<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Arellia</title>
	<atom:link href="http://www.arellia.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.arellia.com</link>
	<description>Privilege Management, Desktop Lockdown, Security Remediation</description>
	<lastBuildDate>Thu, 26 Apr 2012 17:26:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Conficker and Weak Passwords</title>
		<link>http://www.arellia.com/2012/04/26/conficker-and-weak-passwords/</link>
		<comments>http://www.arellia.com/2012/04/26/conficker-and-weak-passwords/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 17:25:22 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=949</guid>
		<description><![CDATA[Microsoft’s Security Intelligence Report Volume 12, released earlier this week, discusses the continuing challenges of the Conficker worm in enterprises. Conficker came about in late 2008 and continues to plague Windows systems despite patches for the originally exploited vulnerability being available for over 3 years. Conficker continues to spread via one of two methods: exploiting [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2011/06/stickynotepassword.jpg"><img class="alignnone size-full wp-image-516" title="Sticky Note Password" src="http://www.arellia.com/wp-content/uploads/2011/06/stickynotepassword.jpg" alt="" width="180" height="165" /></a></p>
<p><a href="http://www.microsoft.com/security/sir/default.aspx">Microsoft’s Security Intelligence Report</a> Volume 12, released earlier this week, discusses the continuing challenges of the Conficker worm in enterprises. Conficker came about in late 2008 and continues to plague Windows systems despite patches for the originally exploited vulnerability being available for over 3 years. Conficker continues to spread via one of two methods: exploiting weak passwords or exploiting unpatched systems. According to Microsoft’s Tim Rains, in an <a href="http://www.eweek.com/c/a/Security/Microsoft-Conficker-Worm-Continues-to-Plague-Enterprises-258258/">article by eWeek</a>, 92% of recent infections are due to the exploitation of weak passwords.</p>
<p>In terms of exploiting weak passwords, the Security Intelligence Report states: “This type of attack uses the credentials of the logged-in user to access local or network resources, or else attacks password-protected resources using a built-in list of common or weak passwords.” How is it that weak passwords are afflicting enterprises? Microsoft’s threat <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Conficker.C">encyclopedia entry on Conficker C</a> lists some of the passwords that Conficker tries, including 1234, password, and admin. While Tim Rains noted in a <a href="http://www.networkworld.com/news/2012/042512-microsoft-conficker-258665.html?hpg1=bn">Network World article</a> that some Conficker variants use key loggers, the passwords Conficker targets are your typical stupid passwords. Good thing you never use any of those!</p>
<p>But wait, doesn’t everyone use Active Directory with complex password requirements? For many organizations, the answer is probably yes, but having good GPO policies does not guarantee these settings are in place (read <a href="../2011/11/17/whatgpo-security/">What GPO Security?</a> for more insights). Weak password infections from Conficker are just as likely the result of an attack on local administrator accounts. Microsoft recommends in the Security Intelligence Report, “If local passwords are used for some resources in an organization, resource owners should be required or encouraged to use strong passwords for them as well.” Good recommendation, but how realistic is that? Ask yourself some questions:</p>
<ul>
<li>Is the password for your local account on your home PC (if you use one) complex?</li>
<li>When was the last time you changed your password?</li>
<li>Do you think users logging in with local administrator accounts in the enterprise are any different?</li>
<li>What about the local administrator account that IT uses?
<ul>
<li>Yeah, the one that was imaged 5 years ago and hasn’t been changed since?</li>
<li>Is it complex?</li>
</ul>
</li>
</ul>
<p>It is nice to think that everyone uses domain accounts, but that is not the case (again, read <a href="../2011/11/17/whatgpo-security/">What GPO Security?</a> for more insights). Most users want to be secure, but they want easy computing more. Why use a complex password that is easy to forget or mistype when you can create a local account and log in with a simple password? Most of us will choose the path of least resistance, and complex passwords are more painful than simple ones.</p>
<p>This Conficker research confirms the need for good password security for <span style="text-decoration: underline;">all</span> accounts including the ones we would like to pretend do not exist. With <a href="http://www.arellia.com/local-security-solution/">Arellia Local Security Solution</a>, you can find your local administrator accounts, eliminate unauthorized accounts, and secure the authorized accounts with complex passwords and cycling intervals.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/04/26/conficker-and-weak-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Weak Links</title>
		<link>http://www.arellia.com/2012/04/17/no-weak-links/</link>
		<comments>http://www.arellia.com/2012/04/17/no-weak-links/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 20:02:53 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=945</guid>
		<description><![CDATA[Here in Utah, where Arellia is headquartered, there has been a much publicized data breach of the Utah Department of Health where a server was compromised with 280,000 social security numbers taken and over 500,000 individuals having less sensitive data compromised. According to the press release, “In this particular incident, a configuration error occurred at [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2012/04/Broken-Link.png"><img class="alignnone size-full wp-image-946" title="Broken-Link" src="http://www.arellia.com/wp-content/uploads/2012/04/Broken-Link.png" alt="" width="400" height="300" /></a></p>
<p>Here in Utah, where Arellia is headquartered, there has been a much publicized data breach of the Utah Department of Health, where a server was compromised, 280,000 social security numbers were taken, and over 500,000 individuals had less sensitive data compromised. According to the <a href="http://udohnews.blogspot.com/2012/04/data-breach-expands-to-include-more.html">press release</a>, “In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” Now, this article is not here to throw stones at Utah’s Department of Health, but rather to illustrate how a small mistake had serious consequences.</p>
