Regulatory Compliance and Least Privilege Security

Transcription

1 Regulatory Compliance and Least Privilege Security Page 1 of 11

2 Contents Regulatory Compliance and Least Privilege Security 3 Whitepaper 4 About the author 4 Introduction 4 Risks associated with administrative access 6 Least privilege security 7 Privilege Guard Overview 7 Privilege Guard Benefits 8 Mapping regulatory compliance requirements 8 to least privilege security Payment Card Industry Data Security Standard 8 (PCI DSS) v 1.2 Government Connect (United Kingdom) 8 Implementing Least Privileged Security for 8 regulatory compliance Application Control 8 Avecto Privilege Guard 8 Conclusion 8 About Avecto 9 Page 2 of 11

3 This whitepaper discusses the concept of least privilege security for personal computers, why it s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Regulatory Compliance and Least Privilege Security Whitepaper As the requirement to comply with industry and government regulations, such as PCI DSS and Government Connect (or FDDC in the States), becomes more established; securing data as it passes through personal computer systems is crucial to satisfy auditors, and ensure that security breaches don t result in expensive data loss. Russell Smith It s common practice for employees to log in to Windows PCs with administrative privileges to carry out everyday tasks, dramatically increasing the risk that malware, such as viruses and key loggers that steal passwords and sensitive information, can install without the user s knowledge. While it s often considered that antivirus software and firewalls provide enough protection to block malware on PCs, these solutions are regularly thwarted and are only effective if part of a defense-in-depth security strategy. This whitepaper discusses the concept of least privilege security for personal computers, why it s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Author Russell Smith Dip HE, MCSE, MCP About the author Russell Smith is author of Least Privilege Security for Windows 7, Vista and XP published by PACKT, Contributing Editor for Microsoft Best Practices at CDW s Biztech Magazine and a regular contributor to leading industry journal Windows IT Professional. Russell holds a Dip HE from the University of London and is a Microsoft Certified Systems Engineer (MCSE). With over 10 years experience securing and managing Windows Server systems for Fortune Global 500 companies and SMEs, Russell is also an experienced trainer. You can contact Russell at rms@russell-smith.net. Page 3 of 11

4 Introduction When an employee logs in to a PC with administrative privileges, they can change system-wide settings that affect all users of the device and block management software, antivirus and policy settings. Russell Smith FDDC, PCI DSS, Government Connect, SOX and HIPAA are primarily intended to protect sensitive information from unauthorized access, uphold data integrity and prevent data leakage. A lot of attention is focused on securing assets in the data center; ensuring employees only have access to necessary files and server resources. In scenarios where terminal applications are deployed and data is never transferred from server to client, the risk of sensitive information being compromised is reduced. Many server applications require the transfer of data to client operating systems, whether installed on physical devices or as part of a Virtual Desktop Infrastructure (VDI). This enables offline access in the case of notebook computers or improves performance by utilizing the processing power of the client device. To comply with data protection mandates, it s essential to ensure that sensitive information stored on client devices cannot be compromised or accessed by unauthorized users. Risks associated with administrative access Organizations shouldn t rely on users to make decisions about PC security that can affect sensitive data and weaken the resilience of a network. Most users are neither qualified to make calls on PC security nor concerned about the wider implications a bad security choice may have on the company. PCs are an important part of information systems, and security decisions should be made by system administrators or dedicated security teams. When an employee logs in to a PC with administrative privileges, they can change system-wide settings that affect all users of the device and block management software, antivirus and policy settings configured by the IT department designed to protect the machine. Employees with administrative privileges can access the local data of other users of the PC, unless it is encrypted. The risk of critical Windows vulnerabilities being exploited is significantly increased if users log in with administrative accounts, removing an important layer of defense while updates are being tested for deployment. Programs that run on users desktops, started intentionally or not, do so with the same privileges as the logged in user. If the account has administrative privileges, malware has full access to data stored on the PC and the ability to modify the operating system for the purposes of disrupting normal operation (denial of service), attack other PCs and servers on the network or Page 4 of 11

