‘Windows Shop’ targets admin rights to de-risk your environment

Article by Scott Hesford, BeyondTrust’s Director of Solutions Engineering for Asia Pacific and Japan.

Microsoft Windows has a clear market advantage when it comes to IT. No other vendor has created a server and desktop operating system pair that excels in compatibility, certification, productivity, and architecture. Unfortunately, it’s a victim of its own success.

According to IDC, about four-fifths of desktops run Microsoft Windows, making the operating system a prime target for hackers. The more attention attackers give to a prize, the better their chances of finding flaws that can wreak havoc on Windows customers. The “Windows Shop” knows the drill well. The price for a rapid pipeline of new features is a sizeable monthly patch cycle, in addition to semi-regular out-of-band patches to address the most urgent or critical defects.

However, patching is not always possible or desirable. This realization alone has led organizations to consider other means of mitigating vulnerabilities as part of their Windows mitigation strategies. Moreover, the world of IT is changing. Organizations continue to want access to cutting-edge technology innovations (new products and features) to stay relevant and gain a competitive edge, but security is a hindrance to the pace of innovation. I don’t think it will.

Security is now seen as a key input to operate technology safely and responsibly. In a world where security threats are so prevalent, malicious, and extremely harmful to organizations, Windows access security (and innovative security) is more important than technological innovation alone.

Curse of Follina

The recent Follina vulnerability demonstrates that Windows customers need to do more than rely on endpoint protection to mitigate the risks associated with Windows vulnerabilities.

Follina is a zero-day remote code execution (RCE) vulnerability (CVE-2022-30190) discovered in the Microsoft Support Diagnostic Tool (MSDT). It allows attackers to use malicious Microsoft Office documents to execute arbitrary code and is most often exploited via phishing emails.

According to Microsoft, “An attacker who exploits this vulnerability can execute arbitrary code with the privileges of the calling application. An attacker can then install programs, view, change, or delete data, or create new accounts in contexts that your permissions allow.”

The success of MS Office automation, productivity and features has led to the exploitation of a vulnerability (Follina) in an operating system tool used to diagnose problems. The bundling of these two is one of the reasons for the success of this attack and also a case study of potential future attack vectors.

But the Follina vulnerability is also the result of one flaw that pervades all computing devices and is particularly troubling for Microsoft Windows: administrative privileges. If administrator privileges were not so widely distributed or so leniently granted, exploitation of vulnerabilities like Follina would likely be far less impactful and would demand far less concern and action from administrators.

Practice of PoLP

But Follina is just the tip of the iceberg. According to BeyondTrust’s Microsoft Vulnerabilities Report, between 2015 and 2020, 75% of critical vulnerabilities could have been mitigated by removing administrator privileges.

Administrative privileges aren’t inherently bad. Problems arise when organizations fail to exercise, or lack, fine-grained control over administrator privileges. Back in the early versions of Windows with built-in networking, administrative privileges allowed users to do anything and access anything within the network. At the time, the operating system itself did not have built-in security to control granular access and provide role-based access and separation of duties.

At the time, most IT professionals simply gave everyone administrative rights to their local system. This was the easiest way to give everyone the different levels of access they needed for their jobs. The risks of provisioning blanket admin rights were not well understood and the basic ability to be a local admin was adopted almost everywhere.

Modern security teams know that most malware and attacks exploit privileges and user rights to gain the desired level of network access or achieve lateral movement. Once an application, malware, or user has administrative privileges, they can do virtually anything to the system. Administrative privileges have not yet evolved to be secure enough, so the most effective approach is to remove them wherever possible. That is, make everyone a standard user and treat tasks that require elevated privileges as exceptions rather than the norm.

Privilege management tools help organizations remove over-provisioned or over-permissive user administrator rights and enforce true least privilege (necessary privileges and just-in-time access). Implementing the Principle of Least Privilege (PoLP) can provide an important cyber protection feature. This means that the attacker’s code will only run within the context of the targeted user, and it poses far less risk when that user is a standard user without administrative privileges than when they are a local admin.

This represents the greatest strategic adjustment an organization can make when managing end-user Windows accounts to mitigate this persistent problem.
