Justifying the Effort to Eliminate Administrator Privileges

by Greg Shields

Making the decision to eliminate administrator privileges seems like a technically defensible goal. The first article of this series has already discussed the recent report that shows how “removing administrator rights will better protect companies against the exploitation of:

These technical reasons should be enough for our organizations to see the value in reducing the spread of privileges or eliminating them altogether. But, as we all know, the technical reasons for doing a thing are not always aligned with the business culture’s desire to change.

For situations like this, regulatory compliance can sometimes come to our aid. Although those of us who implement and operate IT systems often find regulatory compliance a hindrance to the tasks we need to accomplish, those same business requirements can sometimes help us solve the problems we need to solve.

This is particularly the case with eliminating administrator privileges. You’ll discover that the rules of regulatory compliance are on your side when it comes to moving your business to a more secure operating environment.

For example, consider the following compliance regulations and how they can have an impact on moving your environment away from the spread of administrative privileges:

  • Federal Desktop Core Configuration (FDCC). Desktops that operate within federal government spaces are generally required to follow the guidelines laid out in the FDCC. Highly specific in the desktop settings it mandates, the FDCC effectively restricts administrative privileges to those users with a specific requirement to have them; everyone else runs as a standard user. If your organization falls under the rules of the FDCC, you likely are already, or will soon be, looking for ways to remove those privileges from your standard users.
  • Sarbanes-Oxley. SOX includes four sections that relate to the practices of IT operations. These sections generally concern the requirement to prove that only the right people have access to the right data, and that specific types of data cannot be altered. Because administrators have a greater ability to bypass the common controls that protect data, removing administrative rights from those whose job role does not require them goes a long way toward demonstrating SOX compliance.
  • The Payment Card Industry Data Security Standard. PCI DSS includes a number of highly specific requirements for the protection of payment card data, the systems that store that data, and the systems that interconnect with those systems. Its data-protection goals are well served by limiting administrator rights to only those individuals whose job requires them. The standard also requires a process whereby the activities of users and administrators are recorded in an audit trail that is protected against alteration and deletion. Because an administrator on a logging system is exactly the person who could alter or delete that trail, this requirement is also well served by restricting administrator access on the systems that come in contact with payment card data.
  • The Health Insurance Portability and Accountability Act. HIPAA was designed to, among other things, establish a set of standards for the protection of electronic patient health information. This information, which provides details about individual patients and their medical history, must be protected in very specific ways to ensure that it is not inadvertently disclosed to inappropriate parties. One of the challenges with patient health data, particularly in comparison with the other industries in this list, is that it must be viewed by many individuals in many locations. Your doctors, nurses, and in some cases even the administrative staff who work with such records require access, often in more than one location. Securing that data is therefore exceptionally important. One mechanism for securing it, and for denying a would-be attacker the ability to cover their tracks, is the elimination of administrative rights.
  • The Gramm-Leach-Bliley Financial Services Modernization Act. GLBA includes language that instructs financial services institutions on how to handle customer data and information. GLBA’s Financial Privacy Rule and Safeguards Rule require financial services institutions to incorporate safeguards that protect this information from accidental or malicious disclosure. As with patient health information under HIPAA, this information is consumed by many individuals in many locations. Protecting it well therefore means ensuring that those consumers have the least privileges necessary to accomplish their jobs.

Each of these legal requirements augments your security rationale for eliminating administrator rights in your organization. You will go a long way toward ensuring the safety and security of your core operating environment by reducing the attack surface available to potential exploits. You will also protect your business’ critical data against the bad guys who would exploit it, as well as the good guys who would accidentally expose it to the wrong individuals.


About the Author

Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences such as TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of the Microsoft “Most Valuable Professional” award.

© 2012 Realtime Publishers