I had a discussion with a client this week about their desktop security strategy. They had ruled one vendor out because the vendor wouldn’t guarantee that its security agent couldn’t be disabled by end-users running as administrators. (Ideally, we’d run all users with ‘standard user’ privileges rather than administrative rights, but there are reasons why some organizations continue to give users administrative rights.)
The vendor had basically said something like “While we make it very difficult for a user to disable our product and we provide options to hide these menu choices and commands from users, if the user is running as administrator we cannot guarantee that the user will not figure out a way to disable our software”.
The vendor was correct. Savvy end-users will search the Internet for undocumented or hidden registry settings or utilities that disable the software. This affects every vendor, not just the ones that answer the RFI/RFP honestly. It is another area where virtualization and introspection techniques offer new and interesting ways to implement security controls outside the OS container in which the user holds administrative rights. However, these technologies are only just emerging and aren’t yet mainstream on servers, let alone on enterprise desktops.
In short, there are no absolute security controls when users run as administrators within the same OS container as the security control/agent.