Friday, May 1, 2009

Controlling Local Administrators is Only Part of The Puzzle

Daniel Petri, who I respect greatly, posted a very good article on restricting membership to local Administrators groups on computers. The article is indeed worth reading and strongly recommended, but after reading it, I felt it was really a piece within a larger puzzle of a broader, holistic approach to solving a problem.

The problem is keeping control while not hindering productivity. As with any security review, you need to weigh the threats against your exposure to risk, as well as balancing constraints with flexibility.

Technically speaking, how many ways are available to an administrator to restrict membership within local user groups on each computer?
  • Group Policy / Restricted Groups
  • Start-Up Scripts
  • Third-Party (i.e. retail) Products
But these are only a partial solution.  In addition to these, you also need to consider the following:
  • Employee Conduct Policies
  • Security Restrictions on User Accounts
  • Password Policies
  • Hardware Management Policies (laptops, removable devices, install drivers)
  • Applications Compatability (do they work without having Admin rights?)
  • Driver Compatability (does the device work without having Admin rights?)
  • BIOS configuration settings (bootable devices, boot order, CMOS passwords)
But wait! That's not all! If you work with sensitive information, or information which is considered to be one of your business assets, you need to add a significant "weight" factor to each aspect being considered.  Personal information (SSN, birth dates, account numbers, passwords, etc.), client records, client billing information, purchase and order management systems, defense-related information, and so on.

Depending on how critical your information is to protect, you may need more extreme tools and procedures to secure it.  Biometrics, encryption, monitoring and reporting, are all tools that may come into play.  Or maybe not.

articles supposedly describes an "unfixable" vulnerability with Windows 7 whereby a "hacker" (I hate that misused term by the way) inserts a bootable USB device to commandeer the computer and do ugly things to it.  But ANY computer is vulnerable to threats like this if the "hacker" can put their hands directly on it and be able to insert any removable media devices.  That claim is complete bullshit and designed to freak out the ill-informed and timid among us.  If I can put my hands on any one of your computers, you have MUCH bigger problems to worry about than anything else!  Step 1 - protect your computers, physically and virtually.

If I can put my hands on any one of your computers, you have MUCH bigger problems to worry about...

What I'm getting at here is that you might solve one problem, such as local Administrators group membership control, but overlook a much bigger or broader problem (or set of problems) and end up solving nothing at all.  For example, Daniel provides a scenario where an unscrupulous or disgruntled person could install a key-logger and lay the foundation for a sinister bait-and-switch trick to gain access to more privileged accounts on your network.  But how does the user install the key-logger?  Do they have local Administrator rights already?  Do they have the ability to install software or insert bootable media?  

You can mitigate "most" threats with some common sense planning, testing and implementation.  But the biggest variable is the human aspect.  While you can't know what's going on in someone's head, you also have to be careful not to get paranoid and start treating your employees like they can't be trusted.  Such actions can create unintended reactions.  I've seen it happen firsthand.  If you rationalize things in a group of well-informed people, who study the environment, the technology, you help ensure you make smart decisions as a group.  Reading an article on a blog is not "well-informed", it's just reading an article.  Text books, journals, magazine articles, vendor white papers and knowledge/support articles are all tools you need to consume in order to stay abreast of your technical world.
Post a Comment