail, giving admins insight into application use.

Had developers from the pre-Internet age had any inkling of the security risks they were taking they’d have no doubt designed in this layer of adult application control from the start, but such is hindsight. Today, no application should be considered secure or productive without it.

John Dunn

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

Whitepapers

Evolving Privileged Identity Management (PIM) In The 'Next Normal'

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.