Least Privilege Enforcement
53% of inside data breaches in 2016 were attributed to privilege misuse
In 2006, The University of Texas Health Science Center at San Antonio established a policy prescribing the use of least privilege. HOP Policy & Standard 5.8.8 directs the University to “establish restrictions on user accounts and access” and states that “account creation and authorization processes must be based on the principles of least privilege…”. University of Texas System policy UTS 165 Standard 5 additionally states to “ensure that all administrative/special access accounts with elevated access to privileges on computers are used only for their intended administrative purpose…”.
Contrary to the policies, it has always been the shared sentiment of University departments that users were required to have full administrative privileges to their computers to minimize disruption and limit technical support consumption due to resource constraints. Although this may have been an effective practice to bolster efficiencies in the past, recent trends in University cybersecurity incidents suggest otherwise. Here is why:
|Malware infections per year||Time spent on remediation per incident||Total hours spent on remediation per year||Total spent on remediation per year (avg salary of $50K)||Total production hours lost|
As indicated, current University practices of privilege misuse are not just disruptive to the user, but represent a significant burden on operating expenses.
This growing trend in cybersecurity incidents is attributed to phishing emails containing ransomware. Ransomware is malicious software that encrypts the data on a computer or mobile device until a sum of money, or ransom, is paid. These infections can originate from opening an email attachment or clicking on a link leading to a compromised web site. Once the user opens the file attachment or clicks on the link, ransomware will encrypt all files on the device, any attached drives, backup drives and potentially other computers on the network within minutes. Ransomware attacks are not only proliferating, they are becoming more sophisticated.
UT Health San Antonio proactively reduces the threat of Ransomware infections
The University is taking several measures, such as continuous training and awareness to educate users on the most current cyber threats, and ensuring anti-malware is installed. In addition, IMS will implement a solution called least privilege management that eliminates the risk of local users having administrator privileges on PCs. Security analysts have discovered that running Windows under an account without administrative privileges could mitigate up to 94% of critical Microsoft vulnerabilities.
Of course, exceptions are expected to this fundamental practice. Although users should not be granted local administrator or “power user” privileges to their computers, certain applications may require elevated privileges to run. For example, users often need to install printers or authorized software, or to change network settings on their own machines. Removing these privileges will prevent users from performing these functions and may disrupt business processes and obstruct user productivity, and as a result can overburden the Service Desk with support calls. Sound familiar?
In an effort to address the potential repercussions of enforcing least privilege, Information Management and Services (IMS) is offering a free solution to University departments – the BeyondTrust PowerBroker for Windows. This solution will enable departments with technical and non-technical TSRs to scale back the use of administrative privileges methodically and systematically. Users will still be able to perform the same computing functions they are used to, even though their administrative privileges have been scaled back. This is achieved by granting elevated privileges to the applications and functions that need to run as an administrator, instead of to the user. This bridges the gap between preserving user productivity and mitigating the risks.
Frequently Asked Questions (FAQs)
- To whom does this apply?
This applies to standard users who currently have administrative privileges on their Windows domain computers.
- How do I know if I have administrative privileges on my computer?
- Open a command prompt
  Windows 7
  a. Click the Start button
  b. Type cmd in the box labeled Search programs and files and press Enter
  Windows 8/10
  a. Right-click the Start button
  b. Click Run
  c. Type cmd and press Enter
- At the command prompt, type net localgroup administrators and press Enter
If you see your username in the Members column, you have administrative privileges. For example,
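The net localgroup administrators check lists only direct members, so an account that gains administrator rights through a nested domain group will not appear by username. The PowerShell below is an added example, not part of the original page: it reads the current logon token with whoami and reports whether the local Administrators group is present and whether the session is elevated. It assumes whoami returns its attribute text in English; the SID is the same on every Windows install.

```powershell
# Added example: classify the signed-in account's local administrator status.
# Assumption: English-language attribute text from whoami ("deny only").

# Well-known SID of the local Administrators group (locale-independent).
$AdminSid = 'S-1-5-32-544'

# whoami /groups prints every group in the logon token, so membership inherited
# through a nested domain group is included. /nh drops the localized header row
# so that fixed column names can be supplied here.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes

$entry = $groups | Where-Object { $_.SID -eq $AdminSid }

if (-not $entry) {
    # The Administrators SID is absent from the token entirely.
    'Standard user: this account has no local administrator rights.'
}
elseif ($entry.Attributes -match 'deny only') {
    # UAC has filtered the token: the account is an administrator and can
    # elevate, but this session is running without those rights.
    'Administrator (not elevated): this account can still elevate to full rights.'
}
else {
    'Administrator (elevated): this session is running with full administrative rights.'
}
```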
- What is the difference between the privileges of a standard level user and an administrative level user?
Standard level users can access email, browse the internet, and run programs that the account is authorized to access. Administrator level users can do everything standard level users can do as well as install software and configure computer and network settings.
- Why are standard user accounts more secure?
If a user is logged on with administrative rights, malicious software can take control of the affected system and infect other computers in the network. If a user is logged on with standard level privileges, malicious software will try to install or alter a system’s configuration but the system will require an administrator's ID and password for these actions to occur. Assuming that the user does not provide those credentials, the malicious activity cannot proceed any further.
- Administrative privileges have been removed from my computer; who do I contact for assistance if I'm prompted for an administrator username and password (Example: to install new software)?
Please contact your TSR for next steps. If you do not have a TSR for your department, please contact the IMS Service Desk at 210-567-7777.
- I don't know my TSR; what do I do?
Please reference the TSR listing to find your TSR. If you do not see a TSR for your department, please contact the IMS Service Desk at 210-567-7777.
- When I'm off campus can I still use the VPN and Remote Desktop without administrative privileges?
Yes, VPN and Remote Desktop can be accessed with standard level privileges.
- What if I need administrator level access?
Most users will only need standard level privileges to check email, browse the web, and run day-to-day applications to achieve their job duties. If administrator level privileges are needed to install software or change the settings on a system’s configuration, please contact your TSR or the IMS Service Desk at 210-567-7777. Those who are not technical TSRs or otherwise IT staff that need administrative privileges on a system will need to fill out an exemption request form and describe their business case with sufficient rationale.
- What is the name of the solution?
BeyondTrust PowerBroker for Windows (BT PBW)
- How can I take advantage of the solution?
- Select an option most fitting for your needs.
| Option | Use BT PBW | Admin Responsibilities | Use Case |
|---|---|---|---|
| 1 | Yes | TSR | Departments with technical TSRs or those with dedicated IT staff who will need the BT PBW solution to systematically remove standard users from the local administrator group. |
| 2 | Yes | IMS | Departments without technical TSRs who will need the BT PBW solution to systematically remove standard users from the local administrator group. |
| 3 | No | N/A | Departments who will not need a solution to systematically remove standard users from the local administrator group. |
- Request licenses for your department computers.
- What if I select option 3?
Selecting option 3 will NOT preclude your standard users from being removed from the local administrator’s group. Option 3 means that by default your department will lose administrative privileges for standard users, and your department will be opting out of using the BeyondTrust PowerBroker for Windows product – intended to remove local administrative privileges from standard users in a systematic manner.
- How do I request licenses?
Please email Dan Vidales at firstname.lastname@example.org
Use subject line: BT PBW License Request
Provide the following in the body of the email:
- Department Name:
- Licenses Needed (licensed per computer):
- Active Directory OU of your dept. (if applicable):
- How will the solution be deployed?
IMS will deploy the BT PBW client to all of the computers licensed under options 1 and 2. This will be performed either through Active Directory or Dell KACE.
- How will I enforce least privilege for my department?
- Select an option from TSR FAQ #2 appropriate to your department.
- Request licenses.
- Preserve or add users with justifiable needs to the local administrators' groups, such as technical TSRs required to support their computing environments.
- Remove standard users from the local administrators' groups on your Windows domain computers (IMS will assist you or will automate it for you).
- Depending on when the PC was last used, users will either have to log off and log back in or reboot their system for least privilege to take effect.
- What dates do I need to be aware of?
March 17, 2017: Windows domain users will be removed from local PC administrator groups. Technical support will be provided by TSRs and/or the IMS Service Desk.
- Will Technical TSRs be the only ones able to keep administrative privileges on computers?
No, although it is recommended that only technical TSRs or other IT staff be granted administrator privileges. Those who are not technical TSRs or otherwise IT staff will require a business case with sufficient rationale in order to justify keeping administrative privileges on a system. An exemption request form must be filled out and submitted to Information Security for approval.
- What do I need to do after I have requested my licenses?
IMS will be contacting each TSR to schedule a kick-off call to onboard each department opting to use the solution (options 1 and 2). Training will subsequently follow to ensure the TSRs who will be managing their own environments (option 1) through the BT PBW system are adequately trained on using the solution.