Presentation is loading. Please wait.

Presentation is loading. Please wait.

Local Administrator Rights

Published byΑἰνέας Δουρέντης Modified over 5 years ago

Similar presentations

Presentation on theme: "Local Administrator Rights"— Presentation transcript:

1 Local Administrator Rights
Patrick Seymour Sinclair Community College

2 How Do You Handle Admin Rights?

3 Reasons For Admin Rights
Applications (un)installation and updating running Issues Protected areas of the file system and/or registry Checks for admin rights, whether it needs them or not Publisher requires admin rights Users see this as a freedom issue: the ability to customize and control their own device. Users in some type of R&D role especially need the ability to manage software.

4 Reasons For Admin Rights
Fonts (permanent installation) Print (or any) drivers ActiveX controls System utilities, Control Panel applets, etc. Turn Windows Features On/Off Device Manager Defrag Network configuration Some times, it makes sense to restrict system utilities. But some, like defrag, are safe, and you may want to allow.

5 Reasons For Admin Rights
Mobile users Home-based worker, needs to connect to their printer. Users at conferences or other events, need to install or update something.

6 Reasons For Admin Rights
“We’ve always done it this way.” Expensive to remove. IT resources are already constrained. Rarely an issue. Data is stored elsewhere; just re-image the device. Malware infections are rare, and the ones that do occur do not depend on admin rights

7 Reasons Against Admin Rights
Malware, except most ransomware (90%, per CyberArk) NotPetya encrypts MBR if it gains admin rights. Users can disable protection systems (anti-malware, firewall, disk encryption, etc.) Users can change configuration in a damaging way. Create or change services, which can run as the System. Zero-day vulnerability protection CVE ( ) – VBScript RCE; gain same permissions as user Malware runs with the same permissions as the user who executed it.

8 Reasons Against Admin Rights
2016 Avecto Report on MS Vulnerabilities 93% of Critical RCE vulnerabilities (largest category of vulnerabilities) 94% of Criticals in Windows (Vista through 10) 100% of Criticals in Edge, 100% for IE 99% for Office overall, 93% for Office 2016 90% of Criticals in Windows Server Similar numbers for

9 Reasons Against Admin Rights
2017 Avecto Report on MS Vulnerabilities 80% of Critical RCE vulnerabilities (largest category of vulnerabilities) 79% of Criticals in Windows (Vista through 10) 96% of Criticals in Edge, 94% for IE 60% of Criticals in Office 74% of Criticals in Windows Server 88% of all Criticals from 2013 through 2017 Almost no vulnerabilities in other categories are mitigated by standard user accounts.

10 Reasons Against Admin Rights
Center for Internet Security (CIS) Controls “CIS Controls 1 through 6 are essential to success and should be considered among the very first things to be done.” #4: Controlled Use of Administrative Privileges NIST : AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5 and SI-4 NIST Core: PR.AC-4, PR.AT-2, PR.MA-2, PR.PT-3 Malware runs with the same permissions as the user who executed it.

11 Reasons Against Admin Rights
With UAC on, admin users only receive a Yes/No prompt. UAC Bypass App Paths Disk Cleanup (DLL Search Order) EventViewer/MSC IFileOperation Windows Backup WUSA Requiring credentials at the UAC prompt is much more secure. It forces users to put effort into allowing the potentially bad thing to run.

12 What Do We Do? It is not IT vs. Users. It is IT + Users vs. Attackers.
Crank UAC all the way up. Remove debug privilege from Administrators group. Built-in Administrator Account: Random password and disable. Process Monitor and App Compatibility Toolkit Remove full-time admin rights for IT, especially desktop techs. No administrator accounts login interactively, especially domain admins.

13 What Do We Do? Provide an additional account to be used for elevation.
Free Scriptable OK for mobile, if credentials are cached first. Con Need to enforce the inability for the additional account to logon interactively.

14 What Do We Do? Elevated Processes, On-Demand Avecto Defendpoint
BeyondTrust PowerBroker Endpoint Least Privilege Management CyberArk Endpoint Privilege Manager PolicyPak Least Privilege Manager

15 What Do We Do? Adminizer (adminize.com)
From a known security researcher (Sami Laiho) Changes local admin passwords every hour, even on disconnected machines. Inexpensive: $3.50 to $6.00 per machine Requires user to call help desk each time

16 What Do We Do? Access Director (basic-bytes.com)
No longer free, but free version still exists on the Internet Paid version has centralized reporting Monitor elevated processes and installed software Elevates user’s existing account, temporarily

17 What Do We Do? Make Me Admin (makemeadmin.com)
Free and open-source (GPLv3) Elevates user’s existing account, temporarily Works offline, no help desk interaction

Download ppt "Local Administrator Rights"

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.

Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.
Operating System Customization

Operating System Customization
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
How PNNL Manages Windows Desktops 1 Will Jorgensen.

How PNNL Manages Windows Desktops 1 Will Jorgensen.
MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.

MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.
Installing and Troubleshooting Hardware Device and Drivers Chapter 6 powered by dj.

Installing and Troubleshooting Hardware Device and Drivers Chapter 6 powered by dj.
Chapter 7 Installing and Using Windows XP Professional.

Chapter 7 Installing and Using Windows XP Professional.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.
Desktop Configuration and Cloning Instructor: Chuck O’Shea An Infopeople Workshop Fall-Winter 2006.

Desktop Configuration and Cloning Instructor: Chuck O’Shea An Infopeople Workshop Fall-Winter 2006.
GROUP POLICY An overview of Microsoft Windows Group Policy.

GROUP POLICY An overview of Microsoft Windows Group Policy.
Working with Workgroups and Domains

Working with Workgroups and Domains
P6 - CONFIGURE THE SOFTWARE. CONFIGURE SOFTWARE Most software can be configured to suit an individual user, for example by changing the appearance of.

P6 - CONFIGURE THE SOFTWARE. CONFIGURE SOFTWARE Most software can be configured to suit an individual user, for example by changing the appearance of.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

Similar presentations

Ads by Google