<p>Clearly, there were many controls in place to secure this server, but a failure to implement one control had serious consequences. Let this be a lesson for all of us that we are only as strong as our weakest links. Applying this concept to one of Arellia’s focuses, securing administrator rights, we can see where weak links break that model. Many of our customers come to look at privilege management, wherein we add privileges to applications that require administrative rights when the end user is running as a standard user. What they often overlook are the many adjacent security links associated with that initiative, including:</p>
<ul>
<li><strong>Continuous Discovery of Users with Administrator Rights </strong>– You have removed administrator rights from your end users, but how do you know they aren’t creeping back?</li>
<li><strong>Ongoing Administrator Group Membership Enforcement</strong> – How do you plan on removing administrator rights from end users? How do you continue to maintain that configuration?</li>
<li><strong>Secure Management of Authorized Administrator Accounts</strong> – Systems will have a local administrator account that is used by IT. How is the password being managed? Who has access to the password? How is it being cycled? Too often this account and password are known by all of IT and most of the end user community, and if not properly complex, the password is easy to crack.</li>
<li><strong>Applications Installed into Users Directory</strong> – The standard user can still install applications to the Users directory (such as <a href="../2011/10/19/application-control-web-browsers/">web browsers</a>) and run <a href="../2011/10/10/portable-application-protection/">portable applications</a>. Did you know that?</li>
<li><strong>Configuration Security </strong>– Your applications and users are secured, but your configuration is insecure. Hackers don’t give you credit for good work; they only target the weak links.</li>
</ul>
<p>At Arellia, our mission is to look at the problems that result in security incidents and address them before they happen: like the idea of regular exercise and a good diet versus pills and surgeries. This is why we look at user, application, and configuration security together: they are interrelated when it comes to complete security. So what are your weak links, and how are you addressing them?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/04/17/no-weak-links/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Strength and Age Considerations</title>
		<link>http://www.arellia.com/2012/03/13/password-strength-age-consideration/</link>
		<comments>http://www.arellia.com/2012/03/13/password-strength-age-consideration/#comments</comments>
		<pubDate>Tue, 13 Mar 2012 21:37:24 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=918</guid>
		<description><![CDATA[At Arellia, we are frequently asked about password strength and policy recommendations as it relates to password cracking. There are a few considerations around password strength, length, and changes when it comes to establishing a good password policy. Let’s take a look at three common methods of password cracking: brute force, dictionary, and rainbow tables. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2011/06/stickynotepassword.jpg"><img class="alignnone size-full wp-image-516" title="Sticky Note Password" src="http://www.arellia.com/wp-content/uploads/2011/06/stickynotepassword.jpg" alt="" width="180" height="165" /></a></p>
<p>At Arellia, we are frequently asked about password strength and policy recommendations as it relates to password cracking. There are a few considerations around password strength, length, and changes when it comes to establishing a good password policy. Let’s take a look at three common methods of password cracking: brute force, dictionary, and rainbow tables.</p>
<p>With brute force attacks, a candidate password is generated and hashed using the same hashing algorithm as the operating system, and the resulting hash is compared to the stored hash of an existing user’s password. A brute force attack systematically works through combinations until the right password is found. Let’s look at the following statistics using <a href="http://www.grc.com/haystack.htm">GRC’s Password Brute Force Calculator</a>:</p>
<p style="text-align: left;" align="center"><strong>Short Password with Varying Complexities<br />
</strong></p>
<table width="464" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" width="131"><strong> Password</strong></td>
<td valign="bottom" width="72">
<p align="center">password</p>
</td>
<td valign="bottom" width="69">
<p align="center">Password</p>
</td>
<td valign="bottom" width="72">
<p align="center">Passw9rd</p>
</td>
<td valign="bottom" width="74">
<p align="center">P@ssw9rd</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Length</strong></td>
<td valign="bottom" width="72">
<p align="center">8</p>
</td>
<td valign="bottom" width="69">
<p align="center">8</p>
</td>
<td valign="bottom" width="72">
<p align="center">8</p>
</td>
<td valign="bottom" width="74">
<p align="center">8</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Size of Character Set<sup>a</sup></strong></td>
<td valign="bottom" width="72">
<p align="center">26</p>
</td>
<td valign="bottom" width="69">
<p align="center">52</p>
</td>
<td valign="bottom" width="72">
<p align="center">62</p>
</td>
<td valign="bottom" width="74">
<p align="center">95</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Possible Passwords<sup>b</sup></strong></td>
<td valign="bottom" width="72">
<p style="text-align: center;" align="center">2.17 x 10<sup>11</sup></p>
</td>
<td valign="bottom" width="69">
<p align="center">5.45 x 10<sup>13</sup></p>
</td>
<td valign="bottom" width="72">
<p align="center">2.22 x 10<sup>13</sup></p>
</td>
<td valign="bottom" width="74">
<p align="center">6.70 x 10<sup>15</sup></p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Fast Crack<sup>c</sup></strong></td>
<td valign="bottom" width="72">
<p align="center">2.17 sec</p>
</td>
<td valign="bottom" width="69">
<p align="center">9.08 sec</p>
</td>
<td valign="bottom" width="72">
<p align="center">36.99 min</p>
</td>
<td valign="bottom" width="74">
<p align="center">18.62 hours</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Really Fast Crack<sup>d</sup></strong></td>
<td valign="bottom" width="72">
<p align="center">&gt; 1 sec</p>
</td>
<td valign="bottom" width="69">
<p align="center">&gt; 1 sec</p>
</td>
<td valign="bottom" width="72">
<p align="center">2.22 sec</p>
</td>
