I had a discussion with a client this week on their desktop security strategy. They had ruled one vendor out because the vendor wouldn’t guarantee that its security agent couldn’t be disabled by end-users running as administrators (ideally, all users would run with ‘standard user’ privileges rather than administrative rights, but there are reasons why some organizations continue to grant users administrative rights).
The vendor had basically said something like “While we make it very difficult for a user to disable our product and we provide options to hide these menu choices and commands from users, if the user is running as administrator we cannot guarantee that the user will not figure out a way to disable our software”.
The vendor was correct. Savvy end-users will search the Internet for undocumented or hidden registry settings or utilities that disable software. This affects all vendors, not just the ones that answer the RFI/RFP honestly. This is another area where virtualization and introspection techniques offer new and interesting ways of implementing security controls outside the OS container in which the user has administrative rights. However, these technologies are just emerging and aren’t yet mainstream on servers, let alone on enterprise desktops.
In short, there are no absolute security controls when users run as administrators within the same OS container as the security control/agent.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.