The Rise and Rise of ‘Standard’ Mode

October 20, 2017

User Account Control was a great idea but it has taken privilege management to fulfill its potential

How did computer security get into such a troubled and confused state? It’s a question security professionals must ask themselves on a daily basis as they face demands that threaten to explode budgets while offering no guarantee that any of the expensively-assembled defenses will actually work.

The roots of the malaise go back to the early years of the millennium, when enterprises and consumers using Windows 2000 and Windows XP were suddenly ambushed by waves of clever software attacks that warned the world that criminals had floored an evolutionary accelerator pedal. By the time Windows XP received its first major security upgrade in the form of Service Pack 2 in 2004, it was becoming clear that security had entered an unsettling era that might take decades to play out.

In the new world, software flaws would need incessant patching, signature-based antivirus would slowly lose its effectiveness against an array of innovative malware types, and every scrap of data would be at risk. The security industry offered lots of security products but each solved only one part of the problem, while the accumulation of dedicated systems created a new and bigger problem of expensive, unmanageable complexity.

The nastiest discovery of all was that an organization’s biggest vulnerability was the one thing it couldn’t do without, namely its employees and partners. Even where security could block a type of attack on a technical level, stopping social engineering, carelessness or outright malevolence from within looked like an impossible task.

UAC arrives

The painful lesson of hindsight is that a much simpler reform – changing the way system privileges are handed to users and applications – could have headed off a good proportion of these threats in one fell swoop. By the time it released XP SP2, Microsoft had realized that the model of handing out unrestricted administrator privileges was being exploited by malware to gain control over targets, and it started work on what, by the launch of Vista in 2007, turned into User Account Control (UAC).

In theory, by running users with standard user accounts wherever possible, UAC improved security, but too often it did so at the expense of manageability and ease of use. As the experience of using a PC deteriorated, malware writers started using social engineering to get round UAC prompts. Despite useful tweaks in Windows 7, the weakness of UAC has remained. To act as a meaningful barrier, it must be centrally managed, but this can quickly turn into an uncomfortably manual process; all that a basic UAC system does is pass the responsibility for elevating an application’s demands from the end user to an admin who is even more remote from what is happening on the PC.

The idea of restricting privileges using UAC was a powerful one but, like a rough diamond, it needed more polishing if it was to act as a control on the risky and dangerous elevation of privileges and not as an impractical block on employee productivity. A further limitation was that it assumed that the PC was sitting on a desk inside the network perimeter, within reach of a support desk, when increasingly it was being used remotely.

PCs become endpoints

As far as enterprises were concerned, UAC fitted into a larger technological change, the coming of the 'endpoint'. Endpoints are principally Windows PCs, but they can also now be smartphones, tablets, and embedded devices, each one coming with its own set of weaknesses. Enterprises looked for systems that could coordinate the defense of these diverse platforms using traditional anti-malware, endpoint device controls, data security and encryption, and patch management. Eventually, high-level management systems such as McAfee’s industry-leading open platform, ePolicy Orchestrator (ePO), emerged to tie together the different endpoint layers into a single, policy-driven whole.

Each defense served its security purpose, but the innovation of Windows’ UAC and privilege restriction would have been left in a parallel silo had it not been for a crucial development: privilege security systems such as Avecto’s Defendpoint. This layer has helped make running users in standard mode a mainstream and attainable state rather than the time-consuming inconvenience it was in danger of becoming.

Least privilege software doesn’t block attacks so much as cut the vulnerable surface to the absolute minimum, preventing malware and the malevolent from finding a path to their targets. Running users and applications in standard mode immediately puts attackers on the back foot.

In 2013, Avecto cemented the place of privilege management in the world of endpoint control by releasing a version of Defendpoint that can report into and be managed through ePO, offering a way for McAfee customers to access least privilege technology without changing their console.

Adding UAC to Windows provided a blunt mechanism for controlling privileges on PCs, but it has taken until the emergence of full-blown privilege management systems to overcome its deepest flaws. The irony is that the mechanism – restricting users to standard rather than admin mode wherever possible – has been there for years but has never been accessible without major compromises. It is possible to say that through sophisticated privilege management, the promise of UAC is at last being fulfilled.

John Dunn