<td valign="bottom" width="74">
<p align="center">1.12 min</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: left;" align="center"><strong>Long Password with Varying Complexities<br />
</strong></p>
<table width="609" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" width="131"><strong> Password</strong></td>
<td valign="bottom" width="91">
<p align="center">longpassword</p>
</td>
<td valign="bottom" width="94">
<p align="center">Longpassword</p>
</td>
<td valign="bottom" width="90">
<p align="center">Longpassword</p>
</td>
<td valign="bottom" width="92">
<p align="center">Longp@ssw9rd</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Length</strong></td>
<td valign="bottom" width="91">
<p align="center">12</p>
</td>
<td valign="bottom" width="94">
<p align="center">12</p>
</td>
<td valign="bottom" width="90">
<p align="center">12</p>
</td>
<td valign="bottom" width="92">
<p align="center">12</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Size of Character Set<sup>a</sup></strong></td>
<td valign="bottom" width="91">
<p align="center">26</p>
</td>
<td valign="bottom" width="94">
<p align="center">52</p>
</td>
<td valign="bottom" width="90">
<p align="center">62</p>
</td>
<td valign="bottom" width="92">
<p align="center">95</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Possible Passwords<sup>b</sup></strong></td>
<td valign="bottom" width="91">
<p align="center">9.92 x 10<sup>16</sup></p>
</td>
<td valign="bottom" width="94">
<p align="center">3.99 x 10<sup>20</sup></p>
</td>
<td valign="bottom" width="90">
<p align="center">3.28 x 10<sup>21</sup></p>
</td>
<td valign="bottom" width="92">
<p align="center">5.46 x 10<sup>23</sup></p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Fast Crack<sup>c</sup></strong></td>
<td valign="bottom" width="91">
<p align="center">1.64 weeks</p>
</td>
<td valign="bottom" width="94">
<p align="center">127 years</p>
</td>
<td valign="bottom" width="90">
<p align="center">1,043 years</p>
</td>
<td valign="bottom" width="92">
<p align="center">1.74 thousand centuries</p>
</td>
</tr>
<tr>
<td valign="bottom" width="131"><strong> Really Fast Crack<sup>d</sup></strong></td>
<td valign="bottom" width="91">
<p align="center">16.54 min</p>
</td>
<td valign="bottom" width="94">
<p align="center">1.52 months</p>
</td>
<td valign="bottom" width="90">
<p align="center">1.52 months</p>
</td>
<td valign="bottom" width="92">
<p align="center">1.74 centuries</p>
</td>
</tr>
</tbody>
</table>
<p>a – Unique characters from each character set: uppercase, lowercase, digit, symbol</p>
<p>b – Possible character combinations based on the character set and length used</p>
<p>c – Time to assess all possible passwords assuming 100 billion guesses per second</p>
<p>d – Time to assess all possible passwords assuming 100 trillion guesses per second</p>
<p>In the calculations above, simply adding complexity to an 8-character password increases the time needed to work through all possible passwords by a factor of 30,890. Increasing that complex 8-character password to a complex 12-character password increases the time by a further factor of over 81 million. Clearly, a longer, more complex password will take longer to brute force crack (you already knew that).</p>
<p>The crack times measure the total time it would take to try every possible password, but simple logic indicates that a password would likely be found in less time, as it is unlikely that the last combination tried is your password. So divide the crack time by 4 or 5 for a likely scenario. Most GPU password cracking software can guess a few billion passwords per second, meaning the fast crack calculations are a worst-case scenario today. With those points of context, a long, fully complex password of 12 characters or longer is unlikely to be brute force cracked any time soon.</p>
<p>While brute force tools have their limitations, one must consider the other approaches to password cracking and their implications. Dictionary attacks precompute passwords and their hashes, which can be indexed for quick lookup. Dictionary attacks can be very quick if the hash in question corresponds to a combination in the dictionary. Often dictionary attacks use common words, which can be countered by requiring complexity of case, digits, and symbols. With complexity, one would need a very large dictionary to cover all of the combinations. Assuming 12-character passwords and 32-character hashes (with spaces and return characters), you are looking at 46 bytes per combination. Just the lower case combinations would require over 4 million terabytes of storage. Keep your passwords long and complex and this technique is unlikely to succeed.</p>
<p>Rainbow tables were created to balance the time demands of brute force attacks against the storage demands of dictionary attacks. Without going into the gory details, rainbow tables use algorithms that allow a much smaller file to be used for the password lookup. Unlike a dictionary attack, where a hash and password combination is simply looked up, there is some calculation involved. With rainbow tables, SSDs to accelerate file reads, and GPUs for processing speed, there have been examples of extremely fast cracking, as seen in this <a href="http://www.theregister.co.uk/2010/03/12/password_cracking_on_crack/">article</a>. The challenge with rainbow tables is that there is still a storage requirement, and most tables only address passwords of 8-16 characters (see <a href="http://ophcrack.sourceforge.net/tables.php">Ophcrack’s tables</a> for an example). There are multiple techniques to prevent rainbow table based cracking, but again, long, complex passwords are one approach.</p>
<p>There are other methods, and the time to crack passwords will continue to decrease as hardware and software techniques improve. Arellia <a href="../local-security-solution/">Local Security Solution</a> can be used to apply and manage unique, complex passwords that are changed on a sufficiently frequent interval to reduce the risk of compromise.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/03/13/password-strength-age-consideration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Arellia 7.1 Service Pack 2 Maintenance Pack 1 Released</title>
		<link>http://www.arellia.com/2012/03/06/arellia-7-1-sp1-mp1/</link>
		<comments>http://www.arellia.com/2012/03/06/arellia-7-1-sp1-mp1/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 23:18:51 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=915</guid>
