I have found that there is one question by which I judge the security competency of an IT department. I don't ask them about their certifications, budgets, firewalls or next-generation behavioral analysis tools. The reason I don't ask that is that none of these common tropes of information security programs can effectively mitigate the risks created by this simple security misconfiguration. So what is this one question that provides such insight into their information security competencies? I simply ask if all of their users have administrative rights to their workstations.
The plethora of excuses that I hear when an IT department has committed this onerous sin usually includes several common themes. They explain that their software requires administrative access and doesn't function without it. Others explain how much easier it is to let the users install their own software updates to applications when prompted, since the IT department won't have as much work to do if the users can install their own software.
Leave the excuses behind
There is some truth in these excuses. There are a few applications that do require administrative access to the workstation. These applications usually require direct access to hardware, and they don't utilize standard Windows APIs. Some examples of these types of applications include integrated custom CD/DVD burning tools or the evil curse of hardware license dongles. However, there are not enough of these exceptions to make administrative access the norm for all users in an organization; the risks are just too high.
There is also truth in most IT departments being woefully under-resourced, and staff having to become "jacks of all trades and masters of none." The time it would take to work through each application and determine the appropriate security permissions is now a distant memory for IT.
System administration skills have lost their luster to the new app economy and DevOps style administration. Not only does no one have the time to configure security appropriately, they will actually be seen as roadblocks in the organization if they attempt to spend the time necessary to build a secure system. No one seems to realize that the time spent to securely configure a system will have the greatest ROI of any security investment the company can make.
Organizations that do allow all of their users to have administrative access to their Windows computers have made it much easier for their networks to be attacked. An attacker only has to get a victim to visit a webpage or open an attachment with a malicious payload. The payload can then install for all of the machine's users with the victim's elevated credentials. Antivirus software can then be disabled to allow for the use of more common tools for further attacks. Event log entries can be cleared to cover the tracks of the attacker and to prevent discovery.
The biggest issue that most organizations do not realize is that, in the event of such an attack, the attacker would then also have access to all of the credentials stored on the hacked machine. Tools like mimikatz can be used to pull these passwords directly from system memory. Complex, 27-character passwords will then be rendered useless. Even the old tool from the 1990s, Cain & Abel, can still be used to extract credentials from a Windows PC.
The PC technicians who originally configured the system leave cached credentials stored locally that can be accessed and cracked. Service accounts running on the PC are vulnerable to these attacks as well. Using these credentials, the attacker can access all of the computers on the network and move laterally with valid logins, making detection nearly impossible. They can easily move from using these techniques to access one PC to acquiring Domain Admin access to the network. This is when the expensive data breach becomes inevitable.
Defend your organization against exposure
The best defense against these attacks is to reduce your exposure by severely limiting administrative access. Make the attacker work at elevating their privileges on a workstation, as you might just catch them when they do.
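A quick way to answer the article's one question for your own fleet is to audit who actually sits in the local Administrators group. The script below is an added example, not part of the original article; the approved-member list and the domain group name are placeholders for your environment, and it needs Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts) run from an elevated IT-staff session.

```powershell
# Added example (not from the original article): report every member of the
# local Administrators group that is not on an approved list. Anything that
# shows up here, typically individual user accounts or "Domain Users", is the
# misconfiguration the article describes.

# Approved members: the built-in local Administrator and one domain group
# for workstation support staff. Both names are placeholders; adjust them.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Workstation Admins'        # placeholder domain group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$extra = @(Get-UnapprovedLocalAdmins -Approved $Approved)
if ($extra.Count -gt 0) {
    Write-Warning "$($extra.Count) unapproved member(s) of local Administrators on $env:COMPUTERNAME"
    $extra | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators on $env:COMPUTERNAME matches the approved list."
}
```

To run the same check across many workstations, wrap the function in `Invoke-Command -ComputerName` against your inventory list and collect the output centrally; a machine whose report is not empty is a machine an attacker only has to phish once.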
Most applications that require administrative access only need access to the "C:\Program Files" directory or one of the system directories under "C:\Windows." They might also need the ability to write to areas of the registry outside of the user profile, such as "HKLM." Free tools like Process Explorer and Process Monitor from Microsoft Sysinternals can be invaluable for finding these permissions issues in both the registry and the file system.
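Once Process Monitor (filtered on Result is ACCESS DENIED) has shown exactly which folder and registry key an application writes to, the fix is a targeted grant on those locations rather than local admin rights. The script below is an added example, not from the original article; the application folder, registry key and the domain group that should use the application are placeholders.

```powershell
# Added example (not from the original article): give an application's users
# Modify rights on only the folder and HKLM key Process Monitor showed failing,
# instead of making the users local administrators. Run elevated, once, by IT.
$AppFolder = 'C:\Program Files\LegacyApp\Data'     # placeholder path
$AppKey    = 'HKLM:\SOFTWARE\LegacyApp'            # placeholder key
$Principal = 'CORP\LegacyApp Users'                # placeholder domain group

# Apply the grant to the container, its subkeys/subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Modify = read/write/delete contents, but not change permissions or owner.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'Modify', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryKeyModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Read and write values and subkeys; deliberately no ChangePermissions/TakeOwnership.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey, Delete'
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity, $rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderModify      -Path $AppFolder -Identity $Principal
Grant-RegistryKeyModify -Path $AppKey    -Identity $Principal

# Verify: list only the explicit (non-inherited) entries granted to the group.
(Get-Acl -Path $AppFolder).Access |
    Where-Object { $_.IdentityReference -eq $Principal -and -not $_.IsInherited }
(Get-Acl -Path $AppKey).Access |
    Where-Object { $_.IdentityReference -eq $Principal -and -not $_.IsInherited }
```

Re-run the application under a standard user account with Process Monitor still capturing; if no ACCESS DENIED results remain, the application never needed administrative rights, only these two grants.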
However, these tools will be useless without investing the time required to get them configured. IT staff can work with management to show them how properly managed machines can reduce the overall costs of supporting their technology infrastructure. Most organizations will understand and respond better to cost reductions than risk mitigation techniques. If all of this fails, it might be time to perform a demonstration for management using mimikatz or a similar tool to dump all of the credentials from a test computer. If that doesn't grab their attention, nothing will.