IT managers could avoid grief by curtailing admin rights in Windows

Study shows 90 percent of Windows 7 bugs 'mitigated' by access control

Microsoft endures a lot of criticism for its Patch Tuesdays, frequent vulnerabilities and security weaknesses, but many times, users bring those problems on themselves by not using the access management tools they have at their disposal, say two people in the access management field.

A study out today from BeyondTrust, of Agoura Hills, Calif., shows that 90 percent of the stated critical vulnerabilities in the Microsoft Windows 7 operating system since it was released to manufacturing in July of last year would be mitigated if IT managers weren't so permissive in granting administrator rights to employees who should be assigned the more restrictive standard user rights.

BeyondTrust, which reviewed all 190 Microsoft-published vulnerabilities in 2009, also reports that 100 percent of vulnerabilities in Windows Office, 100 percent of Internet Explorer 8 vulnerabilities, 94 percent of vulnerabilities in all IE versions and 64 percent of all Windows vulnerabilities in total would be mitigated with better access management.

Now, mitigated is kind of a squishy word. It doesn't mean the threats would be eliminated altogether, and BeyondTrust sells access management software so you have to take that into account. Nonetheless, these are impressive numbers.

In IT systems, you're either an administrator or a standard user, said Saurabh Bhatnagar, vice president of product management at BeyondTrust. If you're only a standard user, you can't use some software applications that require elevated privileges, you may not be able to use ActiveX or you may not be able to load drivers onto your computer.

But those limitations can sometimes be a pain, Bhatnagar said. For instance, an employee on the road may need to print something off of his computer but can't load a printer driver. "At the end of the day, it might restrict how productive I can be in my job. So the solution might be 'Why don't we make everybody an administrator and relieve them of all these constraints?'" he said.

The reason a company shouldn't want to make everybody an administrator, Bhatnagar continued, is that not every employee is as "security-centric" as, say, the chief information security officer, and could open doors for attacks. "[Companies] are being forced to choose between the loss of productivity and the loss of security. They pick and choose but they lose both ways," he said.

BeyondTrust's Privilege Manager allows IT administrators to grant and rescind access to end users as needed, such as to certain applications or Web sites, and can grant access for limited time periods.

Scott McCarley, BeyondTrust's marketing director, says that while not all the details are known, it appears that the hackers in China who recently broke into the Gmail accounts of Chinese dissidents exploited a vulnerability in IE6 to install a key logger to steal password information. "Quite possibly, they were able to install the key logger because they gained the administrative privileges of the logged-in user."

BeyondTrust based its study on information published by Microsoft. Of the 32 pages in its report, 25 detail each vulnerability, including what Microsoft considered mitigating factors that could have limited it.

"In the vast majority of circumstances, configuring users to not have administrative rights is a mitigating factor," McCarley said.