		<description><![CDATA[Arellia Endpoint Security Remediation Suite 7.1 Service Pack 2 Maintenance Pack 1 is now released for all Arellia products: Application Control Solution, Local Security Solution, and Security Analysis Solution. For additional details, refer to the release notes (requires an Arellia portal login to see the details). Application Control Solution 7.1 Service Pack 2 Maintenance Pack [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Arellia Endpoint Security Remediation Suite 7.1 Service Pack 2 Maintenance Pack 1 is now released for all Arellia products: Application Control Solution, Local Security Solution, and Security Analysis Solution.</p>
<p>For additional details, refer to the release notes (requires an Arellia portal login to see the details).</p>
<ul>
<li><a title="Release Notes" href="http://portal.arellia.com/wiki/display/KB/Application+Control+Solution+7.1+SP2+%28MP1%29+Release+Notes" target="_blank">Application Control Solution 7.1 Service Pack 2 Maintenance Pack 1 Release Notes</a></li>
<li><a title="Release Notes" href="http://portal.arellia.com/wiki/display/KB/Local+Security+Solution+7.1+SP2+MP1+Release+Notes" target="_blank">Local Security Solution 7.1 Service Pack 2 Maintenance Pack 1 Release Notes</a></li>
</ul>
<p>To receive access to the Arellia Support Portal, follow the steps in <a title="How to Register with Arellia Support Portal" href="http://portal.arellia.com/wiki/display/LIB/Portal+Registration+Instructions" target="_blank">How to Register with Arellia Support Portal</a>. <strong>Note:</strong> you will need to have a Windows Live ID.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/03/06/arellia-7-1-sp1-mp1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Politics of Privilege Management</title>
		<link>http://www.arellia.com/2012/02/24/the-politics-of-privilege-management/</link>
		<comments>http://www.arellia.com/2012/02/24/the-politics-of-privilege-management/#comments</comments>
		<pubDate>Fri, 24 Feb 2012 21:14:16 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=910</guid>
		<description><![CDATA[2012 is a presidential election year in the United States which means debates, commercials, and political conversations are everywhere. 2012 is also a big year for Windows 7 in that many organizations are finally moving away from Windows XP to Windows 7 after many years of preparation. Arellia has seen this migration lead to initiatives [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2012/02/vote.jpg"><img class="alignnone  wp-image-911" style="border: 0pt none;" title="Vote" src="http://www.arellia.com/wp-content/uploads/2012/02/vote.jpg" alt="" width="407" height="271" /></a></p>
<p>2012 is a presidential election year in the United States, which means debates, commercials, and political conversations are everywhere. 2012 is also a big year for Windows 7, in that many organizations are finally moving away from Windows XP to Windows 7 after many years of preparation. Arellia has seen this migration lead to initiatives on improved desktop security architectures and, in many cases, removing end users’ administrator rights. So what do removing Windows 7 administrator rights and politics have in common? More than you think.</p>
<p>Most organizations approach removing administrator rights or privilege management or application whitelisting or desktop lockdown projects simply as a technical problem. Malware, hackers, insider abuse, and cost of support have driven organizations to adopt one of these projects. IT staff then charge into the technical problems of removing the administrator rights and managing privileges. As is often the case, the political ramifications are an afterthought.</p>
<p>Arellia sells products to enable these projects around privileges and application security, so why do we care about politics? To be blunt, failure to consider your company politics can lead to a failed project. Let’s take a step back. Windows still dominates the enterprise desktop (despite what the press would make you think) and has done so since the 90s. All of this time, end users have been local administrators with the ability to install and remove software, change configurations, circumvent security controls, and do whatever they want under the banner of “business productivity”. They go home and also have full control over their desktop environment. Now, after years (for younger workers, a lifetime) of control, they are being asked to lose those rights. Do you think there might be push back? Could this push back turn into a revolt? Will your executives support your initiative if all they hear is the negative?</p>
<p>So what do you do to win this campaign? Here are a few things to consider along with the technical aspects of privilege management:</p>
<ol>
<li>Business Justification</li>
<li>Executive Support</li>
<li>User Education</li>
<li>Balanced Approach</li>
</ol>
<p>You have your reasons to remove administrator rights and lock down the desktops. Whether it is external security threats, insider abuse, or the cost of supporting administrative users, be prepared to articulate those reasons. There are costs associated with all of those concerns, so look at the cost of threats in the past year and the number of helpdesk tickets generated by end users misconfiguring their systems, not to mention the costs associated with breaches. Use those quantifiable metrics to support your reasons.</p>
<p>Make sure you have executive support on a decision of this magnitude. Unlike antimalware software, whose worst effect is on performance, removing administrator rights is an in-your-face change to end users. Executives need to understand the benefits of your initiative and the impact to users, and be prepared to back IT up in the rollout. Consider an executive e-mail to all users before making any changes so the stage is set.</p>
<p>Along with that executive sponsorship, educate end users. Most won’t like the changes, but they need to be sold on the values too. Nobody likes viruses, helpdesk calls, and negative impacts to their business. Sell them on the virtues of least privilege computing and understand their needs for appropriate policies to enable their ability to work. Consumerization is all the rage in the IT press, but there are still many organizations that need to remind their employees that security trumps all. Do you care if your bank’s employees can do whatever they want if your financial data is lost? Do you care if your government’s workers can install whatever software they want and risk compromising national security? Would you go to a doctor who loses your medical records because they want to control their computers? Employees need to be able to do their jobs – anything else is a bonus.</p>
