Many of today’s sophisticated hacking attacks begin by targeting end-users’ computers. One of the simplest—and perhaps most effective—ways to bolster end-user and network security could be to limit local computer administrative rights, according to a few studies.
Dropping administrative privileges, which allow computer users to install and run programs, could significantly reduce risks from the vast majority of Microsoft Windows vulnerabilities. That’s according to a study from security vendor BeyondTrust. The company, which examined the last 15 months of Microsoft Security Bulletins, found that eliminating end-users’ administrative rights could significantly curtail 90 percent of the exploits of “critical” security flaws found in Windows 7, which was introduced late last year. It could also significantly mitigate 100 percent of the vulnerabilities found in Microsoft Office in 2009 as well as 94 percent of those found last year in the Internet Explorer browser.
Ending employee’s administrative rights “eliminate[s] what is otherwise the Achilles’ heel of the desktop—end-users with…power that can be exploited by malware,” according to the report. Beyond- Trust sells software programs that help IT managers eliminate end-user administrative rights while still allowing users sufficient access to needed programs.
Other sources make similar recommendations. Downgrading end-users’ rights is important, because in contemporary attacks, malware writers have written programs that can specifically evade antivirus programs, according to some experts. In addition, many attacks involved zero-day malware, which, by definition, is something so new that no software patch or virus protection has been issued.
“In most organizations, local access rights should be eliminated for almost all employees on their corporate-managed systems,” according to a recent iSec Partners report. The report provided recommendations on protecting against the Aurora attacks, which recently victimized Google and at least 100 other companies. Many of the Aurora attacks began by tricking end users into visiting Web sites that would download zero-day malware onto users’ machines.
Most companies grant administrative rights to the majority of their employees, says Alan Paller, director of research at the SANS Institute. Many IT departments are wary about interfering with employees’ work, he says. But when it comes to guarding against phishing and other end-user risks, downgrading user rights could be “one of the most effective” steps companies can take.