Removing administrator-level rights from regular users could block the
majority of attacks that exploit Microsoft Windows vulnerabilities.
That's the claim of a report released by security vendor
BeyondTrust. For the report, the company investigated all of the
security bulletins released by Microsoft in 2010, which detailed a
total of 256 vulnerabilities.
Looking at those 2010 vulnerabilities, BeyondTrust found that PCs
that weren't running with administrator-level rights would have
blocked 64 percent of all Microsoft vulnerabilities, 75 percent of
critical Windows 7 vulnerabilities, and all Microsoft Office and IE
vulnerabilities. In addition, removing administrator rights would
have stopped 82 percent of remote code execution vulnerabilities,
which enable an attacker to run arbitrary code on compromised
systems.
The report points to a piece of best-practice advice that's often
found in Microsoft's security bulletins. Namely, that "users whose
accounts are configured to have fewer user rights on the system
could be less impacted than users who operate with administrative
user rights."
Not coincidentally, the company behind the report sells software
that can monitor, restrict, or delegate access to root passwords on
different operating systems. But is there merit in this approach as
a technique for helping mitigate Windows vulnerabilities--and
especially zero-day attacks that attempt to exploit
never-before-seen bugs?
In an email interview, Jack Koziol, director of information
security training firm Infosec Institute, said it's likely the
report is accurate in its charting of the number of attacks that
would have been blocked by restricting administrative-level access.
"Many of the current exploits out there require you to have
admin/system access on the exploited system," he said.
"There is a major caveat to that though," he said. "One of the
primary concepts we teach in our penetration-testing class is that
of privilege escalation. If you have non-root or non-administrator
level access to a system, you must attempt to escalate privileges
in order to access sensitive portions of the OS."
Accordingly, if attackers are gunning for a system that restricts
administrative-level access, "exploitation becomes a two-step
process instead of a single step," said Koziol. "First, you get a
foothold on the box with regular user access, secondly you gain
admin access via privilege escalation attack--perhaps via a kernel
vulnerability."
Some approaches to managing administrative-level access might block
these types of attacks, he said. But in a more directed attack
against a specific target, he said, don't discount an attacker
finding a way around the defenses, for example by exploiting a
kernel-level vulnerability.
Those caveats aside, for organizations that want to control
admin-level access, there are multiple approaches--some free.
According to a blog post by Neil MacDonald, a vice president and
distinguished analyst at Gartner, free approaches include
Microsoft's User Account Control--but it's only built into Windows
7 and Vista--as well as a community version of ScriptLogic.
Meanwhile, commercial options for controlling admin-level access by
application on "an exception by exception basis" include
BeyondTrust, Avecto, Viewfinity, and Symantec/Altiris, he said.
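Whichever product or free control is chosen, the first step is to find out whether users are actually running without administrator rights and whether UAC is in a state that enforces that. The following PowerShell audit is an added example, not code from the BeyondTrust report, from any of the vendors named above, or from the article; it assumes Windows PowerShell 3.0 or later on a Windows 7 or newer machine, and the allow-list of expected Administrators members is a hypothetical baseline that must be adjusted per environment.

```powershell
# Added example (not from the report or the article): audit whether a Windows
# machine is really enforcing least privilege. Assumes Windows PowerShell 3.0+
# on Windows 7 or later; run it from an elevated prompt so the local-group and
# registry reads succeed.

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group via ADSI, which works back to
    # Windows 7 (Get-LocalGroupMember only exists on Windows 10 / Server 2016+).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name    = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Name = $name; Path = $adsPath }
    }
}

function Get-UacState {
    # UAC policy lives under this key. EnableLUA = 0 turns UAC off entirely, so
    # every logon by an admin account runs with a fully elevated token.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-CurrentTokenElevated {
    # True when the current process token is in the Administrators role,
    # i.e. the session this script runs in is itself elevated.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# ---- report ----
$uac      = Get-UacState
$findings = @()
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA <> 1): admin logons run fully elevated.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'Admins elevate silently (ConsentPromptBehaviorAdmin = 0).'
}
if ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += 'Elevation prompts are not shown on the secure desktop (spoofable).'
}

# Hypothetical baseline: only the built-in Administrator and Domain Admins are
# expected in the local group. Anything else is a candidate for removal.
$allow   = @('Administrator', 'Domain Admins')
$members = Get-LocalAdminMembers
$extra   = $members | Where-Object { $allow -notcontains $_.Name }
foreach ($e in $extra) {
    $findings += "Unexpected member of local Administrators: $($e.Path)"
}

"Current token elevated : $(Test-CurrentTokenElevated)"
"Local Administrators   : $(($members | ForEach-Object { $_.Name }) -join ', ')"
"ConsentPromptBehaviorUser: $($uac.ConsentPromptBehaviorUser) (0 = standard users are denied elevation)"
if ($findings.Count -eq 0) { 'No least-privilege findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run from an elevated prompt on each workstation (or through the remoting channel of your choice); a daily user account appearing in the local Administrators group, or EnableLUA set to 0, is exactly the configuration under which the report's mitigated vulnerabilities would still have succeeded.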
But the best approach, said Koziol, would be to overhaul Windows.
"The real solution to this problem is to re-engineer Windows to
allow regular users to do everything they need without the
possibility of compromising the [trusted computing base] of the OS.
The last real OS to do this was VMS. After that--well, you know the
story," he said.
On the other hand, client/server operating systems as well as
cloud-based applications inherently prevent these types of attacks,
he noted, because users are never granted access to the trusted
computing base.