SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
‘Windows shops’ target admin rights to de-risk their environments
Wed, 17th Aug 2022

Microsoft Windows has a clear market advantage when it comes to IT. No other vendor has produced a successful server and desktop operating system pair that excels in compatibility, authentication, productivity, and architecture. Unfortunately, it is a victim of its own success.

According to IDC, approximately four in every five desktops run Microsoft Windows, making the operating system a prime target for attackers. With more eyes on the prize come more opportunities to find flaws, and potential havoc for Windows customers. ‘Windows shops’ know the drill all too well: the price of a rapid pipeline of new features is a sizable monthly patch cycle, along with semi-regular out-of-band patches to address the most urgent or critical flaws.

But patching is not always possible, or not possible quickly enough. That realisation alone is driving organisations to consider other measures to mitigate vulnerabilities as part of a Windows risk reduction strategy. Additionally, the IT world is changing. Organisations still want access to bleeding-edge technology - new products and features - to stay relevant or gain a competitive edge, but they no longer view security as a hindrance to the pace of innovation.

Security is now viewed as a critical input to operationalising technology safely and responsibly. In a world where threats are so rampant, malicious, and conspicuously damaging to organisations, securing Windows access is as relevant as the innovation it protects.

Follina's curse

The recent Follina vulnerability shows that Windows customers need to do more than rely on Endpoint Protection – whether modern, AI-powered or more traditional approaches – in order to mitigate the risks associated with Windows vulnerabilities.

Follina is a zero-day remote code execution (RCE) vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT). It allows an attacker to execute arbitrary code using a malicious Microsoft Office document that invokes MSDT through the ms-msdt: URL protocol handler, and it is most often delivered via phishing emails.

According to Microsoft, “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.”

The automation and productivity features that make MS Office so useful are what allow a document to reach into an operating system tool meant for diagnosing problems. That coupling of application and OS component is one reason the attack succeeds, and a case study for future attack vectors.

But the impact of Follina is also a consequence of a weakness common to all computing platforms and especially painful on Microsoft Windows: over-distributed administrative privileges. Were administrative rights not so widely granted or so permissive, the impact of exploiting vulnerabilities like Follina could be far more contained, and would provoke less worry and less emergency action from administrators.
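Where patching must be deferred, Microsoft's documented interim workaround for CVE-2022-30190 was to remove the ms-msdt: protocol handler from the registry after backing it up. The script below applies and reverts that workaround; it is an added example written for this page, not code from the article or from Microsoft. The backup file location is an assumption, and the script must run from an elevated session on the affected Windows host.

```powershell
# Added example (not from the article): apply, check and revert Microsoft's
# documented interim workaround for CVE-2022-30190 (Follina). Removing the
# ms-msdt: handler stops Office documents from launching MSDT through it.
#Requires -RunAsAdministrator

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: handler is still registered, i.e. the host is unmitigated.
    return Test-Path -LiteralPath $handlerKey
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first so the change can be reverted once the patch is installed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of ms-msdt key to $backupFile failed; aborting." }
    Remove-Item -LiteralPath $handlerKey -Recurse -Force
    Write-Output "ms-msdt handler removed; backup at $backupFile"
}

function Restore-MsdtHandler {
    # Re-register the handler from the backup after the fix has been applied.
    if (-not (Test-Path -LiteralPath $backupFile)) { throw "No backup found at $backupFile" }
    & reg.exe import $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
}

Disable-MsdtHandler
if (Test-MsdtHandlerPresent) { Write-Warning 'Handler still present; workaround did not apply' }
```

The workaround only blocks the Office-to-MSDT path; it does not patch MSDT itself, so it should be treated as a stopgap and reverted with Restore-MsdtHandler after the update is deployed and verified.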

Practising PoLP

But Follina is just the tip of the iceberg. Between 2015 and 2020, as many as 75% of critical vulnerabilities could have been mitigated by removing admin rights, according to BeyondTrust's Microsoft Vulnerabilities Report.

Administrative privileges are not inherently a bad thing. The problem arises where organisations fail, or are unable, to enforce granular control over them. Going back to the earliest versions of Windows with built-in networking, administrative rights allowed users to do and access anything within their networks. Back then, the operating system itself did not have the security built in to control access granularly or to provide role-based access and segregation of duties.

In those times, most IT professionals simply gave everyone administrative rights on their local system because it was the easiest way to ensure everyone had the varying levels of access they needed to do their jobs. The risks of provisioning blanket admin rights were not well understood, and running as a local administrator became the default almost everywhere.

These days security teams know that the vast majority of malware and attacks abuse privilege and user rights to gain the necessary level of network access or to move laterally. Once an application, malware, or user gains administrative rights, it can effectively do anything to the system. Because an administrator token still grants near-total control of the machine, the most effective approach is to remove administrative rights everywhere possible: make everyone a standard user and handle tasks that require elevated privileges as an exception, not the norm.

Privilege management tools can assist organisations in removing over-provisioned or overly permissive administrative privileges and enforcing true least privilege (just-enough privileges plus just-in-time access). Having the principle of least privilege (PoLP) in place offers significant protection. It means an attacker's code executes only within the context of the targeted user, which poses far less risk on a standard user account than on a local administrator account. It contains rather than prevents compromise: the attacker still gets whatever that user can reach, so it has to sit alongside patching and detection rather than replace them.
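The simplest version of this control, without a privilege management product, is to audit the local Administrators group against an allowlist and demote everyone else to a standard user. The script below is an added example for this page, not code from the article or from any vendor; the allowlist entries are assumptions (the built-in local Administrator and a notional CORP\Workstation Admins group used for just-in-time elevation) and should be replaced with your own break-glass accounts. It uses the Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows PowerShell 5.1.

```powershell
# Added example (not from the article): enforce "everyone is a standard user"
# on a Windows host by removing unapproved members of the local Administrators
# group. Run elevated. Review the -WhatIf output before removing the switch.
#Requires -RunAsAdministrator

$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin: assumed allowlist entry
    'CORP\Workstation Admins'            # assumed domain group used for JIT elevation
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $approvedAdmins)
    # Get-LocalGroupMember returns NTAccount-style names such as CORP\jdoe or PC01\Bob,
    # so the comparison is against the fully qualified name.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name }
}

function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Approved = $approvedAdmins)
    foreach ($member in Get-UnapprovedLocalAdmins -Approved $Approved) {
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            # Membership of Users is untouched, so the account keeps working as a standard user.
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
            Write-Output "Demoted $($member.Name) ($($member.ObjectClass)) to standard user"
        }
    }
}

# Step 1: report. Step 2: dry run. Step 3: drop -WhatIf once the list is reviewed.
Get-UnapprovedLocalAdmins | Select-Object Name, ObjectClass, PrincipalSource
Remove-UnapprovedLocalAdmins -WhatIf
```

Keeping the built-in Administrator on the allowlist avoids removing the last administrator from the machine; elevation for day-to-day tasks then flows through the approved group rather than through standing membership.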

This represents the biggest strategic adjustment an organisation can make in managing Windows accounts for end users to mitigate this persistent problem.