Businesses can mitigate most of Microsoft's critical vulnerabilities simply by eliminating users' administrative rights. According to an Avecto report, "530 Microsoft vulnerabilities were reported in 2016, with 36% (189) carrying a critical severity rating." Of these critical vulnerabilities, 94% were mitigated by removing administrator rights.
According to James Maude, Senior Security Engineer at Avecto, the report classified a vulnerability as one that could be mitigated by removing administrator rights if either of the phrases "Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights" or "If the current user is logged on with administrative user rights, an attacker could take control of an affected system" appeared in the executive summary of the bulletin for that vulnerability.
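As an added illustration (not code from the Avecto report), the classification rule above reduced to a small Python script: it scans each bulletin's executive summary for either phrase and derives the same headline percentages. The phrase constants assume the wording of Microsoft's English bulletins, and the sample bulletins are constructed.

```python
import re
from dataclasses import dataclass
# Boilerplate from Microsoft's English security bulletins; assumed to be the wording Avecto matched.
MITIGATION_PHRASES = (
    "customers whose accounts are configured to have fewer user rights on the "
    "system could be less impacted than users who operate with administrative "
    "user rights",
    "if the current user is logged on with administrative user rights, an "
    "attacker could take control of an affected system",
)

@dataclass
class Bulletin:
    bulletin_id: str
    severity: str           # e.g. "Critical" or "Important"
    executive_summary: str

def _normalize(text: str) -> str:
    # Collapse whitespace and case so line-wrapped summaries still match.
    return re.sub(r"\s+", " ", text).strip().lower()

def mitigated_by_removing_admin(summary: str) -> bool:
    """True if the executive summary carries either mitigation phrase."""
    norm = _normalize(summary)
    return any(phrase in norm for phrase in MITIGATION_PHRASES)

def summarize(bulletins: list) -> dict:
    """Share of bulletins rated critical, and share of those that admin-rights removal mitigates."""
    critical = [b for b in bulletins if b.severity.lower() == "critical"]
    mitigated = [b for b in critical if mitigated_by_removing_admin(b.executive_summary)]
    pct = lambda part, whole: round(100 * part / whole) if whole else 0
    return {
        "total": len(bulletins),
        "critical": len(critical),
        "critical_pct": pct(len(critical), len(bulletins)),
        "critical_mitigated": len(mitigated),
        "critical_mitigated_pct": pct(len(mitigated), len(critical)),
    }

# Constructed sample data: the IDs and summaries are illustrative, not real bulletins.
SAMPLE_BULLETINS = [
    Bulletin("MS16-EX01", "Critical", "Remote code execution in a browser. If the current user is logged "
             "on with administrative user rights, an attacker could take control of an affected system."),
    Bulletin("MS16-EX02", "Critical", "Remote code execution in Office.\n  Customers whose accounts are "
             "configured to have fewer user rights on the system\n  could be less impacted than users "
             "who operate with administrative user rights."),
    Bulletin("MS16-EX03", "Critical", "Elevation of privilege in a kernel driver, exploitable by any user."),
    Bulletin("MS16-EX04", "Important", "Information disclosure. If the current user is logged on with "
             "administrative user rights, an attacker could take control of an affected system."),
]
```

On the constructed sample, three of four bulletins are critical and two of those three carry a mitigation phrase, so the script reports 75% critical and 67% of critical bulletins mitigated.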
Understanding the nature of these critical vulnerabilities, the arguments for and against removing administrator rights, and the simplest way to disable administrative privileges at scale can help organizations mitigate most of Microsoft's serious vulnerabilities.
Microsoft Critical Vulnerabilities
Most of the critical Microsoft vulnerabilities in this study were remote code execution flaws in Microsoft products such as the operating system, the browser, or Microsoft Office. These flaws allow attackers to run code silently when the user opens infected content, visits an infected site or, in some cases, merely connects to the same network as the attacker, explains Maude.
"A phishing attack taking advantage of the vulnerability CVE-2016-3313, which Microsoft patched in MS16-099, would be a good example," says Maude. That attack used an infected Microsoft Word document to trigger the silent execution of code.
Because the attack emanates from Microsoft Word, it runs in the user's context. "If the user has administrator rights, the attacker can abuse those privileges by manipulating security settings, infecting system files or launching a pass-the-hash attack to move laterally across the network," explains Maude.
In a pass-the-hash attack, which relies on weaknesses in how authentication protocols are used, the attacker steals the static hash that represents a username and password and uses it in place of the clear-text credentials. Simply stealing the hash is easier than attempting brute-force password attacks, which may fail because of IP-blocking policies that respond to high volumes of different password attempts per minute. The attacker uses the hash to log on to systems and servers, moving laterally within the network while avoiding detection.
Arguments against removal of administrator rights
Having administrator rights allows individual users to update software immediately, adding new capabilities and maintaining current software so they can continue to work productively. "Many applications, basic system configurations and application upgrades require administrative rights to ensure proper operation," says Joseph Carson, chief scientific officer at Thycotic.
When companies that already allow widespread administrative rights seek to eliminate them, the result is major business disruption and unhappy, unproductive employees, according to Carson. "Sometimes companies sacrifice security for the ease of use of the business and happy employees," says Carson.
Against those arguments
Software upgrades and new software installations fall under the authority of IT and security. Updates and changes must go through change management and pass security testing to make sure they do not break other applications that depend on them.
User-initiated software installations may also contain malware, including malicious programs that exploit Microsoft's critical vulnerabilities. "Malware exploits administrator rights to change registry settings, install and run programs, and inject itself into memory. Most malware is ineffective without these capabilities," said Daniel J. Desko, Senior Manager, IT Risk Advisory Services at Schneider Downs.
The removal of administrator rights is also a layer of protection against phishing attacks on users. "When we perform penetration testing, we often drop malware through phishing, which ultimately gives us a backdoor and a launch point