Defang WannaCry and other threats by layering least privilege into your endpoint security strategy

 After a decade of working in the regulated banking and finance industry, I now spend my days helping Quest customers improve their layered defense strategies. Unfortunately, eight out of ten of the customers I talk with heavily favor patching over other important layers of security. Patching is just one piece in an overall strategy for defending your network and endpoints.

Another critical piece of a robust defense is to ensure that users have only the privileges and permissions they need to do their jobs, that is, to implement a least-privilege model. Consider the set of recommendations that the United States Computer Emergency Readiness Team (US-CERT) recently issued to help organizations prevent damage from the recent WannaCry ransomware attacks; although the first item on their ransomware protection list is to apply a Microsoft software patch, the list also features this advice:

Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.

— US-CERT: Alert TA17-132A, Indicators Associated with WannaCry Ransomware

By limiting each user’s access to resources in accordance with least privilege, you can limit the power of malware such as WannaCry to steal or damage your network assets. Quest Desktop Authority Management Suite, which includes Privilege Manager for Windows, can help you implement this best practice to better secure your endpoints against malware attack — without the drawbacks you might be concerned about. Let’s see how.

Limit privilege without hurting productivity

Administrators are rightfully concerned that removing privilege from users will prevent those users from getting their work done, which in turn will lead to a service desk crisis. And in fact, using the native User Account Control (UAC) the way Microsoft designed it is likely to create an outcry from users and management alike.

Privilege Manager for Windows, on the other hand, can audit processes on users’ machines and report on the programs, processes, ActiveX controls and user-run scripts that would break if administrative rights were simply removed. With that information, you can write policies that elevate only those executables, so users can be reduced to standard accounts without losing the ability to do their jobs. Removing local admin rights also limits what malware running in a compromised user’s context can do, which reduces an infected machine’s ability to spread to other machines on the network. Privilege Manager for Windows also enforces blacklisting of processes, so you can block the installation of malware, bloatware and other damaging or non-essential software in the first place.

If users need more privileges than they have been assigned, Privilege Manager for Windows provides two options. You can enable the Self Service policy, which notifies users that the program they are trying to run requires additional privileges, prompts them for a justification and submits the request for review, either by email or through your service desk queue. Alternatively, you can use the Instant Elevation policy, which also warns users that a program requires elevated privileges, but then lets them choose to run it without an approval workflow. Both methods are monitored, and scheduled reports showing all elevation activity are emailed to designated staff, providing an audit trail. Privilege Manager for Windows also lets you find every user or group in the local Administrators group of any domain-joined machine, and provides a simple privilege removal process once your policies are in place.
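The audit-then-remove step described above can also be done with the tooling built into Windows. The following is an added example, not code from Quest or from Privilege Manager for Windows: it collects local Administrators membership from a set of domain-joined machines over PowerShell Remoting, flags members that are not on an approved list, and stages their removal. The hostnames and the approved list are constructed samples, and it assumes WinRM is enabled on the targets and that the caller is a local admin on them.

```powershell
#Requires -Version 5.1
# Added example, not code from Quest or the Privilege Manager product: audit the
# local Administrators group across domain-joined machines, report members that
# are not on an approved list, and stage their removal.
# Assumed (not from the article): the computer names and approved list below are
# constructed samples, WinRM (PowerShell Remoting) is enabled on the targets, and
# the caller is a local admin on them.

$Computers = @('WS-FIN-01', 'WS-FIN-02')     # constructed sample hostnames
$Approved  = @(                              # principals allowed to keep admin rights
    'CORP\Domain Admins',
    'CORP\Desktop-Support'
)

# Collect membership on each target. Get-LocalGroupMember throws on orphaned SIDs
# (deleted domain accounts), so catch that and report it rather than losing the host.
$Report = Invoke-Command -ComputerName $Computers -ScriptBlock {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    } catch {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Name = "ERROR: $_";
                           ObjectClass = $null; PrincipalSource = $null }
    }
}

# The built-in local Administrator appears as <HOST>\Administrator on each machine;
# leave it here (disable or rotate it separately, e.g. with LAPS) and flag the rest.
$Unapproved = $Report | Where-Object {
    $_.Name -notlike 'ERROR:*' -and
    $_.Name -notin $Approved -and
    $_.Name -ne "$($_.Computer)\Administrator"
}

$Report     | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize
$Unapproved | Export-Csv -Path .\unapproved-local-admins.csv -NoTypeInformation

# Staged removal: -WhatIf only prints what would happen. Drop it after the CSV has
# been reviewed, then run the audit again to confirm the groups are clean.
foreach ($m in $Unapproved) {
    Invoke-Command -ComputerName $m.Computer -ArgumentList $m.Name -ScriptBlock {
        param($Member)
        Remove-LocalGroupMember -Group 'Administrators' -Member $Member -WhatIf
    }
}
```

Keep the CSV from the first run: it is the "what would break" list you need before removal, and the justification trail if a removed user later needs an elevation policy. Running the removal with -WhatIf first is deliberate; a membership change on the wrong machine is a service-desk ticket you do not want to generate.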

Further secure your environment

The broader Desktop Authority solution offers additional functionality that can help you secure your user workspace environment.

  • USB port security — Users can, accidentally or deliberately, introduce malware, Tor executables and other threats into your environment simply by inserting a USB drive. Desktop Authority offers flexible policies coupled with patented Validation Logic that let you control who can use USB memory devices. Implementing these policies, disabling autorun and following the least-privilege principle can greatly reduce security risks and prevent ransomware from being introduced to your network.
  • Local group management — Desktop Authority also provides policies to add and remove users from local groups on machines, as well as to change local account passwords on a schedule.
  • Granular control, even in virtualized environments — Desktop Authority works on embedded Windows operating systems, as well as virtualized user environments like Citrix, VMware and Remote Desktop Services. You can manage file permissions and user environment variables in very granular ways to build strong protection on these virtual machines.
  • Flexible browser security enforcement — Given that users are opting for Google Chrome and Firefox as their browsers of choice, control over security settings is of great importance. Desktop Authority gives you the flexible control you need.
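The USB and autorun controls in the first bullet map onto a handful of machine-wide policy registry values in Windows. The block below is an added example, not code from Quest or Desktop Authority: it reads the current (weak) state, applies the hardened values behind the "Turn off AutoPlay" and "Removable Disks: Deny execute/write access" policies, and verifies the result. It assumes you try it on a test machine first, and the device class GUID for "Removable Disks" should be checked against your RemovableStorage.admx before deploying widely.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from Quest or Desktop Authority: show the weak and the
# hardened registry state behind the Windows "Removable Storage Access" and
# "Turn off AutoPlay" policies, apply the hardened one, and verify it.
# Assumed (not from the article): you run this on a test machine first; the device
# class GUID below is the one Windows uses for "Removable Disks" in those policies
# and should be checked against RemovableStorage.admx before wide deployment.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\' +
                  '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" class

function Get-UsbLockdownState {
    # A missing value means "not configured", which is the weak default.
    $autorun = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $deny    = Get-ItemProperty -Path $RemovableDisks -ErrorAction SilentlyContinue

    $autorunText = if ($null -eq $autorun)           { 'not set' } else { '0x{0:X2}' -f $autorun }
    $execText    = if ($null -eq $deny.Deny_Execute) { 'not set' } else { $deny.Deny_Execute }
    $writeText   = if ($null -eq $deny.Deny_Write)   { 'not set' } else { $deny.Deny_Write }
    $hardened    = ($autorun -eq 0xFF) -and ($deny.Deny_Execute -eq 1) -and ($deny.Deny_Write -eq 1)

    [pscustomobject]@{
        NoDriveTypeAutoRun = $autorunText
        Deny_Execute       = $execText
        Deny_Write         = $writeText
        Hardened           = $hardened
    }
}

'Before:'; Get-UsbLockdownState | Format-List

# Weak state (typical default): NoDriveTypeAutoRun absent or permissive and no Deny_*
# values, so an inserted USB stick can autorun and programs on it can be launched.

# Hardened state: 0xFF disables AutoRun for every drive type; Deny_Execute stops
# programs being launched from removable disks; Deny_Write makes them read-only so
# data cannot leave on a stick. Set Deny_All = 1 instead if the rule is "no USB
# storage at all".
New-Item -Path $ExplorerPolicy -Force | Out-Null
Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
New-Item -Path $RemovableDisks -Force | Out-Null
Set-ItemProperty -Path $RemovableDisks -Name Deny_Execute -Value 1 -Type DWord
Set-ItemProperty -Path $RemovableDisks -Name Deny_Write   -Value 1 -Type DWord

'After:'; Get-UsbLockdownState | Format-List
# Deny_* values apply to devices inserted from now on; the AutoRun change applies
# to new logon sessions. On a domain member the next Group Policy refresh will
# overwrite these keys with whatever the GPO says, so the lasting setting belongs
# in the GPO (or in the Desktop Authority policy), not in a one-off script.
```

These values are per-machine (HKLM), which is the limitation the article's per-user policies address: Windows itself cannot say "this user may use USB storage on this machine, that one may not" without a policy engine that resolves the user at logon.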

With malware attacks becoming more sophisticated and frequent every day, we cybersecurity professionals need the best tools we can find. Fortunately, adding new layers of defense for our endpoints does not have to be painful or overly complicated. Desktop Authority and Privilege Manager for Windows are great examples of strong yet flexible solutions for defending against malware that preys on users with too much privilege on their machines. I encourage those of you looking to bolster this aspect of your security to contact our sales team and start a discussion about the protections our solutions offer.


About the Author
Jason Morano
Kace Sales Engineer covering the following products: Kace Systems Management Appliance, Kace Systems Deployment Appliance, Desktop Authority, and Privilege Manager.