In general, IT personnel are far more knowledgeable and skilled than end-users when it comes to information security. Consequently, IT personnel prefer to limit what end-users can do on their assigned endpoints by provisioning end-users without administrative privileges. This sounds reasonable: the less users can do to alter their machines, the less likely they are to expose their networks and systems to security breaches. By the way, minimizing dependence on end-users making correct information security decisions is almost always good policy.

Without endpoint administrative privileges, an end-user cannot add or modify files and registry settings in many “sensitive” places. The “Program Files” directory is one of them. This is where software applications are typically installed. Some application installations, such as client security software, must add or modify files in yet more “sensitive” places. In theory, these write-privilege limitations prevent end-users from installing peer-to-peer, recreational, pirated, and other unauthorized software. In reality, however, most such software can be installed elsewhere in the endpoint by these end-users, and run normally.

So, how do end-users circumvent these software installation restrictions? They do little more than just point and click!

After double-clicking on the Limewire set-up executable, for example, the end-user is asked to click “Ok”, “Next”, or “Continue” on several prompt windows. One such prompt window generally presented to the end-user concerns the destination of the installation, which normally defaults to within the “Program Files” directory. However, this prompt usually includes an “Browse” or “Custom” button that allows an end-user to specify a different location. The end-user merely needs to point to a directory within the user directory space such as “Desktop” or “My Documents”, for example. Most undesirable applications will operate fine in these locations. And, for the most part, these applications will run okay even if their executable has been renamed. Such end-users might rename limewire.exe to be winword.exe (wouldn’t interfere with Microsoft Word) to avoid detection, for example.

Some good news on the side, these installations alone cannot inject a rootkit into the host. Bad news, if such software has a Trojan embedded within it, the “bad guys” will have a logical presence within the host from which they might exploit a vulnerability to infest “sensitive” places in the endpoint. But, while this is a threat not to be ignored, the threat of malware (i.e., Trojan) infested end-user installed software installation is not the most immediate risk that requires action from IT personnel. There are far more numerous and impacting security breach reports from peer-to-peer software sharing “sensitive” documents on the host to anyone on the Internet. Additionally, end-users generally fail to keep the software they install up to date with the last security patches provided by the vendors. The SANS Institute reported in November 2007 that hackers are increasingly targeting such client software. So, any application running on a endpoint that interacts with the outside world generally increases the exposure of that endpoint and the organization that hosts the endpoint. Now, outside of Microsoft, Apple, Adobe, who amongst the other software vendors have been targeted enough to motive themselves to invest heavily in hardening their software? Answer: be afraid, be very afraid! This is especially so if endpoints in your organization possess sensitive data or documents that could generate bad press, law suits, and regulatory attention.

Considering the above risks and others, do you know what software is running on your organization’s endpoints? Do you know what software the endpoints run when they are off the enterprise? Please do not rely on firewall, router, and other logs to discover unauthorized client software. These applications are increasingly using common network ports, encryption, and even obfuscation to avoid detection and to ensure privacy.

The bottom line for organizations is that their IT personnel need application control capabilities whether their end-users have endpoint administrative privileges or not. If trade-offs have been accepted allowing end-users to have administrative privileges, then IT application controls must be capable of superseding those privileges. And worth repeating, IT personnel require monitors and controls that provide them operational awareness for endpoints both on and off the enterprise.

Posted: Friday, July 18th, 2008 - Endpoint Security
RSS 2.0 - Comment - Trackback