There is no denying that Microsoft Windows has a clear market advantage when it comes to their IT ecosystems. No other vendor has produced a successful server and desktop operating system pair that excels in compatibility, authentication, productivity, and architecture, and there are clear benefits to having an integrated desktop and server architecture that is based on the same underlying platform.
Microsoft solutions, however, do have one flaw that has plagued them since Windows for Workgroups 3.11 back in the mid-1990s: security in Windows has always been an afterthought that has slowly been re-engineered back into the solution. Time and again, security has taken a back seat to innovation—and more recently, to the rapid digital transformation and shift to modern cloud infrastructure.
This blog will explore:
- Factors contributing to the lag between innovation and security in the Microsoft Windows ecosystem (i.e. technical debt)
- The biggest problems with the risks created by that security lag
- Proven ways to mitigate, and even eliminate, threats inherent to the Microsoft ecosystem.
Why security is the single biggest and most persistent hurdle for Microsoft Windows
Security has traditionally been a secondary consideration when innovation is the primary driver for a technology. This has not changed since the mid-90s. Innovation of the operating system and its features is still hailed as the most important thing because perception insists that technology needs to exist at the bleeding edge of its industry if it is going to stay relevant.
With the above said, some vendors, like Apple, appear to develop and market security and innovation on par. Microsoft, however, loosely considers security a feature. While this a debatable opinion, the history of products from each vendor suggests this conclusion, and their marketing reinforces this sentiment. Remember when Apple marketing stated that macOS could not get a computer virus? We all know better now. Microsoft Windows has never embraced security marketing in any type of similar manner – regardless if it was true or false.
Consider the transition to the cloud or digital transformation, both of which were accelerated by the work-from-anywhere requirements normalized during the pandemic. But also consider features like autorun for CD/DVDs and USB removable media, guest file shares, and even access to the root operating system via C#. At the time, these where great ideas—innovations that lent a necessary competitive advantage. But the rapid-fire nature of innovation also lends itself to risk. If the security for this innovation is an afterthought, threat actors can quickly learn how to exploit and use these innovations as conduits for malicious activity.
An analysis of what could go wrong and how to secure these innovative features only appears after a vulnerability is discovered and an exploit is determined to present a risk to the business. After all, with all the cloud capabilities of OneDrive, DropBox, Google Drive, etc., why do we even use server-based file shares in an environment? Additionally, with all the advanced remote access solutions on the market, why do we still use RDP? It is because we have technical debt and other solutions like back up utilities that are dependent on them. These were all developed and released with innovation in mind and security added as an afterthought.
Case in point—the Follina Vulnerability
The Follina Vulnerability is one example of what can go wrong when Windows access security considerations come into effect after a product’s release. The Follina Vulnerability is a zero-day remote code execution (RCE) vulnerability (CVE-2022-30190P) that was discovered in the Microsoft Support Diagnostic Tool (MSDT). It allows an attacker to execute arbitrary code using a malicious Microsoft Office document. Follina is most often exploited via phishing emails.
According to Microsoft, “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
What’s changed—why are these security risks unacceptable today?
Heretofore, security has often been seen as a hindrance to innovation because implementing proper security checks could slow innovation to the point that it could lose its competitive edge or be deemed to have less relevance. Now, in a world where security threats are so rampant, malicious, and conspicuously detrimental to organizations, Windows access security—and innovative security—may be more relevant than mere innovation alone.
The biggest Microsoft Windows flaw: administrative privileges
The Follina Vulnerability is a consequence of one flaw that infests all computing devices and is especially painful for Microsoft Windows: administrative privileges. Removing administrative privileges and enforcing true least privilege (just-enough privileges plus just-in-time access) will prevent most malware and attackers from executing lateral movement.
