In today’s Windows environment, end users are accustomed to having local administrator privileges which allow them to download a variety of applications and potentially misconfigure their PCs. While standard wisdom may be to simply solve the problem by revoking local administrator rights on users’ systems, the reality is that this may not be an option at all organizations. And removing local admin rights doesn’t address applications such as Google Chrome or browser plug-ins for which admin access isn’t required.
Fortunately, there’s hope for IT administrators seeking to gain control over the Windows environment while still offering local admin rights to the user base – through application whitelisting. With application whitelisting, IT can gain power over what types of applications their users install and limit their access to under-the-hood controls that determine how well configured the machine remains.
Old OS – older Windows operating systems require local admin for some features to work
Old software – legacy software requires local admin to install or run
Why Taking Away Local Admin Doesn’t Work
- Users and senior executives revolt
- Many programs won’t work without admin rights
- Prevents more legitimate uses than illegitimate ones
- The medicine can be worse than the disease
- Non-admin users can still install software
- Doesn’t stop all malware
- In many cases, doesn’t lower total cost of ownership
Doesn’t Stop All Malware
- Many programs, including thousands of malware programs, do not need local admin access to do their dirty work
- Many programs don’t require admin to install or operate; for example, the Google Chrome browser
- Many browser add-ons don’t require admin to install
- Many ActiveX controls don’t require admin
- Malware programs take advantage of existing, approved, installed programs (e.g. Adobe Reader, Flash, Java)
- Once an approved program is exploited, the bad guy is free to expand influence; the biggest hurdle is already passed
Doesn’t Stop All Malware (continued)
Malware can do everything it needs to do without having local admin:
- Install malicious programs
- Infect files
- Be persistent through reboots
- Record keystrokes
- Steal passwords
- Crawl the network
Once the bad guy is past the initial defenses, it’s game over. Removing local admin is a binary defense.
Rethinking Local Admin Access
Traditional “all or nothing” approaches don’t work:
- Impacts productivity
- Doesn’t reduce risk appreciably
A new approach is needed, one that:
- Provides visibility and control without impacting productivity
- Prevents unwanted, unauthorized or malicious apps from executing
Reducing Local Admin Risk

Action | Example | How Lumension Stops
Install Applications | – | Application Control: Easy Lockdown / Trust Engine
Change Configurations | Regedit / Command | Denied Application: cmd.exe, regedit.exe
Remove Patches & Uninstall Software | Control Panel – uninstall program | Denied Application: control.exe
Defeat Security Tools | Task Manager – kill process | Denied Application: taskmgr.exe
How Whitelisting Helps
- Stop playing whack-a-mole
- Not binary: far more granular in providing or denying access
- Better control coverage: prevent unapproved applications from being installed or executed, regardless of whether they require local admin or not
- Prevent malicious executables from being initiated if an attacker gains initial access
Other Benefits of Whitelisting
- Easy to find out what your end users are trying to execute
- Configurable reports and alerts
- Easy to allow or deny an application in an emergency, without giving the end user full access
Whitelisting is the single best thing you can implement to prevent malware attacks and exploitations
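To make the “not binary, far more granular” decision model concrete, here is an added example written for this page; it is my own toy policy engine, not Lumension’s product, its Trust Engine, or any of its APIs. It assumes a hash-based allow list, a by-name deny list for the administrative tools named in the table above (cmd.exe, regedit.exe, control.exe, taskmgr.exe), a default-deny lockdown, an emergency allow rule IT can add without changing the user’s rights, and a log of every attempt so denied executions can be reported. The binaries and user names are constructed sample data.

```python
"""Toy application-control policy engine (constructed example, not vendor code).

The local-admin flag is accepted but deliberately not consulted: a whitelist
applies the same rule to admins and standard users, which is what makes it
more granular than the all-or-nothing "remove local admin" approach.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Decision:
    user: str
    path: str
    allowed: bool
    reason: str


@dataclass
class ApplicationControl:
    trusted_hashes: set = field(default_factory=set)   # SHA-256 of approved binaries
    denied_names: set = field(default_factory=set)     # tools denied by file name
    emergency_allow: set = field(default_factory=set)  # hashes IT allowed in an emergency
    log: list = field(default_factory=list)            # every decision, for reports/alerts

    @staticmethod
    def sha256(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def trust(self, content: bytes) -> str:
        """Approve a binary by content hash and return the hash."""
        digest = self.sha256(content)
        self.trusted_hashes.add(digest)
        return digest

    def evaluate(self, user: str, path: str, content: bytes, is_admin: bool) -> Decision:
        """Decide whether `user` may run the file at `path` with these contents.

        Rule order: denied names win, then emergency allows, then trusted
        hashes, then default deny. `is_admin` is ignored on purpose.
        """
        name = PureWindowsPath(path).name.lower()
        digest = self.sha256(content)
        if name in self.denied_names:
            decision = Decision(user, path, False, f"denied application: {name}")
        elif digest in self.emergency_allow:
            decision = Decision(user, path, True, "emergency allow rule")
        elif digest in self.trusted_hashes:
            decision = Decision(user, path, True, "trusted hash")
        else:
            decision = Decision(user, path, False, "not on whitelist (default deny)")
        self.log.append(decision)
        return decision

    def denied_report(self) -> dict:
        """Count denied execution attempts by file name (what users tried to run)."""
        return dict(Counter(PureWindowsPath(d.path).name.lower()
                            for d in self.log if not d.allowed))


# Constructed sample "binaries": stand-ins for real file contents.
APPROVED_APP = b"MZ...approved-line-of-business-app"
UNKNOWN_APP = b"MZ...dropped-by-phishing-email"
CMD_EXE = b"MZ...cmd"


def demo() -> ApplicationControl:
    """Run a few constructed execution attempts through the policy."""
    ac = ApplicationControl(denied_names={"cmd.exe", "regedit.exe", "control.exe", "taskmgr.exe"})
    ac.trust(APPROVED_APP)
    ac.evaluate("alice", r"C:\Program Files\LOB\lob.exe", APPROVED_APP, is_admin=True)
    ac.evaluate("alice", r"C:\Users\alice\Downloads\invoice.exe", UNKNOWN_APP, is_admin=True)
    # The same denial applies whether or not bob is a local admin.
    ac.evaluate("bob", r"C:\Windows\System32\cmd.exe", CMD_EXE, is_admin=False)
    ac.evaluate("bob", r"C:\Windows\System32\cmd.exe", CMD_EXE, is_admin=True)
    return ac


if __name__ == "__main__":
    control = demo()
    for d in control.log:
        print(f"{d.user:6} {'ALLOW' if d.allowed else 'DENY ':5} {d.path}  ({d.reason})")
    print("denied by name:", control.denied_report())
```

Hash-based allow rules protect against a user dropping a different binary under an approved name, while the by-name deny rules are what keep cmd.exe and regedit.exe out of an admin user’s hands without touching group membership; the report function is the minimum needed to answer “what are my users trying to run”.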
Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255; 1.888.725.7828; info@lumension.com
Editor’s notes
Note: The only two things malware can’t do without admin are 1) hide as efficiently from anti-malware detectors, and 2) modify the operating system. These are two big, good things that not having local admin prevents... but can the bad guy still do all the bad things they want to the exploited end user? Absolutely, yes!
Many users in today’s organizations are “local admins”. Legacy operating systems and software require users to have local admin accounts in order to install and run correctly. Local admins can make any changes they wish on their own machines: install and remove software, change configurations, kill processes to defeat security tools. Removing “local admin” privileges is, for many organizations, not feasible in the short term. The resulting lack of control leads to increased endpoint risk and IT management overhead.