Article by Scott Hesford, BeyondTrust’s Director of Solutions Engineering for Asia-Pacific and Japan.
Microsoft Windows has a clear market advantage in computing. No other vendor has produced a successful server and desktop operating system pair that excels in compatibility, authentication, productivity, and architecture. Unfortunately, it is a victim of its own success.
According to IDC, about four out of five desktop computers run Microsoft Windows, making the operating system a prime target for hackers. With more eyes on the prize, there are more opportunities to find weaknesses, leading to potential havoc for Windows customers. "Windows shops" know the drill all too well: the price of a fast pipeline of new features is a significant monthly patch cycle, plus semi-regular out-of-band patches to address the most urgent or critical vulnerabilities.
But patching is not always possible or desirable. This awareness alone leads organizations to consider other measures to mitigate vulnerabilities as part of a Windows risk-reduction strategy. In addition, the computing world is changing. Organizations still want access to cutting-edge technology innovation – new products and features – to stay relevant or gain competitive advantage, but they no longer see security as a barrier to the pace of innovation.
Security is now seen as an essential element to operationalize technology in a safe and responsible way. In a world where security threats are so pervasive, malicious, and demonstrably harmful to organizations, Windows Access Security — and innovative security — is more relevant than innovation alone.
The recent Follina vulnerability shows that Windows customers need to do more than rely on Endpoint Protection – whether modern, AI-based or more traditional approaches – to mitigate the risks associated with Windows vulnerabilities.
Follina is a zero-day remote code execution (RCE) vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT). It allows an attacker to execute arbitrary code via a malicious Microsoft Office document and is most commonly delivered through phishing emails.
According to Microsoft, "An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the calling application. The attacker can then install programs, display, modify or delete data, or create new accounts within the framework authorized by the user's rights."
The success of MS Office automation, productivity, and functionality led to the exploitation of a vulnerability (Follina) in an operating-system tool used to diagnose problems. Chaining the two together is one of the reasons for the success of this attack and a case study for potential future attack vectors.
But the Follina vulnerability is also a consequence of a flaw that affects all computing devices and is particularly painful for Microsoft Windows: administrative privileges. If administrative rights or privileges were not so widely distributed or so permissive, the impact of exploiting vulnerabilities like Follina could be far more contained and would warrant less concern or action from administrators.
But Follina is just the tip of the iceberg. Between 2015 and 2020, up to 75% of critical vulnerabilities could have been mitigated by removing administrator rights, according to BeyondTrust’s Microsoft Vulnerabilities Report.
Administrative privileges aren't inherently a bad thing – the problem arises when organizations fail, or are unable, to enforce granular control over them. Going back to early versions of Windows with built-in networking, administrative rights allowed users to do and access anything on their networks. At the time, the operating system itself had no built-in security to control granular access or to provide role-based access and segregation of duties.
Back then, most IT pros simply gave everyone administrative rights to their local system, as that was the easiest way to ensure everyone had the levels of access they needed to do their jobs. The risks of granting blanket admin rights were not well understood, and making every user a local admin was adopted almost everywhere.
Today, security teams know that the vast majority of malware and attacks exploit user privileges and rights to gain the necessary level of network access or to achieve lateral movement. Once an application, a piece of malware, or a user obtains admin rights, it can effectively do anything on the system. As administrative rights have not yet evolved enough to be secure, the most effective approach is to remove them wherever possible: make everyone a standard user and handle the tasks that require elevated privileges as an exception, not the norm.
Privilege management tools can help organizations remove administrative privileges from overprovisioned or overly permissive users and enforce true least privilege (just enough privilege plus just-in-time access). Implementing the Principle of Least Privilege (PoLP) delivers significant protective power: an attacker's code will only run in the context of the targeted user, which poses far less risk when that user is a standard user without administrative privileges than when it is a local administrator.
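A first step toward the "standard user by default" posture described above is knowing who actually holds local admin today. The following PowerShell script is an added example, not code from the article or from BeyondTrust: it lists members of the local Administrators group on a Windows host and reports any account not on an approved allowlist. It assumes PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module; the allowlist entries are constructed placeholders.

```powershell
# Added example (not from the article): audit local Administrators membership
# and flag accounts that fall outside an approved allowlist.
# Assumes Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts, PS 5.1+).

# Constructed allowlist: the built-in Administrator (ideally disabled or managed)
# and a hypothetical domain group for sanctioned workstation admins.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    "CORP\Workstation-Admins"      # placeholder AD group name
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Allowlist = $Approved)

    # Enumerate every principal (user or group, local or domain) in Administrators.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        if ($Allowlist -notcontains $m.Name) {
            [pscustomobject]@{
                Name        = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD
            }
        }
    }
}

$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    Write-Warning "Accounts holding local admin outside the allowlist:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators group matches the allowlist."
}
```

Run it across a fleet (for example via a scheduled task or your endpoint management tool) and the output becomes the worklist for removing admin rights and moving those users to standard accounts with exception-based elevation.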
This represents the single largest strategic adjustment an organization can make in managing Windows accounts for end users to mitigate this persistent issue.