There are many things you simply would never do in the real world, such as giving every person in your street a key to your property. If you did, you would be expected to live with the consequences. Yet in the virtual world, organizations are all too often happy to hand over bunches of keys that open every sensitive file and expose the soft underbelly of the network. Why do they do that?
Windows desktops with full admin rights, the technical equivalent of a skeleton key, are a gift to malware writers. For starters, malicious software is more effective when its payload runs with administrator rights because it does not need to find a security flaw to gain privileged access to the system. Add to this the human element, with users all too often unwittingly or even irresponsibly downloading applications that contain malware, and you've got significant problems in the corporate network.
Once malware finds its way onto a PC, full admin rights can open the door to data theft or even allow deeper penetration into the infrastructure, causing network outages.
A Virtual Solution to a Physical Problem?
Having recognized the risks introduced by these privileged accounts, many organizations are trying a virtual solution. However, all too often the actual risk is simply transferred. Here's a list of the common pitfalls:
Physical Desktop with a Virtual Machine
Often considered the perfect option for users who require elevated rights, such as developers and programmers. Users are given a physical desktop with a standard user account for 'riskier' activities such as email and internet access, together with a virtual machine on which they have admin rights. The theory behind this option is that if the virtual machine is 'broken' by configuration changes and the like, it can easily be reverted to a known good snapshot.
However, all too often the virtual machine has no anti-virus protection, is not included in regular patching and updates, and is connected to the network. Because its operating system is unmanaged, it remains vulnerable to the same malware, so it does not reduce the attack surface of the endpoint. It actually increases it!
Virtual Applications
In this option, organizations virtualize applications and then stream them down to the endpoint. While in some cases this does solve the problem, all too often companies fail to comprehend the complete picture. For example, if the application needs admin access to certain APIs on the endpoint, or needs to make configuration changes to protected areas of the operating system, then it will still need admin rights even when it runs in its virtual bubble. Additionally, while organizations virtualize their line-of-business applications, mobile workers may still need admin rights to connect to printers, etc.
Virtual Desktops
In this example, the Windows desktop, applications and data are all moved to a cloud-based service (generally on private cloud infrastructure) that is accessible from any device, be it a PC, laptop, smartphone or tablet. The user is then free to choose which device to use, when and from where, and can mix it up as their work style requires. However, contrary to popular belief, from a security standpoint this virtual machine is no different from a physical desktop, so admin rights pose all the same problems as they do in the physical world.
While it is true that virtualization may provide flexibility and, in some circumstances, reduce total cost of ownership, from a security perspective the attack surface can be massively increased. Organizations should continue to apply the principle of least privilege, even in a virtual environment:
- Users should still run with standard rights while individual applications are elevated based on policy settings
- Consider forcing a user to re-authenticate, perhaps providing a reason, before being allowed to run privileged applications
- Monitor the behaviour of applications and identify those that require elevated privileges and those operations that would fail to complete under a standard user account
- Applications should only be granted the privileges actually required to run correctly
- Audit all elevations, capturing details of how the application was invoked and, where applicable, the policy that was applied
- In addition to controlling application privileges, it is also advisable to control which applications are allowed to run at all, so that unauthorised applications are blocked
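The list above describes the controls a policy-based elevation broker enforces on a standard-user desktop, physical or virtual. The following is an added example written for this article, not a vendor product or anything from the original page: a minimal model of such a broker in which the user runs with standard rights, individual applications are elevated only when a rule says so, elevation can demand re-authentication and a stated reason, every decision is audited with the invoking parent process and the rule applied, and anything not covered by a rule is blocked. The rule format, the audit fields, the paths and the sample requests and operation log are all constructed assumptions.

```python
"""Model of a policy-driven application elevation broker (illustrative code,
written for this article; the rule format and sample data are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    path_glob: str        # which executables the rule covers (case-insensitive glob)
    action: str           # "elevate", "standard" or "block"
    require_reauth: bool = False
    require_reason: bool = False


@dataclass
class Request:
    user: str
    exe_path: str
    parent: str           # how the application was invoked, e.g. explorer.exe
    reauthenticated: bool = False
    reason: str = ""


@dataclass
class Decision:
    action: str           # "elevate", "standard", "block" or "deny"
    rule: Optional[str]   # name of the policy rule that was applied, if any
    detail: str


# Constructed policy: specific rules first, then a default-deny catch-all so that
# unauthorised applications cannot run at all.
RULES = [
    Rule("LoB app elevated after re-authentication with a reason",
         r"c:\program files\contoso\lobapp.exe", "elevate",
         require_reauth=True, require_reason=True),
    Rule("Printer configuration tool elevated silently",
         r"c:\windows\system32\printui.exe", "elevate"),
    Rule("Installed applications run with standard rights", r"c:\program files\*", "standard"),
    Rule("Windows components run with standard rights", r"c:\windows\*", "standard"),
    Rule("Everything else is unauthorised", "*", "block"),
]

AUDIT_LOG: list[dict] = []


def audit(request: Request, decision: Decision) -> None:
    """Record every elevation decision, including how the app was invoked and which policy applied."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": request.user,
        "exe": request.exe_path,
        "parent": request.parent,
        "action": decision.action,
        "rule": decision.rule,
        "reason": request.reason,
    })


def evaluate(request: Request, rules: list[Rule] = RULES) -> Decision:
    """First matching rule wins. Elevation is refused (not granted) when the rule's
    re-authentication or reason requirement is not met; the user keeps standard rights."""
    for rule in rules:
        if not fnmatchcase(request.exe_path.lower(), rule.path_glob.lower()):
            continue
        if rule.action == "elevate":
            if rule.require_reauth and not request.reauthenticated:
                decision = Decision("deny", rule.name, "re-authentication required before elevation")
            elif rule.require_reason and not request.reason.strip():
                decision = Decision("deny", rule.name, "a reason must be supplied before elevation")
            else:
                decision = Decision("elevate", rule.name, "elevated by policy")
        else:
            decision = Decision(rule.action, rule.name, f"{rule.action} by policy")
        break
    else:
        decision = Decision("block", None, "no matching rule; application blocked")
    audit(request, decision)
    return decision


def elevation_candidates(operation_log: list[dict]) -> dict[str, set[str]]:
    """Group operations that failed under a standard account by executable, so the
    applications that genuinely need a privilege rule can be identified."""
    candidates: dict[str, set[str]] = {}
    for rec in operation_log:
        if rec["result"] == "ACCESS_DENIED":
            candidates.setdefault(rec["exe"], set()).add(rec["operation"])
    return candidates


# Constructed sample of operations observed while users ran with standard rights.
SAMPLE_OPERATION_LOG = [
    {"exe": r"C:\Program Files\Contoso\LobApp.exe", "operation": "write HKLM\\SOFTWARE\\Contoso", "result": "ACCESS_DENIED"},
    {"exe": r"C:\Program Files\Contoso\LobApp.exe", "operation": "read HKCU\\SOFTWARE\\Contoso", "result": "SUCCESS"},
    {"exe": r"C:\Program Files\Vendor\Viewer.exe", "operation": "read C:\\Users\\alice\\Documents", "result": "SUCCESS"},
]

if __name__ == "__main__":
    print(evaluate(Request("alice", r"C:\Program Files\Contoso\LobApp.exe", "explorer.exe")))
    print(evaluate(Request("alice", r"C:\Program Files\Contoso\LobApp.exe", "explorer.exe",
                           reauthenticated=True, reason="month-end reporting")))
    print(evaluate(Request("alice", r"C:\Users\alice\Downloads\setup.exe", "outlook.exe")))
    print(elevation_candidates(SAMPLE_OPERATION_LOG))
```

Two design points are worth noting. The catch-all rule makes the policy default-deny, so an executable launched from a user-writable location (such as the Downloads folder in the sample) is blocked rather than merely run unprivileged; and an unmet re-authentication or reason requirement results in a refused elevation that is still audited, so the log shows who tried to elevate what, from which parent process, even when nothing was granted.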
If you wouldn't do it in the physical world, then why would you do it virtually?