Mon | Mar 30, 2020 | 11:34 AM PDT

If you have invested in a Microsoft Windows ecosystem, you have come to realize the benefits of an integrated desktop and server architecture built on the same underlying platform. No other vendor has produced a successful server and desktop operating system pair that excels in security, compatibility, authentication, and architecture. Whether you love Microsoft or find its solutions inadequate, there is no denying its worldwide acceptance and market share in information technology.

Microsoft solutions, however, do have one flaw that has plagued them since Windows for Workgroups 3.11 in the early 1990s: security has always been an afterthought, continuously playing catch-up to the innovation of the operating system and its features. Consider autorun for CD/DVDs and USB removable media, guest-accessible file shares, and the default administrative share (C$) that exposes the entire system volume over the network to anyone holding administrative credentials. At the time, these were great ideas, but threat actors quickly learned how to abuse them as conduits for malicious activity. Innovation came first, and the security of that innovation came second. An analysis of what could go wrong and how to secure the feature only appeared after a vulnerability was discovered and an exploit was determined to be a risk to the business.

After all, with cloud capabilities like OneDrive and Dropbox, why do we even use SMB shares in many environments? And with all the advanced remote access solutions on the market, why do we still use RDP? Because we have technical debt, and other solutions, such as backup utilities, depend on them. The features Microsoft created helped build and modernize our IT infrastructure, but they also introduce risk, and in some cases that risk is now completely unacceptable and must be mitigated.

One flaw that affects all computing devices, and is especially painful on Microsoft Windows, is administrative privileges. Once an application, malware, or user gains administrative rights, it can effectively do anything to the system, and even tools designed to protect against administrative rights can be thwarted with some creativity and hacking. That is not necessarily a bad thing in itself, but going back to the earliest versions of Windows with built-in networking, administrative rights allowed you to do anything, and there was very little granularity for role-based access or segregation of duties. If you were an administrator, you could do anything, and most IT professionals simply gave everyone administrative rights to their local system because it was the easiest thing to do, the risks were not well understood, and the operating system itself had no security built in to control granular access. So the practice of running as a local administrator was adopted almost everywhere, and for many organizations it is still a problem today. This is especially true for environments that tried to mitigate the risk by handing out two credentials: a standard user account for daily work and an administrator account for tasks that need elevated privileges. When both are used on the same workstation, anything that compromises the standard session (a keylogger, or credential theft from memory) can capture the administrative credential as soon as it is typed, so the risk to the environment remains high, and the innovation of the operating system is still behind the security risk.

That is the history lesson. Administrative rights have not evolved enough to be secure on their own, so the best way to manage this threat is to consider alternatives. The most effective one is to remove administrative rights everywhere possible and treat any task that requires elevated privileges as an exception rather than the norm.

To support this mitigation strategy, let us first consider the risks. According to the BeyondTrust Microsoft Vulnerabilities Report for 2020, removing administrative rights from daily operations would have mitigated, in 2019:

  • 100% of critical vulnerabilities affecting Internet Explorer and Edge browsers.
  • 80% of critical vulnerabilities affecting Windows 7 (before its EOL in January 2020), 8.1, 10, and Server editions.
  • 77% of all Microsoft critical vulnerabilities, across all of its products.

The conclusion is blindingly obvious. Despite the laggard nature of security in Windows, Microsoft has indeed provided a solution for the threats the operating system faces every day when used by the average person.

Remove administrative rights from every user wherever and whenever possible.

This has been true since Windows XP, and if information and security teams actually do it, the risk to their environments will drop drastically; the statistics support it. And anecdotally, in a recent conversation with a senior security officer from a Fortune 100 company, they indicated that malware infestations alone decreased 95% by just removing administrative rights from all of their users.

Microsoft has in the past lagged in security for its operating systems, but it has matured significantly in recent years, and one of the most profound issues, administrative rights for end users, can be solved simply by making everyone a standard user. If an end user really does need local administrative rights for some obscure task, there are native tools from Microsoft and third-party vendors that accommodate those use cases without the risk of handing out secondary administrative credentials. While this may sound like a "bolt-on" approach to the original problem, it is a viable solution with merits of its own, such as documenting privileged access for regulatory compliance initiatives.
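The first practical step toward "everyone is a standard user" is finding out who is actually a local administrator on each workstation and taking the surplus members out. The following PowerShell script is an added example and is not code from the original post or from BeyondTrust; the allow list and report path are hypothetical placeholders to be adjusted for your own environment. It audits the local Administrators group, writes a before/after record for compliance evidence, and removes every member that is not on the allow list.

```powershell
# Added example (not from the original post): audit the local Administrators
# group on a workstation and remove every member that is not on an allow list.
# Assumptions (hypothetical): the allow list below names the accounts your
# organization keeps in the group; adjust it before running. Requires the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later)
# and an elevated session.
#Requires -RunAsAdministrator

[CmdletBinding(SupportsShouldProcess)]
param(
    # Accounts allowed to remain local administrators (assumed values).
    [string[]]$AllowedMembers = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local Administrator
        "$env:USERDOMAIN\Domain Admins"       # domain group, if domain-joined
    ),
    # Where to write the audit record (assumed path) for compliance evidence.
    [string]$ReportPath = "$env:ProgramData\LocalAdminAudit\$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# Enumerate current members; Name comes back as COMPUTER\user or DOMAIN\group.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

# Decide, per member, whether it stays or goes (-contains is case-insensitive).
$report = foreach ($m in $members) {
    $allowed = $AllowedMembers -contains $m.Name
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Member          = $m.Name
        ObjectClass     = $m.ObjectClass      # User or Group
        PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Action          = if ($allowed) { 'Keep' } else { 'Remove' }
    }
}

# Persist the record before changing anything, then show it on screen.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize

# Remove the surplus members. ShouldProcess makes -WhatIf / -Confirm work.
foreach ($entry in ($report | Where-Object Action -eq 'Remove')) {
    if ($PSCmdlet.ShouldProcess($entry.Member, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $entry.Member
    }
}
```

Run it with `-WhatIf` first to see what would be removed without touching the group. Two caveats worth knowing: a user who is currently logged on keeps the administrative group in their existing token until their next logon, so removal is not instantaneous for active sessions, and the allow list should be kept deliberately short, since every name on it is an account whose compromise hands over the whole machine.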

In the end, do not let innovation and features stop you from adopting new technology. Managing administrative rights with a universal approach will mitigate the risks, and if you use the features already built in to the operating system (since Windows XP), such as the standard user account, then we can truly allow innovation to catch up to security, at least from a vulnerability, malware, and exploit perspective.
