Least Privilege in Windows

I went to a BeyondTrust demo put on at Microsoft’s Herndon, Virginia site. Derek Melber, an MVP in Group Policy, spoke first on Least Privilege. Derek described the need for and the realities of least privilege.

“Microsoft recognizes that to help create a secure, auditable, and compliant enterprise environment, all users should be standard users and ideally not have administrative privileges or access to administrator passwords.” – Austin Wilson, Microsoft Windows Client Security product management director

A number of regulatory frameworks require or hint toward the removal of local administrator rights. 

FISMA 800-53 AC-6
Least Privilege—The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

The Federal Desktop Core Configuration (FDCC) mandates the restriction of administrator rights.

HIPAA – removing admin rights is necessary to control access to healthcare-related data.

PCI – need-to-know and role-based access are required.

In spite of the regulatory and customer requirements, management is often loath to remove administrator rights. Obviously it would be a very unpopular move. However, it seems that when I’m talking to support myself or talking to people at other companies, many times they have implemented removal of administrator rights on a large percentage of computers. I would love to see some trustworthy statistics, broken down by industry, on companies that have successfully removed administrator rights.
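Before claiming that administrator rights have been removed, it helps to measure who actually sits in the local Administrators group. The following PowerShell function is an added example, not code from this post or from BeyondTrust: it collects direct members of the local Administrators group from a set of workstations and reports any principal not on an approved baseline. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember) on the targets and PowerShell Remoting enabled; the computer names and approved groups are constructed placeholders.

```powershell
# Added example (not from the post or from BeyondTrust). Requires PowerShell 5.1+
# on the targets (Microsoft.PowerShell.LocalAccounts) and PowerShell Remoting.
# The computer names and approved list below are constructed placeholders.

function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $Approved      # 'DOMAIN\Name' entries allowed to be local admins
    )

    # Collect every direct member of the local Administrators group on each host.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $_.Name             # e.g. CONTOSO\jdoe or HOST\LocalUser
                ObjectClass     = $_.ObjectClass      # User or Group
                PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
                Sid             = $_.SID.Value
            }
        }
    }

    # The built-in Administrator account always has RID 500, whatever it has been
    # renamed to; keep it and anything on the approved list, flag everything else.
    $members | Where-Object {
        -not ($_.Sid -match '-500$') -and ($Approved -notcontains $_.Member)
    }
}

# Constructed sample run. Domain groups are reported but not expanded, so nested
# membership (who is inside 'Workstation Admins') must be reviewed in AD separately.
$findings = Get-UnexpectedLocalAdmin `
    -ComputerName @('WKS-0001', 'WKS-0002') `
    -Approved @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

$findings | Sort-Object Computer, Member | Format-Table -AutoSize
$findings | Export-Csv -Path '.\local-admin-findings.csv' -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run turns the one-time cleanup into a detection: any new row is either an approved change or someone re-granting local admin.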

BeyondTrust’s product allows you to granularly provide the ability to perform certain actions without giving away the store. I expect to write a bit more when I’ve had a chance to try out their product.

One Comment

  1. Roger,

    Thanks for the blog and “passing the torch” of information! Least Privilege is so important and when companies can solve it, the entire network becomes more stable and secure.
    Good luck with your BeyondTrust (www.beyondtrust.com) PowerBroker implementation and be sure to email me with any questions!

    For the rest of you, you can download a fully functional trial of PowerBroker at http://www.beyondtrust.com! I will be in many different cities, talking about PowerBroker and least privilege coming up. Please visit the BeyondTrust site for these seminars, as well as visit http://www.misti.com to see me at InfoSec World, where I am a chair and will be giving more demonstrations.

    Derek Melber, MVP
