Gartner Blog Network

No Security (or Management) Controls are Absolute When Users run as Administrators

by Neil MacDonald  |  December 17, 2009  |  4 Comments

I had a discussion with a client this week on their desktop security strategy. They had ruled one vendor out because the vendor wouldn’t guarantee their security agent couldn’t be disabled by end-users running as administrators (ideally, we’d run all users with ‘standard user’ privileges and not with administrative rights, but there are reasons why some organizations continue to provide users with administrative rights).

The vendor had basically said something like “While we make it very difficult for a user to disable our product and we provide options to hide these menu choices and commands from users, if the user is running as administrator we cannot guarantee that the user will not figure out a way to disable our software”.

The vendor was correct. Savvy end-users will search on the Internet for undocumented or hidden registry settings or utilities to disable software. This affects all vendors, not just the ones that answer the RFI/RFP honestly. This is another area where virtualization and introspection techniques offer new and interesting ways of implementing security controls outside of the OS container that the user has administrative rights in. However, these technologies are just emerging and aren’t yet mainstream on servers, let alone enterprise desktops.

In short, there are no absolute security controls when users run as administrators within the same OS container as the security control/agent.

Category: endpoint-protection-platform  virtualization-security  

Tags: best-practices  endpoint-protection-platform  information-security  lockdown  virtualization  virtualization-security  windows  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on No Security (or Management) Controls are Absolute When Users run as Administrators

  1. According to me this concept is basically based on the Administrator and users profile. The access rights of both users and admin should be different in a company ant it is depending on the log in information.

  2. Neil MacDonald says:

    Ideally – yes. Users are ‘standard users’ and administrators are administrators. Supporting a multi-user, multi-privileged environment wasn’t always the case with Windows so there are still many applications that require administrative access to run. For remote and mobile power users, administrative rights are needed in many cases for self-support – including software and driver installations as well as privileged activities like renewing an IP address at a hotel.

    Windows Vista and Windows 7 help here with User Account Control, but there are limiatations described in detail in this research note.

    Other third party utilities from Altiris, Avecto and BeyondTrust can also help by elevating applications that require administrative access on exception (also referred to as privilege management).

    Our estimates are that, worldwide, 60 percent of enterprise Windows systems have users configured with administrative rights.

  3. […] This post was mentioned on Twitter by Greg Young, Security Geek. Security Geek said: No Security (or Management) Controls are Absolute When Users run as Administrators — […]

  4. […] That’s exactly what IBM has done. IBM has the first commercial implementation of a rootkit detection/prevention offering that works from outside of the virtual machine it is protecting and thus can detect rootkits using introspection even if the rootkit is cloaked to detection from anything running in the same OS container. This is quite useful for protecting hosted virtual desktops running at servers (and where users run as administrators, making any security control running in the same container suspect as I talked about here. […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.