Neil MacDonald
VP & Gartner Fellow, a member of the Gartner Blog Network
15 years at Gartner, 25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

No Security (or Management) Controls are Absolute When Users run as Administrators

by Neil MacDonald  |  December 17, 2009  |  4 Comments

I had a discussion with a client this week on their desktop security strategy. They had ruled one vendor out because the vendor wouldn’t guarantee their security agent couldn’t be disabled by end-users running as administrators (ideally, we’d run all users with ‘standard user’ privileges and not with administrative rights, but there are reasons why some organizations continue to provide users with administrative rights).

The vendor had basically said something like “While we make it very difficult for a user to disable our product and we provide options to hide these menu choices and commands from users, if the user is running as administrator we cannot guarantee that the user will not figure out a way to disable our software”.

The vendor was correct. Savvy end-users will search on the Internet for undocumented or hidden registry settings or utilities to disable software. This affects all vendors, not just the ones that answer the RFI/RFP honestly. This is another area where virtualization and introspection techniques offer new and interesting ways of implementing security controls outside of the OS container that the user has administrative rights in. However, these technologies are just emerging and aren’t yet mainstream on servers, let alone enterprise desktops.

In short, there are no absolute security controls when users run as administrators within the same OS container as the security control/agent.
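One compensating control that follows from the point above is to watch for the agent being stopped or disabled and to act on that signal from outside the endpoint. The following added example (not code from the original post, nor from any vendor's product) shows the detection logic over Windows Service Control Manager events 7036 (service state change) and 7040 (start type change) from the System log. The agent display name, the host names and the event records are constructed placeholders for the demonstration.

```python
"""Detect stops or disabling of an endpoint security agent's Windows service.

Added example, not from the original post. Assumes the agent runs as a
Windows service whose display name is AGENT_DISPLAY_NAME (placeholder) and
uses the Service Control Manager message formats of System-log events 7036
and 7040. The event records at the bottom are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder: replace with the agent's display name as shown in services.msc.
AGENT_DISPLAY_NAME = "Example Endpoint Agent"

EVT_SERVICE_STATE = 7036  # "The <service> service entered the <state> state."
EVT_START_TYPE = 7040     # "The start type of the <service> service was changed from <old> to <new>."

STATE_RE = re.compile(r"^The (?P<svc>.+) service entered the (?P<state>\w+) state\.$")
START_RE = re.compile(
    r"^The start type of the (?P<svc>.+) service was changed from (?P<old>.+?) to (?P<new>.+)\.$"
)


@dataclass
class Event:
    host: str       # computer that logged the event
    event_id: int   # Windows event ID
    message: str    # rendered message text


def classify(ev: Event) -> Optional[str]:
    """Return an alert line if the event shows the agent being stopped or disabled, else None."""
    if ev.event_id == EVT_SERVICE_STATE:
        m = STATE_RE.match(ev.message)
        if m and m.group("svc") == AGENT_DISPLAY_NAME and m.group("state") == "stopped":
            return f"{ev.host}: agent service entered the stopped state"
    elif ev.event_id == EVT_START_TYPE:
        m = START_RE.match(ev.message)
        if m and m.group("svc") == AGENT_DISPLAY_NAME and m.group("new") == "disabled":
            return f"{ev.host}: agent start type changed from {m.group('old')} to disabled"
    return None


def find_tampering(events: List[Event]) -> List[str]:
    """Run classify() over a batch of forwarded events and collect the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


# Constructed sample: the agent stopped and restarted on one host, disabled on
# another, and an unrelated service changed on a third (must not alert).
SAMPLE_EVENTS = [
    Event("WS-0001", 7036, "The Example Endpoint Agent service entered the stopped state."),
    Event("WS-0001", 7036, "The Example Endpoint Agent service entered the running state."),
    Event("WS-0002", 7040, "The start type of the Example Endpoint Agent service was changed from auto start to disabled."),
    Event("WS-0003", 7036, "The Print Spooler service entered the stopped state."),
    Event("WS-0003", 7040, "The start type of the Print Spooler service was changed from auto start to demand start."),
]

if __name__ == "__main__":
    for line in find_tampering(SAMPLE_EVENTS):
        print(line)
```

The check only has value if the events leave the endpoint before a local administrator can clear them, which is the same "same OS container" argument the post makes: forward the System log to a collector and run the rule there, and treat a stop that is not followed by a restart within a short window as the case to escalate.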


Category: Endpoint Protection Platform, Virtualization Security

4 responses so far

  • 1 valentines day gift ideas   December 18, 2009 at 2:13 am

    According to me this concept is basically based on the Administrator and users profile. The access rights of both users and admin should be different in a company and it is depending on the login information.

  • 2 Neil MacDonald   December 18, 2009 at 8:18 am

    Ideally – yes. Users are ‘standard users’ and administrators are administrators. Supporting a multi-user, multi-privileged environment wasn’t always the case with Windows so there are still many applications that require administrative access to run. For remote and mobile power users, administrative rights are needed in many cases for self-support – including software and driver installations as well as privileged activities like renewing an IP address at a hotel.

    Windows Vista and Windows 7 help here with User Account Control, but there are limitations described in detail in this research note.

    Other third party utilities from Altiris, Avecto and BeyondTrust can also help by elevating applications that require administrative access on exception (also referred to as privilege management).

    Our estimates are that, worldwide, 60 percent of enterprise Windows systems have users configured with administrative rights.
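Before deciding between standard-user accounts and exception-based privilege management, an organisation needs to know which desktops actually have users in the local Administrators group. The following added example (not code from the post or from any of the tools named in the comment) parses collected `net localgroup Administrators` output and reports members outside a baseline, giving the share of hosts where a non-baseline account holds administrative rights. The baseline members, host names, account names and sample output are constructed placeholders.

```python
"""Find workstations whose local Administrators group contains non-baseline accounts.

Added example, not from the original post. Assumes the text output of
'net localgroup Administrators' has already been collected from each host
(for instance by an inventory or logon script); the baseline, the sample
output, the host names and the account names are constructed.
"""
from typing import Dict, List, Set

# Placeholder baseline: members expected on every managed desktop.
BASELINE_MEMBERS = {"Administrator", "CORP\\Domain Admins", "CORP\\Desktop Support"}


def parse_net_localgroup(output: str) -> List[str]:
    """Return the member names listed below the dashed separator in 'net localgroup' output."""
    lines = output.splitlines()
    try:
        sep = next(i for i, line in enumerate(lines) if line.startswith("---"))
    except StopIteration:
        raise ValueError("no member list found in net localgroup output")
    members = []
    for line in lines[sep + 1:]:
        name = line.strip()
        # Skip blank lines and the trailing status line.
        if name and not name.startswith("The command completed"):
            members.append(name)
    return members


def non_baseline_admins(output: str) -> Set[str]:
    """Members not in the baseline; Windows account names compare case-insensitively."""
    baseline = {m.casefold() for m in BASELINE_MEMBERS}
    return {m for m in parse_net_localgroup(output) if m.casefold() not in baseline}


def audit(per_host: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each host to its non-baseline Administrators members; clean hosts are omitted."""
    findings = {}
    for host, output in per_host.items():
        extra = non_baseline_admins(output)
        if extra:
            findings[host] = extra
    return findings


def admin_rights_share(per_host: Dict[str, str]) -> float:
    """Fraction of hosts where a non-baseline account holds administrative rights."""
    if not per_host:
        return 0.0
    return len(audit(per_host)) / len(per_host)


# Constructed sample output in the format printed by 'net localgroup Administrators'.
CLEAN = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Desktop Support
The command completed successfully.
"""

WITH_USER = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\desktop support
CORP\\jsmith
The command completed successfully.
"""

SAMPLE = {"WS-0001": CLEAN, "WS-0002": WITH_USER}

if __name__ == "__main__":
    for host, extra in audit(SAMPLE).items():
        print(host, sorted(extra))
    print(f"hosts with non-baseline admins: {admin_rights_share(SAMPLE):.0%}")
```

The hosts this reports are the candidates for either moving the user to a standard account or routing the specific applications that need elevation through a privilege-management tool, and the share it computes is the figure to track over time against the estimate given above.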

  • 3 Tweets that mention No Security (or Management) Controls are Absolute When Users run as Administrators --   December 18, 2009 at 11:34 am

    […] This post was mentioned on Twitter by Greg Young, Security Geek. Security Geek said: No Security (or Management) Controls are Absolute When Users run as Administrators — […]

  • 4 Doing Things Better With Virtualization   December 22, 2009 at 9:49 am

    […] That’s exactly what IBM has done. IBM has the first commercial implementation of a rootkit detection/prevention offering that works from outside of the virtual machine it is protecting and thus can detect rootkits using introspection even if the rootkit is cloaked to detection from anything running in the same OS container. This is quite useful for protecting hosted virtual desktops running at servers (and where users run as administrators, making any security control running in the same container suspect as I talked about here). […]