This is an updated blog that was first published on May 9, 2018
Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role.
If an attacker is able to successfully target a user who has administrator rights, the attacker may use and abuse their access to establish a foothold, evade defenses, and spread throughout the network.
Understanding how and why it is imperative to limit the number of user accounts with administrative privileges is essential for all organizations, especially in today's world of ever-increasing cyber risk that threatens us all.
What's so important about admin privileges?
Administrative rights are essential to the proper function of any IT infrastructure, as they enable trusted users to install software, to add new accounts, and to generally change and amend the way that systems operate. That said, local admin rights also present a huge risk to the security of your data, as an attacker who infiltrates a business and has access to these rights could do significant harm.
The cornerstone security principle of least privilege (PoLP) entails operating with the least amount of privileges as necessary to execute a particular task. Applying this principle enterprise-wide is a powerful way to vastly minimize an organization’s attack surface. BeyondTrust’s 2021 edition of our annual Microsoft Vulnerabilities Report found that removing admin rights would mitigate 56% of all critical Microsoft vulnerabilities in 2020. A similar analysis a couple years back by Morey Haber, BeyondTrust’s CTO & CISO, found a comparable risk-reduction impact for least privilege with regard to third-party applications, including Google, Adobe, Oracle, Apple, VMware, etc. This means, even absent a patch, least privilege provides strong and broad protection against known and unknown (zero-day) vulnerabilities.
Unfortunately, many organizations still struggle with the practical implementation of least privilege and end up granting excessive admin privileges. And, this doesn’t just apply to endpoints, an Oracle and KPMG Cloud Threat Report found that 37% of organizations are using over-privileged accounts in the cloud. In the past, our own research has shown that more than half of IT professionals admit to providing local admin rights to users, with roughly a quarter of respondents not even knowing which employees within their business have admin rights.
Not only are businesses routinely placing themselves at elevated risk by freely providing admin rights to users, but they are also often not even able to quantify the size of the risk to their organization. In the event of a cyber attack, the difference between an attack being contained and an attack succeeding and spreading often comes down to if the attacker is able to access an admin account. In addition to providing elevated functionalities beyond that of a standard user account, an admin account can also make it easier for an attacker to perform lateral movement and achieve further privilege escalation.
Allowing all users to run with local admin rights is like putting an open sign up to potential hackers.
In recent years, Forrester Research has published multiple reports implicating privileged credentials in 80% or more breaches. This eye-popping statistic is clearly indicative of the larger problem of widespread administrative privilege. Understanding the massive threat that unchecked admin rights can pose to your business has therefore never been more pressing. With all that said, this is not an issue that has gone unnoticed. Indeed, figures published by the UK government in 2021 show that 75% of businesses recognize the security need to limit the allowance of admin rights to their IT users to better safeguard their sensitive and valuable information.
What do admin rights enable users to do?
It may sound simple, but administrative privileges, particularly superuser privileges found with the most powerful privileged accounts, can give carte blanche to users to make far-reaching changes within an organization's IT infrastructure. Here are some common examples:
1. Change registry keys
By offering the ability to directly access and change certain registry keys (though not all reg keys require privileged access), admin rights enable users to bypass Group Policy Object (GPO) settings and other central management policies whenever they choose. This essentially means that local admin users potentially have access to all areas, at all times.
2. Take control of system services
Admin rights enable users to stop or disable services such as anti-virus, monitoring, and firewalls. Giving users (or an attacker) the ability to switch off these key safeguards represents a significant risk.
3. Take ownership of files and folders
Local admin rights enable users to own any file on the system, period—and privileges always beat permissions. It means admin users have the ability to change ownership of important documents or folders and either restrict access, copy or transfer data without other authority, or tamper with protected security policies. Admin rights also allow the privileged user to restrict access to files, preventing security tools from checking if they are safe.
4. Manage certificates for the local machine
The ability to manage certificates for the local machine means admin users pose an increased risk of exposing others to phishing and man-in-the middle attacks. By installing a fake certificate authority, malicious users can trick others into believing they are visiting trusted sites or receiving information from a trusted source, when they are not.
5. Use port scanning tools
Capturing network traffic allows the potential for admin users to find vulnerabilities within a network. The use of port scanning tools is a common means for those with administrative privileges to identify network services running on a host and to shore up their defenses, but this also allows malicious users to find and exploit vulnerabilities.
6. Go from Admin to System
Admin users are able to create scheduled tasks to run as System, which is the highest level of privilege available. Applications can be set to run bypassing User Account Control (UAC) protocols, while processes can be run as System too. This means malicious software can be embedded and set to trigger in the future, with the ability to disable or control any security software on the endpoint.
7. Install and uninstall any application or patch
With freedom to install, update, or remove any application or software, users with admin rights can inadvertently leave the IT environment open to vulnerabilities. As these individuals do not necessarily know the full implications of their actions, this can pose a serious risk to system stability and data security. Attackers will often socially engineer admin users into installing fake or unwanted software that contains malicious code.
8. Cover tracks
With the ability to make any changes within an IT system, this means admin rights allow users or attackers to effectively cover their tracks. They are able to delete applications, system and security event logs, as well as disable monitoring solutions.
9. Manage and create your own users
The freedom to create new accounts and to set their privilege level means that any compromised local administrator account has the ability to create multiple new local admins in the future. This capability poses a serious risk to security, with the potential to give lasting access to malicious users outside your organization. If the attacker is able to compromise a domain admin, then persistent access could be permitted across the entire domain.
10. Access any part of the OS
With the ability to freely access any part of the operating system or network, malicious individuals with admin privileges can set 'traps' for users with higher privilege, such as Domain Admins. Unrestricted admin rights therefore pose a significant risk around privilege escalation attacks and lateral movement.
Achieving balance between productivity and security
"The common misconception is that a user with local admin rights can do little harm and that administrative actions taken at the endpoint are isolated to the endpoint itself. Neither assertion is true." Lori Robinson, Gartner.
Put quite simply, even local admin rights can have broader consequences. Any hacker who manages to infiltrate an endpoint and gain access to admin privileges can cause untold harm to an organization. However, businesses must understand that implementing a blanket withdrawal of admin rights will reduce the ability of personnel to be productive in their role.
It is this balancing act between security and productivity that all companies must embrace, but this is precisely where Endpoint Privilege Management (EPM), one of the core pillars of privileged access management (PAM), plays a crucial role. With a robust EPM solution, operating an environment of least privilege means organizations are able to enforce a stronger security posture, without the need to limit operational agility—and this is where BeyondTrust Endpoint Privilege Management can provide unrivalled support.
BeyondTrust Endpoint Privilege Management products for Windows, macOS and Unix/Linux combine best-in-class privilege management and application control, making admin rights removal simple to ensure compliance, security and efficiency. BeyondTrust Endpont Privilege Management products can be rapidly deployed so that organizations can make leaps in risk-reduction, fast. Our solution leverages a wide range of validation criteria to elevate applications securely and flexibly, and elegantly scales to meet the demands of even the largest and most complex organizations. Powerful rules engines and comprehensive exception handling features help minimize the impact on end users and IT teams alike.
You can find out more about our award-winning Endpoint Privilege Management solution by visiting our product page. And, if you’re ready to learn more, or to speak with someone, you can contact us today.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.