Windows desktop admin rights - an open door for malware?
By: Bob Tarzey, Service Director, Quocirca
Published: 12th April 2012
Copyright Quocirca © 2012

Quocirca has written extensively about privileged user management over the years, including two research reports: "Conquering the sys-admin challenge" in 2011 and "Privileged user management – it's time to take control" in 2009. One of the dangers highlighted in both reports is that if privileged user accounts are compromised the results can be far more serious than when the same happens to the accounts of "normal" unprivileged users. Several vendors specialise in the management of privilege and sys-admin rights, including CA, Cyber-Ark, Centrify, Lieberman Software, Quest Software, Thycotic and UK-based Osirium, which sponsored Quocirca's most recent report.

It is odd, then, that many businesses leave "normal" users with full admin rights in one area: their Windows desktops. IT departments are prone to do this because it makes life easy; users who would otherwise hit a User Account Control (UAC) credential prompt (to install ActiveX components and the like) do not end up raising a constant stream of requests with the helpdesk. However, Windows desktops with full admin rights are a gift to malware writers. Code running as an administrator can disable or tamper with endpoint security software, install drivers and system-wide persistence, and read credentials cached by other users of the machine. Once such a PC is compromised it is therefore far easier to recruit it to a botnet, install key-loggers or use it as a springboard to deeper penetration of an organisation's infrastructure. The default position should be that no desktop runs with full admin rights, and that such rights are granted only for limited periods of time and to enable specific tasks.
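To make the "limited periods, specific tasks" principle concrete, here is the bare-bones version of that pattern in PowerShell. It is an added example written for this page, not any vendor's product: it grants a named account local admin rights and schedules a SYSTEM task to revoke them at a deadline. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module), PowerShell 5.1 or later (for the LocalAccounts module), and that it is run by someone who is already a local administrator; the account name is a placeholder.

```powershell
# Added example, not any vendor's product: the minimal "admin for a limited
# period, for one task" pattern using only built-in cmdlets. Assumes Windows 8
# / Server 2012 or later (ScheduledTasks module) with PowerShell 5.1+
# (LocalAccounts module), run by someone who is already a local admin.
function Grant-TemporaryLocalAdmin {
    param(
        [Parameter(Mandatory)] [string] $User,   # e.g. 'CORP\jsmith' (placeholder)
        [int]    $Minutes = 60,
        [string] $Reason  = 'unspecified'
    )
    $revokeAt = (Get-Date).AddMinutes($Minutes)
    # Task names cannot contain path separators, so flatten DOMAIN\user
    $taskName = 'RevokeLocalAdmin-' + ($User -replace '[\\/:]', '_')

    # A fresh grant replaces any earlier revocation task for the same user
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue

    # Add-LocalGroupMember errors if the principal is already a member, so check first
    $already = Get-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction Stop
    }

    # The revocation runs as SYSTEM at the deadline, so the user logging off does not cancel it
    $cmdArgs = "-NoProfile -NonInteractive -Command `"Remove-LocalGroupMember -Group Administrators -Member '$User'`""
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $cmdArgs
    $trigger = New-ScheduledTaskTrigger -Once -At $revokeAt
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null

    # Return a record of the grant so it can be logged alongside the reason
    [pscustomobject]@{ User = $User; Reason = $Reason; RevokeAt = $revokeAt; Task = $taskName }
}

# Usage (placeholder account): one hour of admin rights to install a printer driver
Grant-TemporaryLocalAdmin -User 'CORP\jsmith' -Minutes 60 -Reason 'Install printer driver'
```

Two caveats show why this is only a starting point. First, Windows builds a user's access token at logon, so the grant and the revocation each take effect only at the next logon; a user who stays logged on keeps the elevated token past the deadline. Second, while elevated, the user (or malware running as the user) can delete the SYSTEM revocation task or simply add themselves back to the group. Elevating a single application rather than the whole user session closes that gap, which is what the dedicated desktop privilege management products do.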

This has led to the emergence of a second group of privilege management vendors whose main focus is getting Windows desktop admin rights under control. They automate the granting of admin rights based on predefined policies, which can apply to applications as well as to users. This helps to minimise the number of UAC requests: when a user needs to install or update a commonly used application, the privilege level can be elevated temporarily for that application, rather than by making the user an administrator. Most of the vendors listed above do not address this specific problem and are therefore partnering in this area. Quocirca has been speaking to two of these vendors recently.

First is Avecto, a UK-based vendor that does half its business in North America. Its product is called Privilege Guard and it has a partnership with Cyber-Ark. Its focus to date has largely been on selling direct to large enterprises, where it links in with Active Directory and its Group Policy engine. However, it can now also link in with McAfee's ePolicy Orchestrator (ePO), a partnership which Avecto sees as key to building a multi-tenant on-demand version of Privilege Guard that will open up the SMB market, where practices regarding the management of Windows privilege tend to be at their worst.

Second is Viewfinity, an Israeli vendor which has just opened its first European office in Amsterdam. It already does 60% of its business via an on-demand platform; the other 40% is on-premise installs at large enterprises. It has partnerships with Lieberman Software and CA, and is integrated with Microsoft System Center Configuration Manager (SCCM) and, of course, Active Directory. Viewfinity has just released V4 of its product. It also has a free "Local Admin Discovery" tool, which lets you find out, at no cost, just how widespread the allocation of admin rights is across your Windows desktop estate. The approach is a bit like those free malware detection tools that tell you about all the gremlins present on your PC but will not let you delete them until you cough up a fee (although Viewfinity's should actually work!)
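The discovery step itself needs no vendor tool. The following PowerShell is an added example written for this page, not Viewfinity's tool or any vendor's code: it pulls the membership of the local Administrators group from a list of desktops and flags the members that should not be there. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), that WinRM is enabled, and that the caller already holds admin rights on every target; the CORP\ group names are placeholders for whatever your own sanctioned admin groups are.

```powershell
# Added example, not Viewfinity's tool or any vendor's code: a fleet-wide
# local-admin discovery in plain PowerShell. Assumes PowerShell 5.1+ on the
# targets (for Get-LocalGroupMember), WinRM enabled, and that the caller
# already has admin rights on every target. 'CORP\...' names are placeholders.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    # Principals that are legitimately in Administrators on every desktop (placeholders)
    [string[]] $Allowed = @('CORP\Domain Admins', 'CORP\Workstation-Admins')
)

# Catch-all principals: if one of these is in Administrators, every user is an admin
$Broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'INTERACTIVE')

# Collect the members of BUILTIN\Administrators from each reachable desktop
$members = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$report = foreach ($m in $members) {
    $short = ($m.Name -split '\\')[-1]      # drop the DOMAIN\ or COMPUTER\ prefix
    if ($m.Name -in $Allowed) {
        $verdict = 'expected'
    }
    elseif ($short -in $Broad) {
        $verdict = 'BROAD-GROUP'            # worst case: everyone who logs on is an admin
    }
    elseif ($m.PrincipalSource -eq 'Local' -and $short -eq 'Administrator') {
        $verdict = 'expected'               # the built-in account is always a member
    }
    elseif ($m.ObjectClass -eq 'User') {
        $verdict = 'USER-ADMIN'             # an individual running with full admin rights
    }
    else {
        $verdict = 'review'                 # some other group; check what it contains
    }
    [pscustomobject]@{
        Computer = $m.PSComputerName        # added by the remoting layer
        Member   = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Verdict  = $verdict
    }
}

$report | Sort-Object Computer, Member | Format-Table -AutoSize

# Fleet-level figure: the share of reachable desktops with at least one unexpected admin
$reached = @($members | Select-Object -ExpandProperty PSComputerName -Unique).Count
$bad     = @($report | Where-Object Verdict -ne 'expected' | Group-Object Computer).Count
$share   = if ($reached) { $bad / $reached } else { 0 }
'{0} of {1} reachable desktops have unexpected local admins ({2:P0})' -f $bad, $reached, $share
```

Run it with `-ComputerName` set to the desktops you want to audit (for example the output of a Get-ADComputer query). Hosts that are switched off or not listening on WinRM are silently skipped and do not count towards the total, so the percentage describes the reachable estate only. On some Windows builds Get-LocalGroupMember fails outright when the group contains an orphaned SID left behind by a deleted account; on such a host fall back to `net localgroup Administrators` and read the list by hand.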

Regardless of the vendor selected (a third player is BeyondTrust), the fee may well be a price worth paying. At this level most malware is opportunistic: it seeks out the most vulnerable and easiest-to-exploit PCs. Once malware has found its way on to a PC, finding full admin rights is a gift; an open invitation to take full advantage of opportunities for data theft or deeper penetration into the infrastructure of the organisation that owns the device and thought it could trust it on its network.

As Quocirca research over the years has shown, there is much poor practice in businesses of all sizes when it comes to the management of privilege and sys-admin rights. Just as was stated in 2009 with regard to the management of core IT infrastructure, when it comes to user desktops, it is time to take control.


Published by: IT Analysis Communications Ltd.