Investing in securing data at rest on servers and in over-the-wire encryption is vital, but unless the devices used to access that data are also effectively secured, all other efforts might be in vain.
Many organizations consider their most important IT assets to be the servers that process the data that the business couldn’t operate without, employing sophisticated defenses to provide protection, including products such as LepideAuditor Suite. But ignoring basic best practices for end-user devices can leave servers and data at risk. The most important protections beyond antivirus and endpoint firewalls include:
- Least privilege accounts, where administrative rights are removed in favor of standard user accounts
- Application whitelisting
- Restricting the use of domain administrator accounts
Least Privileged User Accounts
Removing administrator rights from users can be difficult to achieve, but User Account Control (UAC) in Windows Vista (and later) makes it more realistic to run with standard user privileges, with each new version of Windows edging us a little further towards the standard user utopia.
Malicious processes run in the context of the logged-in account, so if users have full administrative access, protections can be disabled. This leaves devices wide open to compromise, and any data handled by the device is exposed, because Group Policy, application control, antivirus and other defenses can be turned off or silently circumvented.
If your organization deploys a standard PC image, users with administrative privileges can modify the system configuration from the get-go, making it difficult to implement change control and increasing the total cost of ownership because of the reduced reliability and security caused by unwanted change or malicious activity.
Microsoft’s Application Compatibility Toolkit (ACT), which is part of the Windows Assessment and Deployment Kit (ADK), enables administrators to resolve issues with legacy applications that might not be compatible with standard user accounts or UAC. There are also third-party privilege management solutions that elevate processes transparently to end-users according to policy set by IT.
Blocking untrusted applications is also key to securing data. Portable applications run without any special system access, so it’s not enough simply to remove administrative privileges. Application control can be configured to prevent other types of unsolicited executables from running, such as scripts and batch files, and malicious processes that might slip past antivirus.
As more organizations achieve least privilege on end user devices, hackers have adapted their techniques to ensure that malware can install without requiring administrative rights, which in the past had been a requirement.
Domain Administrator Accounts
The majority of everyday server administration tasks don’t require domain administrator privileges, and under no circumstances should domain administrator accounts be used to manage end-user devices. If a device is compromised where a domain administrator account has been used, you must consider your entire domain to also be compromised.
As devices that are used interactively for everyday computing tasks are more susceptible to malware, which can often be difficult to detect, it is best not to use domain administrator accounts to manage them. Once domain admin credentials are cached on a device, it’s possible that a compromised PC could expose usernames and passwords, allowing an attacker to quickly gain access to the entire network.
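The two checks below audit a single endpoint for the conditions described in the least-privilege and domain-administrator sections above: unexpected members of the local Administrators group, and interactive logons by Domain Admins members that would have left reusable credentials on the device. This is an added example, not code from the original article or from Lepide; it assumes PowerShell 5.1 or later on a domain-joined Windows client with the ActiveDirectory RSAT module installed, local administrator rights to read the Security log, and the placeholder approved-admin names shown in the `param` block.

```powershell
# Added example (not part of the original article): audit one endpoint for
# (1) unapproved local administrators and (2) interactive Domain Admins logons.
#Requires -RunAsAdministrator
param(
    # Accounts permitted in the local Administrators group (assumed placeholder names).
    [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation-Admins'),
    [int]$Days = 30
)

# 1. Least privilege: flag any member of local Administrators not on the approved list.
$localAdmins = Get-LocalGroupMember -Group 'Administrators'
$unexpected  = $localAdmins | Where-Object { $ApprovedAdmins -notcontains $_.Name }
foreach ($m in $unexpected) {
    Write-Warning "Unapproved member of local Administrators: $($m.Name) ($($m.ObjectClass))"
}

# 2. Domain admin hygiene: look for Domain Admins logons of a type that caches credentials.
#    Interactive (2), RemoteInteractive (10) and CachedInteractive (11) logons leave
#    reusable credential material on the device; a Network (3) logon does not.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Event 4624 carries its fields in EventData; pull them out of the XML by name.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = [int]$d['LogonType']
    }
} | Where-Object { $_.LogonType -in 2,10,11 -and $domainAdmins -contains $_.User }

if ($hits) {
    $hits | Sort-Object Time | Format-Table Time, Domain, User, LogonType -AutoSize
    Write-Warning "Domain Admins credentials have been used interactively on this device; treat the domain as at risk."
} else {
    Write-Output "No interactive Domain Admins logons found in the last $Days days."
}
```

Run it per endpoint (for example through a remoting session) and feed the warnings into whatever ticketing or SIEM pipeline tracks privileged-access exceptions; the Security log only reaches back as far as its retention setting allows, so a clean result over a short window is not proof that no such logon ever occurred.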