<p>That said, take the feedback from executives and end users to create privilege management policies that balance security and productivity. Simply removing administrator rights doesn’t work – there are too many limitations. Make sure you enable end users to use applications to do their jobs. More restrictions will equal more IT involvement.</p>
<p>Removing administrator rights and associated projects are achievable. Many organizations are doing it successfully. Arellia <a href="../application-control-solution/">Application Control Solution</a> and <a href="../local-security-solution/">Local Security Solution</a> can help with the technical aspects, but don’t overlook the politics of privilege management.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/02/24/the-politics-of-privilege-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keys to a Successful Privilege Management Implementation</title>
		<link>http://www.arellia.com/2012/02/07/keys-to-a-successful-privilege-management-implementation/</link>
		<comments>http://www.arellia.com/2012/02/07/keys-to-a-successful-privilege-management-implementation/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 19:13:22 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=878</guid>
		<description><![CDATA[So you have decided to implement a least privilege model in your client-computing environment and now you ask yourself, “Where do I start?” One could pull the trigger on removing administrator rights and elevating applications as needed, but that would create a wave of helpdesk calls as users are no longer able to do many [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2012/02/checklist.jpg"><img class="alignnone size-full wp-image-882" style="border: 0pt none;" title="checklist" src="http://www.arellia.com/wp-content/uploads/2012/02/checklist.jpg" alt="" width="240" height="225" /></a></p>
<p>So you have decided to implement a least privilege model in your client-computing environment and now you ask yourself, “Where do I start?” One could pull the trigger on removing administrator rights and elevating applications as needed, but that would create a wave of helpdesk calls as users are no longer able to do many things that they were once able to do such as install any software they want, change system settings, or use applications that require administrator rights. There are some best practices that will help make this implementation go as smooth as possible:</p>
<ol>
<li>Education</li>
<li>Discovery and Planning</li>
<li>Testing and Rollout</li>
</ol>
<p><strong>Education</strong></p>
<p>Do not skip the important step of end-user education. Be aware that positioning this project as “desktop lockdown” or “application control” may come across negatively. Use something user-friendly such as “enhanced security desktop” and emphasize the benefits of a more secure and stable environment. Help your end-users buy into the initiative and you will have less resistance.</p>
<p><strong>Discovery and Planning</strong></p>
<p>You will want to identify applications that need elevation. First look at three categories:</p>
<ol>
<li><span style="text-decoration: underline;">System Utilities</span> – disk defragmenter, adding printers, etc. Which of these do users need to still access?</li>
<li><span style="text-decoration: underline;">Software Installers</span> – If an end user needs software, will it be delivered using a software delivery tool? Will the software be available via a centralized location(s)? Be aware that there are still many applications that can still be installed or run as a standard user: read <a href="../2011/10/19/application-control-web-browsers/">Application Control and Web Browsers</a> and <a href="../2011/10/10/portable-application-protection/">Portable Application Protection</a>.</li>
<li><span style="text-decoration: underline;">Applications Requiring Administrative Rights</span> – For Windows Vista and 7, this can be discovered by looking at applications that trigger UAC (consent.exe).</li>
</ol>
<p>Once you have answered these questions and analyzed these results, application elevation policies can be created before removing administrator rights. Depending on your existing software installation approach, you may need to create new processes or locations to allow authorized software to be installed.</p>
<p>Many privilege management tools only deal with rights management, but don’t forget the actual removal of rights. Determine who currently has and doesn’t have administrator rights. There still may be users (mostly for political reasons) who will want to retain administrator rights. Create policies accordingly.</p>
<p><strong>Testing and Rollout</strong></p>
<p>Test your standard Windows image before implementing a standard user model in your environment. There may be adjustments needed that you didn’t catch in the discovery phase.</p>
<p>Before a widespread deployment, select a group of test users from different departments who can provide feedback. Pay close attention to any tickets from them and have them inform you of applications that need elevation.</p>
<p>Meanwhile, you can send the remaining users messages informing them that certain applications will no longer be accessible after a certain date, and provide a dedicated method for addressing their concerns.</p>
<p>Privilege management can be quickly achieved when done with the right process and tools. <a href="../local-security-solution/">Arellia Local Security Solution</a> helps find and remove administrator rights, while <a href="../application-control-solution/">Arellia Application Control Solution</a> can elevate privileges. Both tools have many other capabilities, including administrator user and group security and application whitelisting, all of which contribute to a more secure desktop.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/02/07/keys-to-a-successful-privilege-management-implementation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MMC and the Standard User</title>
		<link>http://www.arellia.com/2012/01/31/mmc-snapins/</link>
		<comments>http://www.arellia.com/2012/01/31/mmc-snapins/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 20:30:34 +0000</pubDate>
		<dc:creator>mmurphy</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=845</guid>
		<description><![CDATA[With desktop lockdown or application control, there are many decisions that must be made. One potential risk where end users could have more control than is necessary, is via the Microsoft Management Console (MMC). Standard users are able to view and configure several snap-ins, some of which can present a security risk. Here are just [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2012/01/MMC-snapins-Small.png"><img class="alignnone size-full wp-image-869" title="MMC-snapins Small" src="http://www.arellia.com/wp-content/uploads/2012/01/MMC-snapins-Small.png" alt="" width="337" height="232" /></a></p>
