Excessive access has been an acknowledged risk since the earliest days of distributed data-communication networks in the 1970s. One key way that some organizations attempt to ‘keep things moving’ is to grant administrative privileges to ranges of individuals & groups who may need only some small subset of those permissions in the course of normal operations or in dealing with troubleshooting requests. In most situations, it would be possible to grant only those permissions required to perform the truly required tasks. In most of the remaining situations, broader administrative access can be protected with strong two-factor authentication (which will resist many threats that depend upon stolen user credentials).
Constraining and/or hardening administrative access has also been one of the easier ways for large enterprises to materially reduce their attack surface which results in a lower overall risk profile.
A core risk management principle — ‘least privilege’ — reasons that users should be granted only enough rights to support performing the tasks required for their role, and no more.
This is not only a Windows issue, but Antone Gonsalves (CIO OnLine) passed along today that a review of Microsoft’s Windows vulnerabilities in 2013 (333, of which 147 ranked ‘critical’) showed that fully 60% of them would be mitigated by removing users’ admin rights. Gartner has also argued that 90% of security threats could be eliminated by removing users’ administrative permissions.
Hostile uses of malware and social engineering continue to advance, which increases the gravity of Financial Services organizations’ excessive administrative access issues. The key message is that the risks associated with malware infection could be materially reduced if we tamped down the granting of administrative privileges.
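A practical first step toward the reduction described above is simply knowing who currently holds local administrative rights on a given machine and comparing that against the short list of accounts that actually need them. The script below is an added example, not code from the original post or from any of the sources it cites; the approved-list entries (`CORP\Workstation-Admins` and the built-in `Administrator` account) are constructed placeholders, and it assumes Windows PowerShell 5.1 or later, where the `Get-LocalGroupMember` and `Remove-LocalGroupMember` cmdlets are available.

```powershell
# Added example (not from the original post): audit local Administrators group
# membership against an approved list and report any excess grants.
# Assumptions: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module);
# the approved list below is constructed for illustration and must be replaced
# with the organization's own role-based list.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (placeholder)
    "CORP\Workstation-Admins"            # constructed example: the one group that should hold rights
)

# Enumerate current members of the local Administrators group.
$Members = Get-LocalGroupMember -Group 'Administrators'

# Anything not on the approved list is an excess grant under least privilege.
$Excess = $Members | Where-Object { $Approved -notcontains $_.Name }

if ($Excess) {
    Write-Output "Accounts holding admin rights that are NOT on the approved list:"
    $Excess | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

    # Show what remediation would do without changing anything (-WhatIf);
    # drop -WhatIf only after the list has been reviewed with the account owners.
    foreach ($Account in $Excess) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Account.Name -WhatIf
    }
} else {
    Write-Output "Administrators membership matches the approved list."
}
```

Run it in an elevated session on each workstation (or through your endpoint management tooling); the `-WhatIf` pass produces the review list, and the same loop without `-WhatIf` performs the removal once the accounts that genuinely need a smaller, task-specific permission set have been given that instead.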
RESOURCES:
“Time to drop unnecessary admin privileges.” By Antone Gonsalves, 02-18-2014.
http://www.csoonline.com/article/2134396/privacy/time-to-drop-unnecessary-admin-privileges.html
“Trends (and other things) Learned at the Gartner IAM Summit.” By Mark Weiner, 12-11-2014.
http://blog.centrify.com/trends-learned-at-gartner-iam-summit/
Completosec on Risks of Malicious Code:
https://completosec.wordpress.com/category/malicious-code/