5 steal information. Malware can run automatically without a user s knowledge, via Internet browser or other application exploits, and is often downloaded or started accidentally from removable media, such as CDs or USB drives. One infected PC can be enough to disrupt service for all devices connected to a network, and at worst, compromise servers and other PCs. Corporate Network Server Office worker 1 Malware evades antivirus and exploits user s privileges to infect PC. Corporate Firewall Internet Sensitive Documents Application Data Home 2 Sensitive server data is transferred to an internet bot without the user s knowledge. Antivirus Software Internet bot captures data as malware calls home. Home worker Network Traffic Passwords 1 2 Malware evades antivirus and exploits user s privileges to infect notebook. Data caches from the company server is transferred to an internet bot without the user s knowledge. Least privilege security Least privilege security is the act of granting users only the rights necessary to carry out their job. Least privileged user accounts, sometimes abbreviated to LUA or standard user account, help to mitigate the risks associated with administrative accounts, which are intended for use in scenarios where changes to critical system configuration need to be made. The use of LUAs not only decreases the risk of data loss and unauthorized access, but improves productivity and reduces costs through better manageability. While the Principle of Least Privilege Security has always been implemented in Unix-based operating systems, and to a certain extent on Windows Servers, early versions of Windows for home PCs didn t include any concept of security, and the absence of a built-in SU command (Switch User) in Windows NT, which allows users to conveniently change from one user account to another, meant that programmers adopted bad practice and developed applications that required administrative privileges to run. Page 5 of 11

6 More recent versions of Windows (Vista and Windows 7), include a set of technologies under the umbrella of User Account Control (UAC), and are designed to encourage the adoption of applications that work without the need for administrative privileges. The first user account created in Vista and Windows 7 is a Protected Administrator (PA). PAs run with standard user privileges unless consent is explicitly given by the user to grant a process administrative access to the system. The default UAC setting in Windows 7 allows certain built-in processes to silently elevate to administrative privileges without requiring consent. This functionality was added to appease complaints that UAC prompts appeared too frequently in Windows Vista. Protected Administrator accounts provide home users and small businesses with many of the benefits of true standard user accounts that in the past were only found in organizations with managed IT infrastructures. UAC is a user-driven technology and doesn t provide organizations with any means of dynamically assigning privileges to standard users without giving employees access to an administrator account. Mapping regulatory compliance requirements to least privilege security The most commonly implemented regulations can be divided into two categories: those that explicitly demand the use of least privilege security on PCs (PCI DSS, FDCC and Government Connect) and those that suggest it (SOX and HIPAA). In the latter case, auditors interpret the regulations as to require least privilege. Payment Card Industry Data Security Standard (PCI DSS) v 1.2 The current version of PCI DSS, for businesses that process or store credit card data, contains a directive in Requirement 7: Restrict access to cardholder data by business need to know that specifically requires the use of least privilege user accounts: Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities Assignment of privileges to individuals based on job classification and function. Federal Desktop Core Configuration (FDCC) Page 6 of 11

7 The US government s FDCC mandate states that federal employees must log in to PCs with standard user privileges. Government Connect (United Kingdom) The US government s FDCC mandate states that federal employees must log in to PCs with standard user privileges. Russell Smith Government Connect is a scheme that provides local authorities in the UK with secure and accredited connections to central government and other local authority networks via the Government Connect Secure Extranet (GCSX). The GCSX Connect Code of Connection (CoCo) is a list of security controls and is a mandatory requirement for connection to GCSX. CoCo is reassessed annually. 4.2 Configuration: The execution of unauthorized software is prevented. 4.3 Configuration: Organizations have in place a configuration control process which prevents unauthorized changes to the standard build of network devices and hosts (this includes both clients and servers) Protective Monitoring: Audit logs recording user activities, exceptions and information security events are available to be produced to assist in investigations and access control monitoring Web Enabled Applications: The web browser and other web-enabled applications, such as media players do not run in the context of a privileged user. Controls 4.2, 4.3 and 18.1 are impossible to enforce if users log in with administrative privileges. Additionally, if control 13.2 is fulfilled using the Windows Event Log, users with administrative rights could delete audit logs, wiping out evidence that might be used in investigations and monitoring. Sarbanes Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA) Due to the high-level nature of the SOX and HIPAA directives, COBIT (Control Objectives for Information and Related Technology) is generally used as the standard by which the technical aspects of the regulations are audited. DS 5.3 Identity Management - Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. DS 5.4 User Account Management - Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges. Page 7 of 11

8 DS 5.7 Protection of Security Technology - Make security-related technology resistant to tampering. DS 5.9 Malicious Software Prevention, Detection and Correction - Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam). Least privilege security can be used to achieve compliance of these four Deliver and Support (DS) controls. DS 5.3 talks about business needs, which rarely require users to have administrative access to PCs. DS 5.7 covers security-related technology, which includes antivirus software and event logs on PCs that can be tampered with if users have administrative privileges. Lastly, least privilege is an effective preventative measure that protects against malware. Implementing Least Privileged Security for regulatory compliance UAC in Vista and Windows 7 includes many improvements that make it easier to work without administrative privileges and helps overcome many of the problems faced when removing administrative privileges. Microsoft also has a free tool called the Application Compatibility Toolkit (ACT) that can be used to deploy fixes for applications not compatible with LUA. Though removing administrative privileges from users accounts is simple from a technical perspective, it can result in a series of problems: Applications that no longer start or don t function correctly. Users no longer able to install approved programs without intervention from the helpdesk. Users may not be able to install ActiveX controls or other internet browser plugins. Common configuration tasks, such as changing the time zone, may be blocked. Patches and updates must be provisioned using a software distribution system such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM). Devices that don t have drivers available on Windows Update or are not pre-staged by system administrators cannot be installed by standard users. Helpdesk staff may need additional training to support PCs where users log in with standard user accounts. Despite the enhancements brought by UAC, Windows XP is still widely deployed and was not designed with least privilege security in mind. UAC doesn t provide the flexibility and Page 8 of 11

