Least Privilege and the risks of admin rights explained
At REMC1 we recommend that our clients follow a policy of "Least Privilege" (not logging in with admin rights) when granting rights to users. The principle is simple, and the impact of applying it correctly greatly increases your security and reduces your risk. The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more. Doing so provides protection against malicious code that will often run automatically, without user intervention, when a website is visited. It also prevents malicious programs masquerading as legitimate software from accidentally being installed, amongst many other attacks.
To explain further: Operating under a normal user account without admin credentials blocks 94% of Microsoft vulnerabilities. Malware and exploit lures are so convincing that even tech-savvy users can click on them. Antivirus is important, but many recent studies find it effective in stopping only 30% of infections because of the ever-changing malware variants. Caution is always appropriate, but there is almost no way to avoid infection entirely, especially when websites can be infected and load malware onto your PC without any user interaction at all. The organizations that REMC1 supports which adhere to the industry-standard best practice known as "least privileged access" have nearly eliminated their infection rate. Infections spread through network shares to all PCs as well as destroying the infected PC, so this is an important item to consider. When you factor in ransomware, the risk is losing all of an organization's data, requiring a complete restore of multiple network servers. That means the loss of all work performed by the whole organization since the last backup. Restoring all data and fixing network services would likely take multiple days, causing further disruption.
REMC1 Staff will do all we can to minimize impact
REMC1 will do all we can to help minimize the impact on member organizations that choose to adhere to the best-practice least privilege model. Here are some items to keep in mind: Most applications and services are now online and in the cloud, requiring no applications to be installed locally (Webmail, Google Docs, Student Information Systems such as PowerSchool and Skyward). Most other applications used are installed by default when the machines are deployed (Microsoft Office, printers, tools used in computer labs). REMC1 can push out almost any application from our computer and software management system (KACE) or, if needed, remote into any PC and install software (rare).
Citations: Antivirus isn't enough: https://www.tripwire.com/state-of-security/latest-security-news/70-of-malware-infections-go-undetected-by-antivirus-software-study-says/
94% of Microsoft vulnerabilities are blocked by turning off admin rights: https://www.computerworld.com/article/3173246/security/94-of-microsoft-vulnerabilities-can-be-easily-mitigated.html
Least Privilege (not using admin permissions) explained in detail: https://www.beyondtrust.com/blog/what-is-least-privilege/
Abandoned. Seems too technical and doesn't spell out and underline the risks clearly enough. Members need to know "How this affects them" in every way so they feel it is important.
A Guide for Best Practices
At REMC1 we recommend that our clients follow a policy of "Least Privilege" when granting rights to users. The principle is simple, and the impact of applying it correctly greatly increases your security and reduces your risk. The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more. Doing so provides protection against malicious code, amongst other attacks. This principle applies to computers and the users of those computers.
The following excerpt is from the Microsoft Windows Security Resource Kit, first published in 2005:
"Always think of security in terms of granting the least amount of privileges required to carry out the task. If an application that has too many privileges should be compromised, the attacker might be able to expand the attack beyond what it would if the application had been under the least amount of privileges possible. For example, examine the consequences of a network administrator unwittingly opening an email attachment that launches a virus. If the administrator is logged on using the domain Administrator account, the virus will have Administrator privileges on all computers in the domain and thus unrestricted access to nearly all data on the network. If the administrator is logged on using a local Administrator account, the virus will have Administrator privileges on the local computer and thus would be able to access any data on the computer and install malicious software such as keystroke logging software on the computer. If the administrator is logged on using a normal user account, the virus will have access only to the administrator's data and will not be able to install malicious software. By using the least privileges necessary to read email, in this example, the potential scope of the compromise is greatly reduced."
REMC1 advises that all of our clients consider carefully whether users require administrative rights on their workstations, and if they do, a better approach may be to create a separate local account on the computer that is a member of the Administrators group. When users require elevation, they can present the credentials of that local account for elevation, but because the account is local, it cannot be used to compromise other computers or access domain resources. As with any local accounts, however, the credentials for the local privileged account should be unique; if you create a local account with the same credentials on multiple workstations, you expose the computers to pass-the-hash attacks.
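As an added example (not part of the REMC1 guide), a PowerShell audit that shows two things the advice above depends on: whether the current session is running with administrative rights, and who sits in the local Administrators group, flagging domain user accounts since the guide recommends elevating with a dedicated local account instead. It assumes Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts module is available.

```powershell
# Added example, not part of the REMC1 guide. Assumes Windows 10 / Server 2016
# or later (Microsoft.PowerShell.LocalAccounts module present).

# 1. Is this session running with administrative privileges?
#    A day-to-day user session should return $false.
function Test-SessionIsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Who is in the local Administrators group, and where does each account
#    come from? A domain *user* in this group means someone is doing daily
#    work with admin rights; a group entry (e.g. Domain Admins) is normal on
#    a domain-joined PC but its membership should still be reviewed.
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $isDomain = ($_.PrincipalSource -eq 'ActiveDirectory')
        $finding  = if ($_.ObjectClass -eq 'Group') {
                        'Group entry; review its members'
                    } elseif ($isDomain) {
                        'Domain user holds local admin rights; review'
                    } else {
                        'OK (local account, suitable for elevation)'
                    }
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Finding         = $finding
        }
    }
}

"Current session elevated: $(Test-SessionIsAdmin)"
Get-LocalAdminReport | Format-Table -AutoSize
```

Run it from an ordinary user session to confirm the first line reports False; any domain user flagged in the table is a candidate for the separate local elevation account described above.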