A “Least Risk” Approach to Windows 7

Mark Austin, Avecto’s CTO, shares his best-practice approach and advice on securing your Windows 7 environment

There have been many articles written discussing the risks posed by admin rights. This isn’t another one of those articles. If you don’t understand the risks, or even worse have decided to turn a blind eye, then there’s nothing in this text that is going to help you. Instead, this article assumes you not only understand, but are ready to tackle the problem. If you’re ready to create a ‘least risk’ Windows 7 desktop, let’s get started.

Balanced privileges
The biggest challenge of Windows 7 is that it’s all or nothing. You either have standard user rights or admin rights – there’s no middle ground and it’s virtually impossible to strike the perfect balance. The reality is that users with admin rights introduce unacceptable levels of risk. So, however daunting, the first thing you must do is revoke admin rights from users.
 
Step One: Revoke admin rights
That’s probably easier said than done in the majority of organisations, right? Do you know which of your users have admin rights? Even if you think you do, I would hazard a guess that there are more privileged users within your enterprise than you are actually aware of. The majority of organisations bestow admin rights on a case-by-case basis, often under pressure to solve a problem, and then fail to maintain a perfect record or revoke every account when it is no longer needed. Microsoft offers a tool that can help:

 Microsoft Baseline Security Analyzer (MBSA): a useful tool to highlight various potential security risks on your endpoints. In addition to scanning the endpoints and identifying potential security risks that may need remediation, it will also determine if there are more than two local admin accounts on an endpoint – a clear indicator that there are local admins on those devices that need to be revoked.

Of course, if that were all that’s needed, you’d be laughing – and I’d be out of a job!

Revoking admin rights is just the tip of the iceberg – there’s still the ongoing problem of why you gave admin rights in the first place.
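To answer the Step One question of which users actually hold admin rights, the following added example (not part of the original article and not Microsoft's MBSA code) inventories the local Administrators group on each endpoint and reports machines with more than two members, the same signal described above. The names endpoints.txt, local-admins.csv and Get-LocalAdminMember are assumptions made for illustration.

```powershell
# Added example: inventory local Administrators membership.
# Written for PowerShell 2.0, the version that ships with Windows 7.
# Assumptions: endpoints.txt (hypothetical) lists one computer name per line,
# and the account running this is allowed to query those machines remotely.

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Resolve the group name from its well-known SID (S-1-5-32-544) so the
    # script also works on localized builds. The name is resolved on the
    # machine running the script, so targets are assumed to share its language.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
    $group = [ADSI]"WinNT://$ComputerName/$name,group"

    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t    = $m.GetType()
        $path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $cls  = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $path -replace '^WinNT://', ''
            Class    = $cls    # User or Group
            # Local accounts carry the computer name in their path; domain ones do not.
            IsLocal  = $path -match "/$([regex]::Escape($ComputerName))/"
        }
    }
}

# Collect membership from every endpoint; unreachable machines are reported,
# not silently skipped, so gaps in the inventory are visible.
$report = foreach ($pc in Get-Content .\endpoints.txt) {
    try   { Get-LocalAdminMember -ComputerName $pc }
    catch { Write-Warning "${pc}: $($_.Exception.Message)" }
}

# Keep only machines whose Administrators group has more than two members.
$report | Group-Object Computer | Where-Object { $_.Count -gt 2 } |
    ForEach-Object { $_.Group } |
    Select-Object Computer, Member, Class, IsLocal |
    Export-Csv .\local-admins.csv -NoTypeInformation
```

Rows with Class set to Group need a second look, because every member of a nested domain group inherits local admin rights on that endpoint.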

Step Two: Forewarned is forearmed
You need to look at, and prepare for, what’s driving the need for admin rights in your organisation. By doing this you can develop strategies to overcome this ongoing requirement.

One place to start is to look at how you will fix problem applications moving forward. Luckily, there are several approaches that you can use to tackle these issues:

 Microsoft’s Application Compatibility Toolkit (ACT): this allows you to identify problems with particular applications and then create shims (a shim alters the behaviour of an application) to solve compatibility problems. ACT is not limited to fixing admin related problems, but it does have a few shims that solve common admin related issues, relating to the file system and registry. It’s not a fix for all programs, and can be quite difficult and time consuming to use, but it may give you some breathing space.

 Relaxing file and registry permissions: while this can be done, and I’m sure there will be many of you guilty of this, it isn’t something I would recommend, and certainly not to excess. I suggest using the free Process Monitor tool from Microsoft TechNet to identify file and registry access problems. However, by relaxing permissions on certain files and registry settings you’re weakening the security of the build. It’s a bit like a knight taking his chain mail and cutting away sections so it doesn’t chafe!

 Virtualizing applications: this is a fairly common trend, as virtualizing applications can provide many benefits. By virtualizing an application you may find that a problem application can now run under a standard user account, rather than requiring full admin rights, but this should only be considered as part of a broader project to virtualize applications, as it’s a big undertaking. Again, don’t expect it to solve all admin related issues, but it may fix some problem applications due to the virtualization of file and registry operations.

 Windows XP mode in Windows 7: often considered a solution for compatibility problems that can’t be solved any other way, as some applications simply won’t run on Windows 7. The principle here is that, although you’re running Windows 7, you’re also running a Windows XP operating system in a virtual machine that’s hidden away. Applications in the Windows XP environment can be integrated into the Windows 7 start menu, and any applications that are launched from Windows XP will appear on the Windows 7 desktop as seamless windows. However, there is a downside: you’re running another operating system, albeit in a virtual machine, so it will need antivirus, regular patching and any other endpoint security software that runs as part of your standard operating environment. Again, this is a big undertaking, so it should only be considered as a last resort, and most applications that require admin rights on Windows 7 tend to require admin rights on Windows XP too.

 Task Scheduler: this can be used to schedule tasks to run under the system account. It is limited, as any applications that run this way will not have access to the user’s context or profile settings. That said, it may be useful for privileged scripts that users need to run, where there is no interaction with the user once the application has been launched.

Even having gone through the approaches outlined above, the likelihood is there will still be applications that are causing you problems. It could be that you can’t fix some applications, or it may be that it’s too difficult, and in many cases the applications will simply require admin rights to run.

Step Three: Bring in reinforcements
There will always be some tasks that users need to run that can’t be fixed without granting admin rights. However, as soon as you start temporarily granting admin rights, even to just one person, then you’re on a slippery slope back to the start of this article. Alternatively, technology could provide the answer.

There are solutions available that will allow you to set all your users up with standard user accounts, and elevate the individual applications and tasks that a user needs to perform their day-to-day role. If you do decide to explore this route you will need to consider how the solution is controlled and managed. For example, you will want a technology that is centrally managed; a solution that integrates seamlessly into Active Directory Group Policy provides a scalable, hierarchical, policy-based approach with delegated administration.

A strong end user experience is also crucial when removing admin rights, and so the technology should provide a very flexible and fully customizable messaging capability, as clear communication can reduce or eliminate help desk calls and encourage user acceptance.

An additional benefit of using technology is in its ability to provide detailed audit trails, and if required, application forensics, so that you can understand the behaviour of privileged applications. This is especially relevant from a compliance perspective.

So, what do you think? It’s not going to be easy but, with a little determination, you can create the perfect balance – standard users that are able to function. Are you ready to take on the challenge and create a least risk Windows 7 desktop?

www.avecto.com