Since the vast majority malware and attacks require privilege to execute, which may also mean utilizing lateral movement and privilege escalation to gain the necessary level of access, the principle of least privilege (PoLP) offers a significant amount of cyber-protection power. Having PoLP in place means an attacker’s code will only execute within the context of the targeted user, posing far less risk to a standard user without administrative privileges than it would to a local admin user. This represents the biggest strategic adjustment an organization can make in managing Windows accounts for end users to mitigate this persistent problem.
Administrative privileges are not always and inherently a bad thing – the problem exists where organizations fail, or are unable, to enforce granular control over their admin privileges. Going back to the earliest versions of Windows with built in networking, administrative rights allowed you to do and access anything within your network. Back then, the operating system itself did not have security built-in to control granular access and provide role-based access and segregation of duties. In those times, most IT professionals just gave everyone administrative rights to their local system because it was the easiest way to ensure everyone had the varying levels of access they needed to do their jobs. The risks of provisioning blanket admin rights were not well understood, and the basic feature of being a local administrator was adopted almost everywhere.
Lack of granular control over administrative privileges remains a problem for many organizations today. This is especially true for environments that tried to mitigate the risk by handing out two credentials: one as a standard user for daily work and one as an administrator for tasks that need elevated privileges. When these two are operating together on the same workstation, the risk to the environment is high due to memory-scraping attacks, like pass-the-hash, and password-stealing tools, like mimikatz, that can pilfer secrets from active processes. Currently, the innovation of the operating system is still behind the security risk, and even techniques like EMET, were bolted-on.
Once an application, malware, or user gains administrative rights, they can effectively do anything to the system. Imagine what happens when a superuser account is breached. A threat actor could have unlimited access to your entire network for as long as it takes for your organization to detect the breach. The threat expands further in scope if that credential is valid across multiple systems. Even tools designed to protect against administrative rights can be thwarted with some creativity and hacking using lateral movement and the exploitation of vulnerabilities (i.e. privilege escalation).
What is the best way to manage threats to administrative privileges?
Remove administrative rights from every user wherever and whenever possible! Administrative rights have not yet evolved enough to be secure, and the best way to actually manage this threat is to consider alternatives. The most effective approach is to literally remove administrative rights everywhere possible and handle any tasks that require elevated privileges as an exception, and not the norm. This has been true since Windows XP, which hopefully is no longer present in your environment. However, the privileged access problem still exists in even the newest Microsoft solutions.
How effective is removing admin rights as a mitigation strategy?
According to the BeyondTrust Microsoft Vulnerabilities Report, 2015-2020 findings indicated that as many as 75% of Critical vulnerabilities could have been mitigated by removing admin rights. Based off those trends, and an understanding of the Windows Microsoft landscape, the 2022 edition of the report estimates the removal of admin rights and the enforcement of least privilege to be pivotal to the ongoing management of Windows vulnerabilities and the overall reduction of the attack surface.
As cybersecurity expert Sami Laiho, Senior Technical Fellow, MVP, shared in the 2022 edition of the report, he has observed that his customers experience 75% fewer service desk tickets and 65% less reinstallations of computers after removing admin rights.
As the data suggests, if information and security teams actually remove admin privileges, the risk to their environments will drastically decrease. They will also be more likely to meet compliance initiatives, cyber insurance requirements, and remain consistent with zero trust principles. Patching is not always possible, or desirable. This is why the removal of admin rights is considered to be such a crucial step in the Windows risk reduction strategy.
Microsoft Windows today – has the threat pattern continued?
In the past, Microsoft Windows has allowed their Windows security concerns to lag behind those of their operating systems. However, Windows security has matured significantly in recent years to better address some of these issues. According to data compiled by the BeyondTrust Microsoft Vulnerabilities 2022 report:
- The number of vulnerabilities across Windows operating systems dropped to 507 (from 907 in 2020).
