To prove to everyone that removing admin rights from end users is the best choice you can make, I thought I would share my personal story on how I got into this business. I haven’t been using admin rights on my own computer since 2002 even if I could. I run my own environment and company so nothing prevents me from doing it – except wisdom and a bit of laziness I would say. On the other hand, it would be very hypocritical of me not to practice what I preach to the security community.
As I said, it all started in 2002 when I had my family computer infiltrated by Smiley-figures one morning. I went to our computer that I shared with the person I was living with at that time and opened my Outlook only to be faced with these yellow Smiley’s jumping all over my desktop. I asked my roommate what they were and she said it was such fun to start the morning with a few smiles. I instantly took measures to prevent it by removing admin rights from both of us and told her that from now on she installs stuff only to her profile not to all users. In a way, you could say that the first driving force for me to ditch admin rights was security based.
Trust me, Whitelisting is the easy option.
Sami Laiho, Microsoft MVP
The other reason that kept me away from admin rights was totally unrelated to security. At that time, I was a normal Windows user who believed that Windows ran a lot better if you just reinstall it every now and again. For me that was once every 6 to 12 months. Now what totally amazed me was the fact that this machine that we used the most but didn’t have admin rights, it just kept running and running. In fact, I reinstalled it, while still being happy with the performance,
in January 2007 because of a physical hard disk failure. Therefore, I say that the decision to keep away from admin rights has never been security based for me but based solely on the fact that I’m just way too lazy to be an admin. I skipped 5-10 reinstalls on that machine and I don’t like reinstalling or any other sort of extra work.
Nowadays I do like the fact that I am security aware and that I can block more than 85% of all threats out there in my environments but just as important is the fact that running as a non-admin prevents you from writing trash on your own computer and its registry. Without admin rights you have better performing computers with a longer lifetime.
In 2005 I went to a security conference in Orlando. Someone speaking there asked the 1200 people in the audience if there was really anyone who didn’t use admin rights for end users – I was the only one who raised my hand. Trust me I’ve had my downs on being the only believer, along with Aaron Margosis from Microsoft of course. Luckily in the past decade things have changed and now I have more people who share my opinions. Though even today when you create a new user in Windows it is an admin by default. In Windows 10 there is a small win forus as the new “Child accounts” are now limited users – not perfect but an advancement I would say!
The place we were at was called Buena Vista to be exact. I was sure we were lured into the place just to hear
the news during the conference that the name of the new Windows had just been finalized – it would be called Vista. At that time, I of course had really no idea how “Buena” Vista would be. Vista did however bring one feature that has made my life so much easier – UAC (User Account Control). That is probably one of the only few things I still thank Vista for. With UAC, I could now easily use a limited account and just be asked for elevation to another user when needed. This is why I always called UAC the “Automatic RunAs”. UAC is very important for security for admins on servers for example but for limited users it’s just handy – not a security feature really as they have no admin rights to protect from.
In 2002 something else happened that had made my life a lot easier. That year I deployed the first whitelisting solution to a customer environment with around 35000 computers. Deploying whitelisting is the best idea for any company but it is “easy” only after removing admin rights. When you don’t have admin rights you can create whitelists of containers rather than items. So instead of 200 lines listing apps that are allowed you list just “C:\Program Files\” and prevent anyone from adding apps to the folder. The environment is still using whitelisting as are most of my other customers nowadays as well. When people ask me how horrible it is to add every new app to the whitelist I tell them about the containers and explain the other option – Black- Listing or catching the bad guys instead – around 300000 of them, every day. Trust me, Whitelisting is the easy option.
My previous boss once gave me the best credit I’ve had. He was showing the new CTO around the company and asked me to come along as I had developed most of their systems. When he mentioned that they were using whitelisting the future CTO panicked and said: “That’s so much extra work that I believe we should remove it!”. My boss asked him
to follow and took him to the room that had the monitor that showed all active and previous alerts from our Anti-Virus. He then asked: “What do think about the Anti-virus of our company?”. The future CTO replied: “What do you mean? There’s nothing on the screen”. My boss smiled and replied: “Exactly! All the minutes we lose on administering whitelisting we save as hours and days on not taking care of the Anti-Virus alerts”.
Stay limited – stay secure
Denna artikel är hämtad ur vår kundtidning Inuit forum som du kan ladda ner här.
Gästbloggare: Sami har varit en MVP Windows Expert - IT Pro sedan 2011 och är en del av Microsoft STEP community. Sami Laiho har också varit en Microsoft Certified Trainer i över 15 år. Samis talarsessioner bedömdes som de bästa sessionerna i fleraTechEds runtom i världen.