The Principle of Enforcing Least Privilege (Part 2)
In Part 1 of this blog series, we introduced the Principle of Least Privilege (POLP) and how it is similar to any other set of standard operating procedures that businesses adopt and utilize every day. The PoLP was developed more than 30 years ago by the US Department of Defense and required that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorized tasks.
But that doesn’t mean that the goal of the PoLP is to restrict admin rights. The goal is to determine and allocate the appropriate rights that every standard user requires to effectively do his or her job. Just as users don’t always have physical access to the entire corporate facility, users don’t get virtual access to the entire digital desktop. So when it comes to security, hackers are prevented from moving laterally throughout the organization when using a single compromised account.
The PoLP is About More Than Just Security
Enforcing the PoLP should be an integral part of any enterprise desktop security plan. In part 1 of this series, we discussed how admin rights are not required for application installation with PolicyPak Least Privilege Manager. Users need to be able to do more than just run applications, especially on mobile devices. The PoLP expands into multiple aspects of the standard user desktop beyond just application installation, including:
- Allowing certain line of business (LOB) applications that require admin rights to run
- Enabling users to uninstall applications
- Pausing the perpetual UAC prompts that often aggravate users and hinder application functionality
- Allowing users to install printers, especially mobile users who need to install a home printer, or a third party printer on the road
- Offering periodic access to system admin tools such as Device Manager, Disk Cleanup or Optimize Drive for basic maintenance and optimization
Full access to these privileged components can be provided by assigning local admin rights, but you also don’t want to provide unfettered access to all critical functions, including Windows Defender Firewall, Advanced Recovery Tools and User Accounts, because this exposes the device to serious vulnerabilities, compromising security for both the device, and the enterprise.
Enforcing PoLP Can Reduce Helpdesk Calls
Restricting access for your users not only reduces the attack surface of external threats, but reduces support costs as well. A simple mouse click concerning a system file, security setting or registry key can jeopardize functionality, initiating a helpdesk call that not only costs money, but puts the operations of that user on hold.
Auditing and Compliance
Compliance regulations such as HIPAA enforce the separation of privileges. Access to applications and patient data are separated and assigned by roles. HIPAA, PCI and other compliance regulation guidelines are adamant about protecting personal data through the implementation of technical controls. How those controls are defined is up to the customer, as long as they exemplify a duty of care performed by the organization. Monitoring and auditing is also required so that organizations can track user access and actions.
But, when the system is designed around the Principle of Least Privilege, the scope of an audit is significantly reduced. When everyone has admin rights, tracking is overwhelming, and what’s more, users with admin rights can subvert or delete logging information.
PolicyPak Least Privilege Manager Provides the Granular Control You Need
The enforcement of PoLP across your user environment requires a degree of control that Microsoft doesn’t offer. However, PolicyPak Least Privilege Manager does provide that granular ability so that you don’t have to give users unabated local admin rights. It gives you, the administrator, the power to elevate required applications, bypass UAC prompts, and grant access to the control panel applets that you stipulate. It does this while also blocking malicious malware and other threats, and providing a simple guided interface that allows you to create policy settings and deploy them using Group Policy, SCCM or PolicyPak Cloud. You can see a video demonstration of PolicyPak’s LPM here.
With PolicyPak Least Privilege Manager, you can ensure that applications and scripts, not your users, maintain the elevated privileges required to function correctly. Unexpected UAC prompts are avoided by ensuring that all child processes within an application operate with their necessary integrity levels. It lets you pick and choose which system tools and components your standard users can access so that they can install printers, manage their network connections, and perform basic desktop maintenance tasks using the system tools and control panel applets that you sanction to users. There are no longer any good reasons to justify the legacy and unsafe practice of allowing local admin rights for standard users.