Why elevating the issue won’t always alleviate it

October 20, 2017


“We’ve done it!” – The majority of your users have had their admin rights removed, meaning your environment is far more secure than it was before, and you’ve successfully mitigated 85% of critical vulnerabilities in Windows. But are you as secure as you think? A surprisingly common pitfall that we come across in the support team is customers who, either intentionally or unwittingly, elevate everything. Everything.

As a quick summary, there are two main account types: standard user accounts and Administrator accounts. A standard user account is relatively locked down – you can’t make any serious system-wide changes with it. An Administrator, on the other hand, has the keys to the kingdom and can make as many changes as they wish.

Here is where the confusion can begin – since Windows 7 (technically Vista, but we don’t talk about that), every user logs in with standard user rights. The difference is that Administrators have the option to elevate a process when they need it to perform a certain action. This mechanism is User Account Control (UAC), and it is responsible for those “Are you sure you wish to install this program?” type prompts you will have seen on your machines.

Unfortunately, instead of taking the time to create tailored Privilege Management policies (which only elevate specific applications), or a UAC replacement policy (which audits every time a user allows their Privilege Management software to elevate an application or process), they implement a single rule that elevates everything on the machine.

The main reasons for this appear to be a lack of understanding of how Windows handles Administrator rights, the desire to get Privilege Management software into the environment hastily rather than correctly, or simply that it was “easier to get Software XYZ to work instead of having to mess about with policies”.

Believe me when I say that I’d rather you gave every single user their local Administrator rights back than use a Privilege Management configuration that elevates everything without warning.

Those are big words (literally; I put them in bold!), especially in a world where we’re trying to remove admin rights from as many users as possible to adhere to the principle of Least Privilege. But you’re actually better off if your users log in as a local Administrator versus logging in with a misconfigured Privilege Management policy that elevates everything.

Elevating everything in Windows can cause instability in the operating system: many components of the OS are no longer designed to run with admin rights, and forcing them to can make the machine prone to crashing, especially when explorer.exe is elevated. It can also leave certain programs unable to communicate, because the integrity levels of those processes are no longer compatible with the parts of the OS they expect to talk to. At least when running as a real local Administrator with UAC, a user has the chance to cancel any elevation prompt they do not understand or did not explicitly trigger. This is especially relevant when malware tries to gain admin rights by running via infected content delivered through emails, drive-by downloads and so on.
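A quick way to spot the symptom described above on an endpoint is to inspect the token of a shell the user opened normally from the desktop: on a correctly configured machine it runs at Medium integrity, so a High-integrity shell launched from Explorer without any UAC prompt points at a policy that elevates too much. The following audit script is an added example, not BeyondTrust’s code or part of any product; it assumes the built-in whoami and CIM tooling available on a supported Windows client.

```powershell
# Classify the token of the current shell and its parent process (added example).
function Get-TokenSummary {
    # whoami /groups reports the mandatory label as a row of Type 'Label' and marks a
    # UAC-filtered Administrators group with "Group used for deny only".
    $rows   = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $rows | Where-Object { $_.Type -eq 'Label' }       | Select-Object -First 1
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    # Well-known integrity SIDs are S-1-16-<RID>.
    $integrity = switch ($label.SID) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { 'Unknown' }
    }
    $adminState = if (-not $admins)                               { 'NotMember' }
                  elseif ($admins.Attributes -match 'deny only')  { 'FilteredByUAC' }
                  else                                            { 'Enabled' }

    # The parent process tells us whether this shell came from the user's desktop session.
    $me     = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($me.ParentProcessId)"

    [pscustomobject]@{
        Integrity      = $integrity
        Administrators = $adminState
        Parent         = $parent.Name
    }
}

function Get-Verdict ([pscustomobject]$t) {
    if ($t.Integrity -eq 'Medium' -and $t.Administrators -eq 'NotMember') {
        return 'OK: standard user session at Medium integrity'
    }
    if ($t.Integrity -eq 'Medium' -and $t.Administrators -eq 'FilteredByUAC') {
        return 'OK: local Administrator running with a UAC-filtered token'
    }
    if ($t.Integrity -eq 'High' -and $t.Parent -eq 'explorer.exe') {
        return 'WARN: a shell opened from Explorer is already High integrity; if no UAC prompt was shown, a policy rule is elevating it (or Explorer itself)'
    }
    return "INFO: $($t.Integrity) integrity, Administrators=$($t.Administrators), parent=$($t.Parent)"
}

$summary = Get-TokenSummary
$summary
Get-Verdict $summary
```

Run it from a PowerShell window opened via the Start menu or Explorer rather than from an already-elevated console; the warning is a prompt to review the policy, not proof of one, since the script cannot see whether a UAC prompt was answered.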

In the end though, the entire argument is pointless, and is akin to choosing whether you’d like a burglar to enter your house through the front door or an open window. To an attacker, the source of the admin rights does not matter in the slightest. This is why removing admin rights, setting up a well-managed allow list, and implementing a privilege management solution that is correctly configured to only elevate specific required processes, tasks and scripts, is the best way to secure your endpoints.

Gareth Remblance
