Least Privilege Practice Minus the User Drama? Yes, with Granular Rights and Self-Elevation
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
Users relish the sense of control that comes with being a local admin on their machine. Unfortunately, while full administrative rights are handy for changing the system clock and running specific applications, a user with elevated privileges can wreak havoc on your environment, whether through innocent actions or intentionally.
If a user logs in with full admin rights, any programs they run, such as browsers, webinar software, or shady “movie players”, also have full admin rights. This increases your attack surface and, consequently, your exploitable vulnerabilities.
If malware gets through, it can easily install itself and bypass your security software through file and registry changes. Then it will communicate to its masters through encrypted traffic, staying “low and slow” to avoid detection.
In most cases, your users have no clue what just happened and you won’t either until it’s too late.
How’s everyone else managing admin rights?
During presentations I usually poll to see who practices least privilege and who has users running around with full admin privilege. When it’s not an audience of AppSense customers (ahem), the group is usually split in half. People who have taken away admin rights invariably have disgruntled users, and the others hold back because they’re afraid they will have disgruntled users.
User experience matters.
Like all of us, your users are just trying to get their job done. They expect their desktops to be fast, responsive, and have the flexibility to run the applications they need. Applications could be corporate approved, such as Microsoft Office or industry-specific programs. Or they could be ones not on IT’s radar, such as browser plug-ins or a mind-mapping tool.
Forrester Research conducts many studies in this space and all of them point to the strategic importance of user experience. Their surveys show that desktop projects will likely fail as a result of poor desktop experience. Their advice? Plan to deliver a good user experience at the beginning of any desktop project, or else it’ll come back to bite at the end. This paper surveyed VDI-focused desktop projects but the same applies to endpoint security projects.
It is possible to take away rights without losing user productivity.
Users are not unreasonable. They don’t necessarily demand full admin rights – they just want the tools and data they need to get their jobs done. If they do something out of the ordinary, they are typically forgiving of an extra step.
Users actually welcome this additional level of protection. They feel better knowing someone is helping protect them. They don’t always know what’s risky and can appreciate when an unusual behavior is flagged.
The proven approach.
The aforementioned study talked about the user needing to feel in control over their environment and not having to rely on IT. However, IT has to track and control what can be installed and what privileges are granted.
So, where’s the balance? In my experience: granular privileges with self-service. Granular rights allow IT to ensure users aren’t running around with loaded guns, and self-service makes the user feel like they are in control.
Good solutions allow you to “watch” your environment for a period of time, at least two weeks, and determine who is using what privileges in your live environment. That should be used as the basis to determine who needs which rights. Our customers typically find that full admin rights can be shut off for 98%+ of their users. Users just wanted to change their time zones, connect to Starbucks Wi-Fi, and print at home. Having granular rights management allows IT to turn on or off very specific privileges.
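The observation step described above can be sketched as follows. This is an added example, not code from the original post or from any product; the log format, operation names and right names are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed mapping from observed admin operations to granular rights
# (operation and right names are assumptions, not a product's vocabulary).
GRANULAR_RIGHTS = {
    "set_time_zone": "change-time-zone",
    "add_wifi_profile": "manage-wifi",
    "add_printer": "install-printer",
}
MIN_OBSERVATION_DAYS = 14  # the post's "at least two weeks"

# Constructed observation log: (day, user, operation that needed admin rights)
EVENTS = [
    (date(2024, 3, 1), "bassam", "set_time_zone"),
    (date(2024, 3, 4), "bassam", "add_wifi_profile"),
    (date(2024, 3, 6), "dana", "add_printer"),
    (date(2024, 3, 9), "lee", "load_kernel_driver"),
    (date(2024, 3, 12), "lee", "add_printer"),
    (date(2024, 3, 15), "dana", "add_wifi_profile"),
]


def build_baseline(events, min_days=MIN_OBSERVATION_DAYS):
    """Return (granular rights per user, operations per user not covered)."""
    if not events:
        raise ValueError("no observations")
    days = [day for day, _, _ in events]
    span = (max(days) - min(days)).days + 1
    if span < min_days:
        # Too short a window misses monthly or travel-related tasks.
        raise ValueError(f"observed {span} days, need at least {min_days}")
    rights, uncovered = defaultdict(set), defaultdict(set)
    for _, user, operation in events:
        if operation in GRANULAR_RIGHTS:
            rights[user].add(GRANULAR_RIGHTS[operation])
        else:
            # Not mapped to a granular right: review by hand before
            # granting anything broader.
            uncovered[user].add(operation)
    return dict(rights), dict(uncovered)


def share_without_full_admin(rights, uncovered):
    """Fraction of observed users fully served by granular rights."""
    users = set(rights) | set(uncovered)
    return (len(users) - len(uncovered)) / len(users)
```
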
Great solutions provide a policy layer around the context in which those rights are being used; i.e., let Bassam work on that application at home but don’t let him print sensitive data, such as medical records.
The other half of the equation is user control. No matter how well you tune rights, users’ needs change over time. If they need to literally call IT, or worse, are prevented from doing a critical work task, their experience will suffer greatly. If they are able to help themselves, it’s a completely different experience.
Ideal systems should offer self-elevation for every possible request. Some situations may default to “no”, such as “I want to open up port 9625 for file sharing” (anyone trying to do that knows why there is a policy in place to prevent you from doing it). Conversely, if a user wants to download an app from an approved vendor they should be automatically allowed to do so. If the app or vendor is unknown, there should be a mechanism for the user to request a one-time privilege and have the user be either automatically approved or proceed to an IT approval queue.
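The self-elevation flow described above, as an added example that is not from the original post or any product. The policy sets, the rule for who is auto-approved, and all names are assumptions; the one-time grant is modeled as a token that is consumed on first use.

```python
from dataclasses import dataclass
from enum import Enum
import secrets


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    ALLOW_ONCE = "allow-once"
    QUEUE = "it-approval-queue"


@dataclass(frozen=True)
class Request:
    user: str
    action: str          # e.g. "install_app", "open_port"
    target: str          # app name or port number
    publisher: str = ""  # verified signer; empty when unknown


# Constructed policy; every name below is an assumption for illustration.
DEFAULT_DENY_ACTIONS = {"open_port"}
APPROVED_PUBLISHERS = {"Example Approved Vendor"}
AUTO_APPROVE_ONCE_USERS = {"bassam"}

AUDIT = []            # every decision is recorded for IT review
ONE_TIME_GRANTS = {}  # token -> (user, target), removed on first use


def decide(req):
    """Return (Decision, one-time token or None) and log the outcome."""
    if req.action in DEFAULT_DENY_ACTIONS:
        result = Decision.DENY            # deny rules win over everything else
    elif req.action == "install_app" and req.publisher in APPROVED_PUBLISHERS:
        result = Decision.ALLOW
    elif req.action == "install_app" and req.user in AUTO_APPROVE_ONCE_USERS:
        result = Decision.ALLOW_ONCE
    else:
        result = Decision.QUEUE           # unknown app, vendor or action: a human decides
    AUDIT.append((req.user, req.action, req.target, result.value))
    token = None
    if result is Decision.ALLOW_ONCE:
        token = secrets.token_hex(16)
        ONE_TIME_GRANTS[token] = (req.user, req.target)
    return result, token


def redeem(token, user, target):
    """A one-time grant elevates exactly once, for the user and target it named."""
    if ONE_TIME_GRANTS.get(token) != (user, target):
        return False
    del ONE_TIME_GRANTS[token]
    return True
```
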
It’s the feeling of being in control that drives a positive user experience.
So where to now? If you haven’t yet, start moving towards a least privilege practice. Talk to others who’ve successfully made that transition. You can find a few here, and we’d be happy to make intros for you.
Once you get the internal buy-in (remember to get high-level support from your organization!) look at systems that offer granular privilege with self-elevation. I truly believe we offer the best solution, but by all means do whatever it takes to remove full admin rights from the majority of your desktops.
P.S. We’re running a series of security webinars, all related to maintaining user productivity while protecting. These will be “intimate” product demonstration webinars and there’ll be plenty of opportunities to ask questions.