Tuesday, February 21, 2006

Not running as an administrator

I was IMing back and forth with a friend who is still in school. He was looking for a topic for an infosec-related class, so I pointed him toward LUA--Least-privileged User Account. He liked it, so today we were chatting again about the topic and how to quantify it. Below is my side of the conversation, where he first asked if we had graphs or similar regarding the compromises resulting from administrators not enforcing LUA in their department.

- We can't quantify it that well because the attacks are user-initiated, not network-initiated like the ones an IDS would normally pick up.

- There are vulnerabilities that exist in Web browsers, e-mail clients, RSS readers and IM clients that can be exploited simply by the user opening a link, reading an e-mail or accepting an IM. If the user does not have administrator privileges, the damage caused when those vulnerabilities are exploited is greatly contained to just their user account. It is much easier to recreate a user account than to rebuild a system.

- Services are a completely separate issue. A user logged in usually does not interact directly with services running on their computer. The services start up automatically as SYSTEM or some other user and work independently of the user. Today's attacks are targeting client applications more and more. If you go back through the Microsoft vulnerabilities, you will see patches for things that exploit the system because of something the user does, like opening a bad WMF file. There have not been many remote service exploits on Windows lately.

- For example, "To continue browsing this website, you must install this software. By doing so, you agree to....blah, blah, blah." Hmm. I don't need to read that crap. I just need to click yes so I can keep browsing.

Here is a great blog post that compares how adware/spyware affected a system when the user was an administrator and then when the user was a LUA. I did this same testing when I was at IFAS with the same results. It isn't rocket science people. Get a clue!!
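If you want to see the difference for yourself without infecting a box with adware, the following PowerShell script (an added example, not the author's test script or anything from the linked post) does two things: it answers the "how do we quantify it" question by listing who is in the local Administrators group on a machine, and it probes, non-destructively, the places a hijacked browser or IM client could write to from the current account, the machine-wide persistence spots (System32, Program Files, the HKLM Run key) next to the user-only ones (the profile and the HKCU Run key). Run it once as a normal user and once as an administrator and compare the "Writable" column. The group name "Administrators" and the probe paths are assumptions for an English-language Windows install; every probe file or value it creates is deleted immediately.

```powershell
# Added example (not from the original post): compare what a compromised client
# application could write to when run from a LUA account versus an administrator.

function Test-IsAdmin {
    # True when the current token carries the Administrators group.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # 'net localgroup' exists on every Windows version; strip its banner/footer
    # lines so only the member names remain (group name is an assumption).
    $lines = net localgroup Administrators 2>$null
    return $lines | Where-Object {
        $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)'
    }
}

function Test-WriteAccess {
    param([string]$Path)
    # Create and immediately remove a probe file; never leaves anything behind.
    $probe = Join-Path $Path ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryWriteAccess {
    param([string]$KeyPath)
    # Same idea for a registry key: add a throwaway value, then delete it.
    $name = "lua-probe-{0}" -f [guid]::NewGuid()
    try {
        New-ItemProperty -Path $KeyPath -Name $name -Value 'probe' `
            -PropertyType String -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# Machine-wide persistence locations versus user-only ones (paths are assumptions).
$targets = @(
    @{ Scope = 'machine'; Kind = 'file'; Path = "$env:windir\System32" },
    @{ Scope = 'machine'; Kind = 'file'; Path = $env:ProgramFiles },
    @{ Scope = 'machine'; Kind = 'reg';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'user';    Kind = 'file'; Path = $env:APPDATA },
    @{ Scope = 'user';    Kind = 'reg';  Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
)

"Running as $env:USERDOMAIN\$env:USERNAME (admin token: $(Test-IsAdmin))"
"Local Administrators members:"
Get-LocalAdminMembers | ForEach-Object { "  $_" }

$targets | ForEach-Object {
    $writable = if ($_.Kind -eq 'reg') { Test-RegistryWriteAccess $_.Path } else { Test-WriteAccess $_.Path }
    [pscustomobject][ordered]@{ Scope = $_.Scope; Target = $_.Path; Writable = $writable }
} | Format-Table -AutoSize
```

A LUA account should come back with only the two "user" rows writable: anything an exploited client app drops stays inside the profile and can be wiped by recreating the account, which is the whole point of the post. An administrator sees every row writable, so the same drive-by install lands in System32 or the HKLM Run key and the machine has to be rebuilt. On Vista and later, an administrator's non-elevated console shows the LUA-like result because of UAC; use an elevated prompt to see the full-access case. Running Get-LocalAdminMembers across a department's machines (for example through a logon script that writes the output to a share) is a simple way to count how many users are still local admins, which is the quantification the friend was asking about.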