<p>With desktop lockdown or application control, there are many decisions that must be made. One potential risk, where end users could have more control than is necessary, is via the Microsoft Management Console (MMC). Standard users are able to view and configure several snap-ins, some of which can present a security risk.</p>
<p>Here are just a few of the snap-ins available in MMC in Windows XP and Windows 7 and what the standard user can do with each:</p>
<table width="657" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" nowrap="nowrap" width="250">
<p align="center"><strong>MMC Snap-in</strong></p>
</td>
<td valign="top" width="120">
<p align="center"><strong>MSC File</strong></p>
</td>
<td valign="bottom" nowrap="nowrap" width="117">
<p align="center"><strong>Windows XP</strong></p>
</td>
<td valign="bottom" nowrap="nowrap" width="98">
<p align="center"><strong>Windows 7</strong></p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Authorization Manager</td>
<td valign="top" width="117">
<p align="center">azman.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Certificates</td>
<td valign="top" width="117">
<p align="center">certmgr.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">Full Control (Current User)</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Component Services</td>
<td valign="top" width="117">
<p align="center">comexp.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Computer Management</td>
<td valign="top" width="117">
<p align="center">compmgmt.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Device Manager</td>
<td valign="top" width="117">
<p align="center">devmgmt.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Disk Management</td>
<td valign="top" width="117">
<p align="center">diskmgmt.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">No Access</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Event Viewer</td>
<td valign="top" width="117">
<p align="center">eventvwr.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Group Policy Object Editor</td>
<td valign="top" width="117">
<p align="center">gpedit.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">No Access</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Indexing Service</td>
<td valign="top" width="117">
<p align="center">ciadv.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">No Access</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">N/A</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Local Users and Groups</td>
<td valign="top" width="117">
<p align="center">lusrmgr.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> NAP Client Configuration</td>
<td valign="top" width="117">
<p align="center">napclcfg.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Performance Monitor</td>
<td valign="top" width="117">
<p align="center">perfmon.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Print Management</td>
<td valign="top" width="117">
<p align="center">printmanagement.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Removable Storage Management</td>
<td valign="top" width="117">
<p align="center">ntmsmgr.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">N/A</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Resultant Set of Policy</td>
<td valign="top" width="117">
<p align="center">rsop.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Security Templates</td>
<td valign="top" width="117"></td>
<td nowrap="nowrap" width="117">
<p align="center">Full Control (Current User)</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Services</td>
<td valign="top" width="117">
<p align="center">services.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">View and Start Services</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View and Start Services</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Shared Folders</td>
<td valign="top" width="117">
<p align="center">fsmgmt.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Task Scheduler</td>
<td valign="top" width="117">
<p align="center">taskschd.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">View</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> TPM Management</td>
<td valign="top" width="117">
<p align="center">tpm.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> Windows Firewall</td>
<td valign="top" width="117">
<p align="center">wf.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">N/A</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
<tr>
<td nowrap="nowrap" width="266"> WMI Control</td>
<td valign="top" width="117">
<p align="center">wmimgmt.msc</p>
</td>
<td nowrap="nowrap" width="117">
<p align="center">No Access</p>
</td>
<td nowrap="nowrap" width="98">
<p align="center">No Access</p>
</td>
</tr>
</tbody>
</table>
<p>As you can see, the standard user has access to key system information through MMC despite not being able to change system settings. Some areas of potential exposure include the Event Viewer or Local Users and Groups, where a user may gather insight about their system in order to work toward administrative settings.</p>
<p>Almost all of the MMC snap-ins above can also be accessed through the Control Panel or by running a ‘.msc’ file found in the System32 folder. For most organizations, the standard user does not need access to all of the snap-ins available from the MMC; MMC can therefore be blocked while the Control Panel still provides access to the relevant snap-ins. <a title="Application Control Solution" href="http://www.arellia.com/application-control-solution/" target="_blank">Arellia Application Control Solution</a> makes it possible to enable just one or several of the MMC snap-ins while blocking the rest. See this <a title="MMC Snap-in Whitelisting" href="http://www.youtube.com/watch?v=f11mMjH0-ro" target="_blank">video</a> for details on how this is accomplished.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/01/31/mmc-snapins/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Privilege Exploitation in 2011</title>
		<link>http://www.arellia.com/2012/01/13/microsoft-privilege-exploitation-in-2011/</link>
		<comments>http://www.arellia.com/2012/01/13/microsoft-privilege-exploitation-in-2011/#comments</comments>
		<pubDate>Fri, 13 Jan 2012 19:55:05 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=748</guid>
