Getting Least Privilege Right on Windows
Windows doesn’t make least privilege easy
Enforcing least-privilege access policies on Windows has never been easy, especially since some fundamental flaws have haunted the OS since the mid-1990s. Consider the following permissions issues:
- Windows 95 and 98 had a logon screen and could even be joined to the domain, but users could bypass the prompt simply by pressing ESC.
- Windows XP improved things a bit by requiring users to hit Ctrl-Alt-Del to log in. However, even when privileges were limited to standard user, you could still create accounts from the command prompt and bypass security a dozen different ways. It’s good that XP is finally EOL.
- Windows Vista introduced the infamous User Account Control (UAC) prompts for almost every common task. Most companies had to turn them off, but at least Microsoft fixed some backdoors.
- Windows 7 fixed many of the above problems, but it contains no granularity for enforcing least-privilege access to OS functions and applications. This is the staple OS for the vast majority of businesses today.
- Windows 8.x introduced the new UI and improved many security features. Unfortunately, it also added new complexities with Microsoft Live logins, the new App Store, and a UI many organizations are having a tough time adopting. And there’s still no least-privilege access to OS tasks and applications.
These problems not only plague the Windows desktop OS, but are also exacerbated on Windows Server, since many of its daily maintenance functions require administrative privileges. Consider how meaningless RDP, MMC, or even the command prompt are without administrator privileges. It’s virtually impossible for non-administrators to properly maintain Windows Server, even with Power User capabilities.
The next obvious question is, “How do you enforce least-privilege policies on desktop and servers without sufficient OS tools?” The answer is PowerBroker for Windows.
The PowerBroker for Windows approach to least privilege
PowerBroker for Windows solves the least-privilege access problem on all of the above operating systems by requiring all users to log into the OS with standard user privileges. Users and/or computers can then operate with elevated privileges based on policies and rules hosted through either Active Directory Group Policy or the solution’s own web services. For example, if the user wants to add an ODBC connection or launch a program like AutoCAD (which both require administrative privileges), a rule is created to elevate the application, not the user, to perform the task.
It’s easy to create PowerBroker for Windows rules based on a myriad of variables such as publisher, path, hash, and even known application vulnerabilities. The solution ships with an extensive rules library covering the most common applications and functions. It also includes the BeyondInsight IT Risk Management Console, which documents, reports and alerts on all legitimate and unauthorized privileged activity in your organization. In addition to the obvious analytics and reporting benefits, this has practical applications such as recording when applications are requesting elevated permissions, for easy and consolidated rule creation.
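To make the "elevate the application, not the user" rule model concrete, here is an added example that is not PowerBroker's code and uses no Windows API: a small evaluator that matches a program launch against rules built from publisher, path pattern and file hash, and returns which rule (if any) would elevate it. The rule names, publisher strings, paths and file contents are all constructed for the example.

```python
"""Added illustration of application-level elevation rules.

This is example code, not PowerBroker's implementation. Each rule
names the application it elevates by publisher, path pattern, and/or
file hash; the user stays a standard user, and only a launch that
satisfies every constraint of some rule runs elevated.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AppLaunch:
    """What an agent can observe about a program the user is starting."""
    path: str
    publisher: Optional[str]  # Authenticode signer subject; None if unsigned
    image: bytes              # file contents (constructed inline below)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.image).hexdigest()


@dataclass(frozen=True)
class ElevationRule:
    """Constraints are ANDed; a rule with no constraints never matches (fail closed)."""
    name: str
    publisher: Optional[str] = None
    path_glob: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, app: AppLaunch) -> bool:
        checks = []
        if self.publisher is not None:
            # An unsigned binary can claim any name; require a real signer match.
            checks.append(app.publisher is not None and app.publisher == self.publisher)
        if self.path_glob is not None:
            # Windows paths are case-insensitive, so compare lower-cased.
            checks.append(fnmatch.fnmatchcase(app.path.lower(), self.path_glob.lower()))
        if self.sha256 is not None:
            checks.append(app.sha256 == self.sha256)
        return bool(checks) and all(checks)


def decide(app: AppLaunch, rules: List[ElevationRule]) -> Optional[str]:
    """Return the name of the first rule that elevates this launch, or None
    (the program then runs with the user's standard privileges)."""
    for rule in rules:
        if rule.matches(app):
            return rule.name
    return None


# --- constructed sample data (not real binaries, signers or hashes) ---------
ACAD_IMAGE = b"MZ constructed AutoCAD image"
ODBCAD_IMAGE = b"MZ constructed odbcad32 image"

RULES = [
    ElevationRule(
        name="AutoCAD (publisher + path)",
        publisher="Autodesk, Inc.",
        path_glob=r"C:\Program Files\Autodesk\*\acad.exe",
    ),
    # A hash rule is created from the known-good file at rule-creation time,
    # which is what this does with the constructed image.
    ElevationRule(
        name="ODBC Administrator (hash)",
        path_glob=r"C:\Windows\System32\odbcad32.exe",
        sha256=hashlib.sha256(ODBCAD_IMAGE).hexdigest(),
    ),
]

AUTOCAD_OK = AppLaunch(r"C:\Program Files\Autodesk\AutoCAD 2015\acad.exe",
                       "Autodesk, Inc.", ACAD_IMAGE)
# The same signed binary copied out of Program Files: path constraint fails.
AUTOCAD_COPIED = AppLaunch(r"C:\Users\alice\Downloads\acad.exe",
                           "Autodesk, Inc.", ACAD_IMAGE)
ODBC_OK = AppLaunch(r"C:\Windows\System32\odbcad32.exe",
                    "Microsoft Windows", ODBCAD_IMAGE)
# Right path, modified contents: hash constraint fails.
ODBC_TAMPERED = AppLaunch(r"C:\Windows\System32\odbcad32.exe",
                          None, ODBCAD_IMAGE + b"!")
# Unsigned file sitting in the AutoCAD directory: publisher constraint fails.
UNSIGNED = AppLaunch(r"C:\Program Files\Autodesk\AutoCAD 2015\acad.exe",
                     None, b"MZ something else")

if __name__ == "__main__":
    for launch in (AUTOCAD_OK, AUTOCAD_COPIED, ODBC_OK, ODBC_TAMPERED, UNSIGNED):
        print(f"{launch.path}: {decide(launch, RULES) or 'standard user'}")
```

The point of ANDing the constraints is that each one covers a gap in the others: a path alone can be satisfied by dropping any file at that path, a publisher alone elevates every binary that vendor ever signed wherever it sits, and a hash alone breaks on every update. A real deployment would also log each decision, which is what the console described above does for rule creation and auditing.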
Implementing Least Privilege on Windows is an achievable goal, but native tools won’t get you there. With PowerBroker for Windows, end users always operate with least privileges, and administrators can manage servers without needing local or domain credentials. It’s one thing to remove administrative rights when they are not needed. It’s another to allow specific access to applications and OS functions so users can perform their daily tasks in a safe computing environment. PowerBroker for Windows does just that!
Wait, what about least privilege on non-Windows platforms?
If you rely on Mac and UNIX/Linux platforms over Windows, you do have it a little easier when it comes to least privilege. However, challenges still exist; for instance:
- Mac OS X includes a model that protects key operating system functions and applications. For example, you can’t modify Time Machine, Users, or any security settings without administrative privileges. You can, however, change network settings and other sensitive areas as a standard user. There are ways to lock this down but, if administrative access is given to the command prompt, anything can be done just like root on UNIX or Linux. The model is cleaner than Windows, but it still lacks granular control – especially for programs where administrative access is required every time a session boots in bridged mode (e.g., VMware Fusion).
- UNIX/Linux platforms offer by far the most granularity in least-privilege control, but they still falter for third-party applications. sudo can assist, but managing sudoers files is a daunting task for many larger organizations. In addition, managing scripts, third-party commands, etc. is not within the operating systems’ capabilities – much like Windows.
Need a least privilege solution for Mac and UNIX/Linux?