CIO

Time to drop unnecessary admin privileges

Risk of malware infection could be severely reduced if companies weren't as generous with granting administrative privileges, says study

A new study shows that CSOs could dramatically lower the risk of malware infection by becoming a lot stingier with the number of company employees given administrator accounts on computers.

The study, released Tuesday by enterprise security vendor Avecto, indicates that it's time for CSOs to evaluate the use of admin privileges and restrict them to cases where they are required for certain tasks.

"The principle of least privilege dictates that IT users should be granted just enough rights to allow them to effectively perform their role," Andrew Avanessian, vice president of Professional Services at Avecto, told CSOonline.

In general, an administrator account lets a computer user modify other accounts, install and delete software and files and change network settings. A hacker who successfully installs malware on a computer typically gets the same admin rights as the user.

The Avecto study shows that simply restricting users of desktops and laptops to standard accounts when nothing more is needed can significantly reduce the risk of malware infection. Hackers who gain access to a standard account would have to find a way to escalate the privilege.

"Deploying standard user desktops as part of a proactive defense-in-depth strategy, including application control and regular patching of the OS and vulnerable applications, helps to significantly reduce the threat of modern security threats," Avanessian said. "With least privilege, organizations of any size can strike the perfect balance of security and empowerment, without compromise."

The study took a look at the software vulnerabilities Microsoft reported in 2013 and found that more than nine in 10 of those rated "critical" could have been mitigated by removing administrator rights. That number held true for such vulnerabilities found in Windows, Internet Explorer and Office.

Microsoft published a total of 333 vulnerabilities affecting PCs in 2013, with 147 rated critical. Removing admin rights would have mitigated 60 percent of the total number of vulnerabilities, according to Avecto.

For Windows Server, a total of 252 vulnerabilities were reported, with 136 rated critical. Fully 96 percent of the latter could have been mitigated by removing admin rights.

Most home computer users and many users of business computers have unnecessary admin privileges, experts say. Limiting user access on Windows XP was difficult, so it was seldom done. However, features added to Vista, 7 and 8 make restricting access more practical.

Even when a person is the sole user of a computer, he should use the system as a standard account holder, switching to administrator privileges only when necessary to perform a particular task. The latter account should also be protected with a strong password.

Avecto, which has built a business around Windows privilege management, is providing the study at no charge, but requires people to give their name, email and business and company phone numbers.