BeyondTrust

When privileges start to 'creep'…

October 20, 2017


Bad privilege management is as dangerous as none

Using tools native to the operating system to convert Windows networks into an environment where administrator-level privileges are the justified exception rather than the rule is often mistaken for a discrete destination, when it is really part of a long, ongoing and complicated journey.

It's an easy mistake to make. Many organizations find themselves simultaneously running up to three significant generations of Windows: XP, Windows 7 and Windows 8, plus one or two way points in between such as Vista and Service Packs. Each of these comes with slightly different ways to manage standard and administrator accounts. These include the evolving controls in User Account Control (UAC) and related technologies such as XP's prototype allowlisting technology, Software Restriction Policies (SRP), and Windows 7's AppLocker.

The confusion organizations feel about privilege management and the principles of least privilege can become bound up with their eagerness to migrate from one version to another, and occasionally their reluctance to do so. Are the controls on offer from Windows sufficient on their own and will standard user accounts be manageable across different versions at the same time?

This is the 'temptation of UAC': the blind assumption that the adoption of operating system-level privilege restriction is the magic seed from which to germinate watertight user and application security, when it should be seen as more of a conceptual building block.

UAC's limitations are legion, particularly the difficulty of making it work with the large body of legacy applications that still require administrator privileges to work. This can flood the IT department with support calls from disgruntled users, forcing staff to adopt a policy of exceptions that twist and eventually warp security policies. Over time, these exceptions build up, causing a 'privilege creep', a sort of slow aging of the security state to a situation where, once again, too many users have undocumented privileges.

The organizational risk of wishful privilege management is that the 'creep' isn't noticed and a check-box mentality takes over. In this scenario, management assumes that privileges have been contained, not realizing that this policy is being eroded from within. From the outside it looks rosy. Most users are running as standard most of the time, except when they aren't, and the administrators have lost small but potentially critical amounts of control and oversight.

A process that started with a desire to control and rationalize administrator-level privileges by defaulting users to standard mode ends in slow-motion chaos.
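
An added example, not from the original post or from any vendor product: one way to make the creep described above visible is to compare periodic exports of local Administrators membership against the documented exception register. The host names, accounts, dates and register layout below are constructed assumptions.

```python
from datetime import date

# Constructed sample data: the documented exception register (who may hold
# local admin on which host, and until when). All names are hypothetical.
EXCEPTIONS = {
    ("WS-014", "CORP\\jlee"): date(2014, 6, 30),   # legacy app needs admin
    ("WS-022", "CORP\\mroy"): date(2014, 1, 31),   # temporary grant
}

# Constructed snapshots of local Administrators membership per host,
# e.g. exported periodically by whatever inventory tooling is in use.
SNAPSHOTS = {
    date(2014, 1, 1): {"WS-014": {"CORP\\jlee"}, "WS-022": {"CORP\\mroy"}},
    date(2014, 3, 1): {"WS-014": {"CORP\\jlee", "CORP\\akhan"},
                       "WS-022": {"CORP\\mroy"},
                       "WS-031": {"CORP\\tdiaz"}},
}

def audit(snapshot, taken_on, exceptions):
    """Classify every admin grant in one snapshot against the register."""
    findings = {"documented": [], "expired": [], "undocumented": []}
    for host, members in sorted(snapshot.items()):
        for account in sorted(members):
            expiry = exceptions.get((host, account))
            if expiry is None:
                # Nobody recorded why this account is an administrator.
                findings["undocumented"].append((host, account))
            elif expiry < taken_on:
                # The exception was approved once but never revoked.
                findings["expired"].append((host, account))
            else:
                findings["documented"].append((host, account))
    return findings

def creep_trend(snapshots, exceptions):
    """Grants outside policy (undocumented + expired) per snapshot date."""
    trend = []
    for taken_on in sorted(snapshots):
        f = audit(snapshots[taken_on], taken_on, exceptions)
        trend.append((taken_on, len(f["undocumented"]) + len(f["expired"])))
    return trend

if __name__ == "__main__":
    for taken_on, count in creep_trend(SNAPSHOTS, EXCEPTIONS):
        print(taken_on, "grants outside policy:", count)
```

A rising count between snapshots is the erosion the check-box view misses: each individual grant looked reasonable when it was made.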

Some might complain that only the most incompetent organization will fall off the rails that easily. Applications can be re-purposed to run in standard mode and in other cases they can be replaced altogether. This is undoubtedly true in some cases but the pervasiveness of XP nearly seven years after its successor was launched suggests a more complex picture in which organizations persist with the older OS for reasons that surely include application and security compatibility.

The death of XP

As the demise of Windows XP support in April 2014 underlines, the issue of privilege design is reaching a crunch point; whether they like it or not, organizations face an urgent review of their approach to privileges as they migrate to Windows 7 and 8.

We started this piece by comparing privilege control to a journey. If that analogy holds true, the ultimate destination is to make an organization more secure, and demonstrably so for reasons of compliance. The first element – security – is unpleasantly abstract, the second – compliance – complex. Arriving at these stations isn’t easy when using tools native to Windows, but there is another way.

Least privilege systems such as Avecto's Defendpoint bridge the impasse by integrating the two worlds of access control with policy management in a single layer that can not only help control privileges but model how they are being used and by whom on any network. This gives IT teams a way of planning their migration to standard user operation as well as offering complete oversight into the exceptions as they are added. It's a world of comprehensive reporting that can transform the control of admin privileges into something that generates knowledge instead of uncertainty and make-believe.

John Dunn,
