Re-evaluating Local Administrative User Rights
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
I'd say that most malware wants to write something to the local PC.
Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.
This is true, but that leaves very few places to write to. Chiefly, the users profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.
I read that over 90% of ransomware, for example, does not require local admin rights...
Right why would it? Assuming it can just run in user space - so many people/companies just allow full access to everything to their users so the crap just runs and gets what it can...
-
@Dashrender said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
I'd say that most malware wants to write something to the local PC.
Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.
This is true, but that leaves very few places to write to. Chiefly, the users profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.
I read that over 90% of ransomware, for example, does not require local admin rights...
Right why would it? Assuming it can just run in user space - so many people/companies just allow full access to everything to their users so the crap just runs and gets what it can...
I mean, the worst things that could happen, don't seem to matter if the user has local admin rights anyways.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
I'd say that most malware wants to write something to the local PC.
Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.
This is true, but that leaves very few places to write to. Chiefly, the users profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.
I read that over 90% of ransomware, for example, does not require local admin rights...
Yeah, the miscreants are getting smarter.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?
I stick to... I wouldn't give myself local admin rights, why would I give it to an end user?
-
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?
I stick to... I wouldn't give myself local admin rights, why would I give it to an end user?
Is your device safer without your login having local administrative privileges? Why or why not?
-
@scottalanmiller Basically, with zero cases of local admin privileges, no exceptions... then yes I an on board there. But this isn't always and can't always be the case. So here were are.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?
I stick to... I wouldn't give myself local admin rights, why would I give it to an end user?
Is your device safer without your login having local administrative privileges? Why or why not?
Yes, because I'm not tempted (or tricked) to do admin level tasks while also doing non-admin level tasks. If I'm putting on my IT hat, rather than my user hat (which should be very rare) then I have to do so intentionally and switch users.
Separating your own roles helps a lot in making your brain aware of what you are doing. Malware can't easily trick me to give it admin privs because I never see those situations while also have admin access.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@scottalanmiller Basically, with zero cases of local admin privileges, no exceptions... then yes I an on board there. But this isn't always and can't always be the case. So here were are.
Not sure what you mean from this statement. Obviously local admin happens sometimes in some companies. But...
- Just because it happens once somewhere doesn't affect the decision elsewhere. There is no connection because they are "local".
- If it is MY business, I fix the underlying problems that create that problem in the first place. No really good excuse for why it would be needed if you are able to look at IT from the CEO/owner's level.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
However, in the more modern days, Windows 7 and up, and especially in the Windows 10 era, even when a user is a local admin, they aren't really a local admin until they need to do something "administrative", in which they are prompted... UAC for example.
The problem there is that that pops up so often than it's no longer meaningful, at all, to normal users (and likely not to IT.)
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
If the concern is about malware, well, most malware is just as dangerous in the non-admin user space anyways.
Ransomware, yes. But not general malware.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
Also, the AV should pick up that type of malware / bad apps anyways.
Working as an MSP, this isn't the case all that often. Most malware (that works) are trojans and use the user to bypass the AV. AV is surprisingly useless these days. Not that I recommend not having it, certainly have it. Just don't think that it is providing much protection.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
It seems like restricting users to non-admin privileges causes more inconvenience and service desk overhead than it's actually worth. And, from a security perspective, doens't really seem like any more of a factor one way over the other.
This just doesn't match what we see in the real world. At least not as an MSP. If we give users admin privs, we have to charge more, because their machine will be infected or broken easily 1,000% as often. They will install apps and not do so properly, they will get tricked into putting on the wrong apps, they will get loaded with trojans, they will fill their machines with apps that they don't use or know what they are, they will expose themselves unknowingly to all kinds of things (often from emails that depends on tricking them), and they will pirate software willy nilly (often intentionally, but sometimes by accident.) Sometimes users even remove themselves from AD, or more often just break random hooks to apps.
End user shadow IT is terrible, unless your IT department is a train wreck. In which case, yeah, they might need to work around them (see the thread we had last week.)
-
@nadnerB said in Re-evaluating Local Administrative User Rights:
A/V isn't 100%, just as removing admin rights isn't a 100% effective security measure but together they make a really good combo.
But if I had to pick one or the other, I'd trust a machine with no admin privs and no AV over one with AV and local admin rights.
Local admin rights being removed, to me, is critical. AV is just "nice to have". And AV without local admin rights removed is pretty useless as it depends on that.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
I'd say that most malware wants to write something to the local PC.
Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.
True, but those spaces aren't ones that will automatically execute.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
Having removed admin rights, you have defeated something that the A/V vendor doesn't yet have a signature for.
Not necessarily, with UAC, programs ran as users in the local Administrators group still runs as a standard user and requires elevation.
This is partially true, but only sometimes. There are ways around it. Lots of applications get installed with admin rights and once there, UAC is disabled. Look at any IT management toolsets, for example.
-
@Dashrender said in Re-evaluating Local Administrative User Rights:
As for software/viruii that don't require local admin rights, uhuhm - CHROME, rights levels don't matter.
Huh? Chrome isn't a thread because of this.... no admin access whatsoever.
-
@nadnerB said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.
An ounce of prevention is better than a pound of cure.
Policies are only good if they followed, HR & management are only good if they have the balls to do something.
Chances are that a rogue actor won't care about policies or HR.More importantly, normal end users are not trained to understand what they are doing in most cases. Ignore malicious actors, we are talking about good, well meaning people that HR has vetted. They still don't understand what "installing" means, they can't identify safe sources, they don't have the diligence to do package maintenance, they don't know overarching IT strategies, they don't control licensing or often even have awareness of it.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
What I'm getting at, is if the device is actually REALLY any bit safer without the user having local administrative access? I mean, if someone external wants in to a device, is the assigned user not having local administrative access making the device any more secure?
The concern isn't necessarily about downloading a piece of malware.
Those two things are one and the same. If someone wants remote access, then getting the end user to accidentally download malware is the number one way to achieve it. You can't separate the two concepts.
-
@Dashrender said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
What I'm getting at, is if the device is actually REALLY any bit safer without the user having local administrative access? I mean, if someone external wants in to a device, is the assigned user not having local administrative access making the device any more secure?
I would answer this and say - yes it is still more secure. If you're a target, then next to nothing is going to protect you. But come on, how many people are actually targets? 0.1% maybe? probably not even that many.
I agree, dramatically more secure. Almost all of your risk comes from the end user, not the computer. And not having admin rights is the most significant protection against the end user.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
I'd say that most malware wants to write something to the local PC.
Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.
This is true, but that leaves very few places to write to. Chiefly, the users profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.
I read that over 90% of ransomware, for example, does not require local admin rights...
Yes, RANSOMWARE. That's very different from normal malware. Ransomware is super scary and a major topic causing us to change a lot of how we behave. But here are some key thoughts...
-
Ransomware is an additional threat over what we had traditionally, it is not a replacement threat. Nothing about ransomware should change this conversation. All of your normal risks are what are addressed by what we are discussing. Ransomware is in no way the majority of threats, nor have other threats decreased because of it.
-
Ransomware does not REQUIRE admin rights to work, it just becomes more powerful when it gets them. By getting admin rights it can move from "trivial to stop" to "extremely hard to stop", it moves from "easy to identify" to "medium to identify". It changes from "encrypts one user's stuff on the machine" to "encrypts every user's stuff on the machine plus the machine itself." And with admin rights it can hide itself, make itself start without a user, and control its priority. It's like your car doesn't require tires to drive, but it sure works better when it has them.
-