9 agility required by many organizations to quickly respond to changing demands or afford practical working environments for anything more than basic scenarios. Application control Beyond removing administrative privileges from users, application whitelists determine which programs users are permitted to run. Applications not included on a whitelist are blocked. This greatly reduces the risk of malware or unauthorized programs running in the context of the user s account. The ability to whitelist approved applications is important, as traditional antivirus solutions prove less effective and malware evolves to target users without administrative privileges. Windows XP Professional and Vista (Business, Enterprise and Ultimate editions only) include Software Restriction Policies (SRP) that can block or allow programs identified by criteria such as file path or digital certificate. Windows 7 Professional (logging only), Enterprise and Ultimate editions have AppLocker, the replacement for SRP, and gives system administrators more control in the hope that the technology will see better uptake. Avecto Privilege Guard Privilege Guard enables standard users to run applications or processes with additional privileges as determined by a system administrator. Unlike UAC, onscreen prompts can be suppressed or customized, and a secondary account is not required. A client-side component, implemented as a user-mode service, and server-based Group Policy settings are used to assign processes extra privileges on-the-fly based on multiple criteria. System administrators can remove administrative rights from user accounts with confidence in the knowledge that should additional privileges be required, Privilege Guard provides the functionality to quickly and easily elevate privileges for specific processes by modifying the security token for the given process only. System administrators can control privileges assigned to the following objects: Executables Control Panel Applets Management Console (MMC) snap-ins Windows Installer Packages (.msi files) Windows Scripting Host (WSH), PowerShell scripts and batch (.bat) files Registry Editor (.reg) files ActiveX controls (matched by URL or CLSID) Page 9 of 11

10 Privilege Guard also provides system administrators with Application Templates that allow Windows functions to be quickly located and granted additional privileges as required. For example, you can give notebook users additional flexibility by allowing them to configure Clear Type using the built-in tuner or manage settings for offline files. With the help of Privilege Guard, system administrators can avoid many of the common issues involved when implementing least privilege security, ensuring that: Line-of-business applications continue to work correctly. Users can change configuration required for everyday tasks. ActiveX controls and approved software can be installed without helpdesk intervention Device Manager can be run to install device drivers. Notebook users can modify the time zone in Windows XP. System administrators can customize messages users see when a Privilege Guard policy is activated, optionally requiring the user to specify a reason for launching the process and/ or provide their password. Privilege Guard policy use is also recorded in the Windows Event Log as standard. Privilege Guard provides enterprises with a uniform system for application control across PCs running Windows XP and later, allowing administrators to define program whitelists from a central location. Conclusion Least privilege security is a critical component in any regulatory compliance project. Microsoft s efforts to reduce the reliance on administrative privileges and improve application compatibility with standard user accounts with User Account Control has been successful, put pain points still persist for organizations looking to remain flexible but remove administrative privileges from users. Restricting users privileges is an effective means of protecting PCs against malware, unwanted changes to standard system images and curbing software piracy. Efficiency gains and a reduction in helpdesk calls also help reduce IT costs and make organizations more competitive. Additional technologies compliment Microsoft s free tools to provide users with secure but flexible systems and help organizations achieve compliance without limiting productivity or the ability to respond quickly to changing business needs. Page 10 of 11

11 About Avecto Avecto is a pioneer in least privilege management, helping organizations to deploy secure and compliant desktops and servers. With its innovative Privilege Guard technology, organizations can now empower all Windows based desktop and server users with the privileges they require to perform their roles, without compromising the integrity and security of their systems. Customers of all sizes rely on Avecto to reduce operating expenses and strengthen security across their Windows based environments. Our mission is to enable our customers to lower operating costs and improve system security by implementing least privilege. Avecto is building a worldwide channel of partners and system integrators and is headquartered in Manchester, UK. For more information, visit Hobart House, 3 Oakwater Avenue, Cheadle Royal Business Park, Cheadle SK8 3SR United Kingdom T +44 (0) E Page 11 of 11