Least Privilege Enforcement

53% of inside data breaches in 2016 were attributed to privilege misuse

(Verizon Data Breach Investigative Report, 2016)

In 2006, The University of Texas Health Science Center at San Antonio established a policy prescribing the use of least privilege as it states under HOP Policy & Standard 5.8.8 to “establish restrictions on user accounts and access” and “account creation and authorization processes must be based on the principles of least privilege…”. Additionally, it also states under University of Texas System policy UTS 165 Standard 5 to “ensure that all administrative/special access accounts with elevated access to privileges on computers are used only for their intended administrative purpose…”.

Contrary to the policies, it has always been the shared sentiment of University departments that users were required to have full administrative privileges to their computers to minimize disruption and limit technical support consumption due to resource constraints. Although this may have been an effective practice to bolster efficiencies in the past, recent trends in University cybersecurity incidents suggest otherwise. Here is why:

As indicated, current University practices of privilege misuse are not just disruptive to the user, but represent a significant burden on operating expenses.

This growing trend in cybersecurity incidents is attributed to phishing emails containing ransomware. Ransomware is a malicious software that encrypts the data on a computer or mobile device until a sum of money or ransom is paid. These infections can originate from opening an email attachment or clicking on a link leading to a compromised web site. Once the user opens the file attachment or clicks on the link, ransomware will encrypt all files on the device, any attached drives, backup drives and potentially other computers on the network within minutes. Ransomware attacks are not only proliferating, they are becoming more sophisticated.

UT Health San Antonio proactively reduces the threat of Ransomware infections

There are many things the University is doing such as continuous training and awareness to educate users on the most current cyber threats and ensuring anti-malware is installed. In addition, IMS will also implement a solution called least privilege management that eliminates the risk of local users having administrator privileges on PC’s. Security analysts have discovered that running Windows under an account without administrative privileges could mitigate up to 94% of critical Microsoft vulnerabilities.

Of course, exceptions are expected to this fundamental practice. Although users should not be granted local administrator or “power user” privileges to their computers, certain applications may require elevated privileges to run. For example, users often need to install printers or authorized software, or to change network settings on their own machines. Removing these privileges will prevent users from performing these functions and may disrupt business processes and obstruct user productivity, and as a result can overburden the Service Desk with support calls. Sound familiar?

In an effort to address the potential repercussions of enforcing least privilege, Information Management and Services (IMS) is offering a free solution to University departments – the BeyondTrust PowerBroker for Windows. This solution will enable departments to scale back the use of administrative privileges methodically and systematically. This will ensure users will still be able to perform the same computing functions they are used to, though their administrative privileges have been scaled back. This will be achieved by granting the applications and functions that need to run as an administrator with elevated privileges instead of the user. This will bridge the gap between preserving user productivity while still mitigating the risks.

Frequently Asked Questions (FAQs)

General FAQs

1. To whom does this apply?
   This applies to standard users who currently have administrative privileges on their Windows domain computers.
2. How do I know if I have administrative privileges on my computer?
   1. Open a command prompt

2. At the command prompt, type net localgroup administrators and press Enter
   If you see your username in the Members column, you have administrative privileges.
   For example,
   smithj
   UTHSCSA\smithj

3. What is the difference between the privileges of a standard level user and an administrative level user?
Standard level users can access email, browse the internet, and run programs that the account is authorized to access. Administrator level users can do everything standard level users can do as well as install software and configure computer and network settings.

4. Why are standard user accounts more secure?
If a user is logged on with administrative rights, malicious software can take control of the affected system and infect other computers in the network. If a user is logged on with standard level privileges, malicious software will try to install or alter a system’s configuration but the system will require an administrator’s ID and password for these actions to occur. Assuming that the user does not provide those credentials, the malicious activity cannot proceed any further.

5. Administrative privileges have been removed from my computer; who do I contact for assistance if I’m prompted for an administrator username and password (Example: to install new software)?
Please contact the IMS Service Desk at 210-567-7777.

6. When I’m off campus can I still use the VPN and Remote Desktop without administrative privileges?
Yes, VPN and Remote Desktop can be accessed with standard level privileges.

7. What if I need administrator level access?
Most users will only need standard level privileges to check email, browse the web, and run day-to-day applications to achieve their job duties. If administrator level privileges are needed to install software or change the settings on a system’s configuration, please contact your IT Partner or the IMS Service Desk at 210-567-7777. Those who are not IT staff that need administrative privileges on a system will need to fill out an exemption request form and describe their business case with sufficient rationale.

Solution FAQs

1. What is the name of the solution?
   BeyondTrust PowerBroker for Windows (BT PBW) [Click here for more information]
2. How can I take advantage of the solution?
   1. Select an option most fitting for your needs.

2. Request licenses for your department computers.

3. What if I select option 3?
Selecting option 3 will NOT preclude your standard users from being removed from the local administrator’s group. Option 3 means that by default your department will lose administrative privileges for standard users, and your department will be opting out of using the BeyondTrust PowerBroker for Windows product – intended to remove local administrative privileges from standard users in a systematic manner.

4. How do I request licenses?
Please email Dan Vidales atvidalesd@uthscsa.edu
Use subject line: BT PBW License Request
Provide the following in the body of the email:

1. 1. Department Name:
   2. Licenses Needed (licensed per computer):
   3. Active Directory OU of your dept. (if applicable):

5. How will the solution be deployed?
IMS will deploy the BT PBW client to all of the computers licensed under option 1. This will be performed either through IT management tools.

6. How will I enforce least privilege for my department?

1. 1. Select an option from General FAQ appropriate to your department.
   2. Request licenses.
   3. Depending on when the PC was last used, users will either have to log off and log back in or reboot their system for least privilege to take into effect.

7. What dates do I need to be aware of? March 17, 2017: Windows domain users will be removed from local PC administrator groups. Technical support will be provided the IMS Service Desk.

Frequently Asked Questions (FAQs)