- Windows vulnerabilities decreased by 40% YoY
- Windows server vulnerabilities decreased by 41% YoY
- Windows Critical vulnerabilities decreased by 50% YoY
That Critical Windows vulnerabilities have halved over the past five years reflects Windows Microsoft’s continued investment in building a more secure operating system. The overall vulnerability picture, however, remains mixed as the reasons for the vulnerability reductions remains slightly elusive. The decrease could be a result of:
- Better security and coding practices
- The end of life for products like Windows 7
- The shift of services to the cloud
- Or, most likely, a combination of all three.
While most of the Microsoft Windows vulnerabilities for 2021 have indicated the high risks of on-premises technology, the fact that most organizations are shifting to the cloud represents a notable potential alteration to the threat pattern. A shift to the cloud could potentially improve an organization’s security by providing a more efficient way to mitigate risks and removing the burden of remediation from the IT security team. This does not mean cloud vulnerabilities do not exist, but rather they are being remediated by the SaaS provider.
Important to note is that, as of the writing of this article, SaaS vendors are not obligated to publish CVEs like their on-premise counterparts. This ultimately makes it difficult for anyone to gather statistics on the impact of vulnerabilities in the cloud, unless they are actually exploited. This reinforces the importance of removing administrative rights to help mitigate the exploit, regardless of the asset on-premise or in the cloud.
Microsoft has provided a solution for the threats the operating system faces every day, when being controlled by the average person. One of the most profound threats, administrative rights for end users, can be solved by simply making everyone a standard user.
In the 2022 Microsoft Vulnerabilities Report, Russell Smith, Editorial Director, Petri IT Knowledgebase, urges that “it is critical that organizations continue to carefully manage administrative privilege use to protect against vulnerabilities in Microsoft’s software.” Smith adds that, “despite the importance of running with standard user privileges for protecting systems and data, it is still not possible to natively manage in Windows today. Organizations need to manage privileged access on endpoints in a flexible and secure way that reduces risks to the business while allowing employees to do their work”.
If an end user really does need local administrative rights for some obscure task, there are native tools from Microsoft and third party vendors to accommodate the use cases without the risk of giving out secondary administrative credentials. While this may sound like a “bolt on” approach to the original problem, it is a viable solution with merits like documenting privileged access for regulatory compliance initiatives.
Privilege Management for Windows
When it comes to third-party solutions that can append windows access security without disrupting the native functionality that has made Microsoft Windows so successful, Russell Smith puts BeyondTrust Privilege Management for Windows at the top.
The thing that makes BeyondTrust’s Privilege Management for Windows so unique is its combination of least privilege management and application control capabilities, which enable the solution to provide:
- Preventative endpoint security by removing all admin rights across all human/non-human identities and accounts, and by elevating access as needed to applications based on the proper content, and only for the duration needed (least privilege and just-in-time access).
- Zero trust controls, such as removing admin rights, enforcing least privilege, stopping standing privileged access (persistent privileges) across Windows desktops/servers, dynamically elevating privileges for applications following just-in-time protocols, etc.
- Advanced protection against lateral movement, ransomware, malware, and insider threats. Removing admin rights is one of the most powerful ways to reduce the attack surface, protect against lateral movement, and defend against both external and internal threats (i.e. malware, email-based threats, living-off-the land attacks, fileless threats, zero day threats, etc.)
- The ability to meet compliance and cyber insurance regulations by offering required capabilities (i.e. removal of admin rights, true least privilege, application control, etc.) and a single audit trail that is quick to access.
- High usability via application control, native integrations, availability across multiple operating systems, and multiple deployment options (i.e. cloud, hardware, and virtual appliance).
Conclusion: Adopt new tech…with the tools that will prioritize your security
You don’t have to be fearful about adopting new technology or the advent of innovative features—as long as you have the tools and solutions in place that can help you manage the prioritization of your security. Managing administrative rights with a holistic approach will mitigate the Windows access security risks. And, if you use many of the features (i.e. a standard user account already built into the operating system), then we can truly allow innovation to catch up to security – at least from a vulnerability, malware, and exploit perspective.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.