		<description><![CDATA[2011 is quickly fading in the rear view mirror so here’s a brief analysis on Microsoft vulnerabilities\patches and privilege risk for the year. As mentioned in the Introduction on Privilege Exploitation, privilege exploitation is where the malicious software takes advantage of the rights of the logged in user to change the configuration of the local [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2012/01/seatbelt.jpg"><img class="alignnone size-full wp-image-749" title="seatbelt" src="http://www.arellia.com/wp-content/uploads/2012/01/seatbelt.jpg" alt="" width="318" height="233" /></a></p>
<p>2011 is quickly fading in the rear view mirror, so here’s a brief analysis of <a href="http://technet.microsoft.com/en-us/security/bulletin" target="_blank">Microsoft vulnerabilities\patches</a> and privilege risk for the year. As mentioned in the <a href="../2011/05/31/malicious-software-and-privilege-exploitation/">Introduction on Privilege Exploitation</a>, privilege exploitation is where malicious software takes advantage of the rights of the logged-in user to change the configuration of the local computer.</p>
<p>Here is a summary of privilege exploitation in 2011 and 2010 for comparison:</p>
<table width="496" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"></td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center"><strong>2011</strong></p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center"><strong>2010</strong></p>
</td>
<td valign="bottom" nowrap="nowrap" width="76">
<p align="center"><strong>2010 to 2011</strong></p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"> Bulletins</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">100</p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">106</p>
</td>
<td valign="bottom" nowrap="nowrap" width="76">
<p align="center">-5.7%</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"> Vulnerabilities</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">213</p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">269</p>
</td>
<td valign="bottom" nowrap="nowrap" width="76">
<p align="center">-20.8%</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"> Bulletins with Privilege Exploitations</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">46</p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">59</p>
</td>
<td valign="bottom" nowrap="nowrap" width="76">
<p align="center">-22.0%</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"> Vulnerabilities with Privilege Exploitations</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">91</p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">157</p>
</td>
<td valign="bottom" nowrap="nowrap" width="76">
<p align="center">-42.0%</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"> % of Bulletins with Privilege Exploitation</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">46.0%</p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">55.7%</p>
</td>
<td valign="bottom" nowrap="nowrap" width="76"></td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="222"> % of Vulnerabilities with Privilege Exploitation</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">42.7%</p>
</td>
<td valign="bottom" nowrap="nowrap" width="53">
<p align="center">58.4%</p>
</td>
<td valign="bottom" nowrap="nowrap" width="76"></td>
</tr>
</tbody>
</table>
<p>As you will observe, there was a general improvement in the number of bulletins, the number of vulnerabilities, and the number of each with privilege exploitation.</p>
<p>Each bulletin has one or more vulnerabilities that apply to one or more operating systems or applications. Here is a listing of affected software and the number of vulnerabilities with privilege exploitation for each:</p>
<table width="189" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center"><strong>Software</strong></p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center"><strong>Vulnerabilities</strong></p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">IE 6</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">29</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">IE 7</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">29</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">IE 8</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">29</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">XP</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">26</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Vista</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">26</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Office</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">25</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Server 2008</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">24</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">7</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">24</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Server 2003</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">23</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">IE 9</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">21</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Excel</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">14</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Visio</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">5</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">PowerPoint</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">2</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Forefront</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">1</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Groove</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">1</p>
</td>
</tr>
<tr>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">Visual Studio</p>
</td>
<td valign="bottom" nowrap="nowrap" width="66">
<p align="center">1</p>
</td>
</tr>
</tbody>
</table>
<p>As you can see, Internet Explorer has the most vulnerabilities with privilege exploitation. Exploits in this case are likely a malicious URL, either on a website or in an e-mail, that allows the malicious user or software to run commands and calls with the privileges of the running user. If the user is a member of the administrators group, game over.</p>
<p>Of the operating system vulnerabilities with privilege exploitation exposure, here are some of the most frequently affected components (there are many others):</p>
<ul>
<li>.NET</li>
<li>Silverlight</li>
<li>Windows Media Player \ Center</li>
<li>OLE</li>
</ul>
<p>Removing end user administrator rights is not a silver bullet, but it will reduce the risk from malicious software, not to mention additional benefits around system stability and support costs. Here is another way to think about these statistics. If you could do one thing to reduce the impact of a car accident by 40%, would you do it? Start buckling those seat belts and start removing end user administrator rights. For more information on the latter, look at <a href="http://www.arellia.com/application-control-solution/">Arellia Application Control Solution</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2012/01/13/microsoft-privilege-exploitation-in-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Arellia 7.1 Service Pack 2 Released</title>
		<link>http://www.arellia.com/2011/12/23/arellia-7-1-sp2/</link>
		<comments>http://www.arellia.com/2011/12/23/arellia-7-1-sp2/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 22:03:27 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=708</guid>
		<description><![CDATA[Arellia Endpoint Security Remediation Suite 7.1 Service Pack 2 is now released for all Arellia products: Application Control Solution, Local Security Solution, and Security Analysis Solution. Be aware that applying Symantec Management Platform (SMP) 7.1 SP2 will cause issues with Tasks in Arellia products. We recommend you install Arellia 7.1 SP2 before or immediately after [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Arellia Endpoint Security Remediation Suite 7.1 Service Pack 2 is now released for all Arellia products: Application Control Solution, Local Security Solution, and Security Analysis Solution.</p>
<p>Be aware that applying Symantec Management Platform (SMP) 7.1 SP2 will cause issues with Tasks in Arellia products. We recommend you install Arellia 7.1 SP2 before or immediately after installing SMP 7.1 SP2.</p>
<p>For additional details, refer to the release notes (requires an Arellia portal login to see the details).</p>
<ul>
<li><a href="http://portal.arellia.com/wiki/display/KB/Application+Control+Solution+7.1+SP2+Release+Notes">Application Control Solution 7.1 Service Pack 2 Release Notes</a></li>
<li><a href="http://portal.arellia.com/wiki/display/KB/Local+Security+Solution+7.1+SP2+Release+Notes">Local Security Solution 7.1 Service Pack 2 Release Notes</a></li>
<li><a href="http://portal.arellia.com/wiki/display/KB/Security+Analysis+Solution+7.1+SP2+Release+Notes">Security Analysis Solution 7.1 Service Pack 2 Release Notes</a></li>
</ul>
<p>To receive access to the Arellia Support Portal, follow the steps in <a title="How to Register with Arellia Support Portal" href="http://portal.arellia.com/wiki/display/LIB/Portal+Registration+Instructions" target="_blank">How to Register with Arellia Support Portal</a>. <strong>Note:</strong> you will need to have a Windows Live ID.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2011/12/23/arellia-7-1-sp2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privilege Management is Data Security</title>
		<link>http://www.arellia.com/2011/12/13/privilege-management-is-data-security/</link>
		<comments>http://www.arellia.com/2011/12/13/privilege-management-is-data-security/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 04:58:06 +0000</pubDate>
		<dc:creator>sbrown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=701</guid>
		<description><![CDATA[In a study by the Ponemon Institute, “The Insecurity of Privileged Users”, the prevalence of privilege abuse was noted. A very interesting point was that over 60 percent of the 5,000 IT operations and security managers accessed data out of curiosity and not because of the job function. The reason why administrators abuse their privileges: [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2011/12/keys.jpg"><img class="alignnone size-medium wp-image-704" title="Privilege Management" src="http://www.arellia.com/wp-content/uploads/2011/12/keys-300x196.jpg" alt="" width="300" height="196" /></a></p>
<p>In a <a href="http://www.hp.com/hpinfo/newsroom/press/2011/111212xa.html?mtxs=rss-corp-news" target="_blank">study</a> by the Ponemon Institute, “The Insecurity of Privileged Users”, the prevalence of privilege abuse was noted. A very interesting point was that over 60 percent of the 5,000 IT operations and security managers accessed data out of curiosity and not because of the job function. The reason why administrators abuse their privileges: because they can.</p>
<p>The world of information security is obsessed with the threat of the malicious outsider: hackers, organized criminals, spammers, etc. Meanwhile, while all eyes focus on the threats outside, insider abuse, whether deliberate, inadvertent, or accidental, gets limited attention. Now don’t get me wrong, I’m not suggesting we treat all employees as criminals, but organizations need controls in place to keep honest people honest and to limit bad actors from doing damage.</p>
<p>Insider threat is as big and complex as the malware and external threat that garners most of the attention and concern, which is why there is no one-size-fits-all solution. At Arellia, we have focused on securing privileged accounts and application rights with our <a href="http://www.arellia.com/security-remediation-suite/" target="_blank">Endpoint Security Remediation Suite</a>. Domain administrator accounts often have security policies to manage the cycling of passwords and password complexity. If an IT administrator leaves the company, disable their domain account and\or remove it from the Domain Administrators group and all is good, right? Unfortunately, we find that nothing is being done about local administrator accounts. Common accounts and passwords prevail, and cycling just isn’t done due to a lack of solutions. A disabled domain account won’t prevent a former IT administrator from logging into a system with a well-known local administrator account.</p>
<p>The reasons to access unauthorized systems or abuse privileged access are simple: valuable data. What does my boss or co-workers earn? Just log into the HR application or file server. Wonder how the company is going to do on the next quarterly earnings report? Just log into the finance systems and take a peek at the revenue calculations for a little stock tip. Want to know what the VP is planning to do with the next layoff? Add a local administrator account with remote access on the next helpdesk call and log in when curious. These are small but potent abuses compared to something even more malicious, such as corporate espionage or acts of vengeance.</p>
<p>Don’t think these things are happening at your organization? I have some beachfront property in the Himalayas to sell you. As the study noted, these abuses are happening. What’s your next step?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2011/12/13/privilege-management-is-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

