Windows Security Best Practices

What you and your company should know about account rights!

Administrative Groups and Accounts are for Administrative purposes, such as installing software, making system wide changes, upgrades, and other maintenance tasks that require higher privileges.

Microsoft knows this to be true also. A useful idea/tool is the Drop-My-Rights shortcut maker. This is also a good article to read.

User Groups and User Rights

Giving Users Administrator rights is a death sentence

Improper User rights are one of the biggest security holes in 90% of all the LAN’s we've been called in to audit. From talking to family and friends in the IT field we can also see the same results. Users are allowed to be Administrators of their machines when they should not be. Microsoft's default behaviour is to add the user that set the PC up into the admin's group automatically without question. This should not be so, but it is. The administrator account and group are there for administration purposes only, not for day to day activities.

A virus or any other program for that matter, runs in the context of the user that launched that program, so if your users are logged in as Admin's of their machines, that means a virus or any other program also run's with those privileges.

The IloveYou virus (aka LoveBug, or LoveLetter etc...) came out in 2000, , it was one of the most devastating viri that had circulated in years (well back then). Users and Corporations that followed best practices were hit much less than those that failed to. More recently MyDoom, and Sobig are also viri that are mitigated if users are placed in the group labelled "Users" or "Guests" groups. Again, Administrative accounts and Groups are for Administration only not for day to day activities

Spy-ware and Mal-ware can also sometimes be mitigated if users are running in the lower privileged groups such as the Users or Guests Groups. ActiveX in Microsoft Internet Explorer is a whole other security risk that we will address on a separate page.

This is a great article discussing the up comming full release of IE7, it mentions things like lowering your privileges to help mitigate, as well as M$ turning off certain ActiveX controls. Page 1 and Page 2

Viri and Spy-ware aren't the only threats to your user and PC's

Yes, long before viri were so efficient, there were users, and users still are a danger to themselves and others, especially if they have even a rudimentary knowledge of computers. If your PC's have the same local Administrator password, with your users being Admin's, the local admin password is as good as theirs already. There are plenty of tools out today that allow you to dump the SAM database of the local machine and get any stored or cached accounts on the PC. Worse yet, if your users belong to a domain group, and that domain group is already added to the admin's group, then each user in the domain group is effectively an administrator of ALL machines that include their group in the admin's group. Users could dump other user's SAM databases, or connect to their PC's using the management console or via regedit and do basically anything they want!!

Users can be dangerous, devious, and down right nasty!

If a user has Admin privileges, they can install key-logging software, and Fake Gina's to grab the Domain Admin's Password! There are clever users out-there... by installing a Fake-Gina or key-logger, all one has to do is get an admin to type their password on the keyboard. It's easy to get an admin to logon your machine and see if he/she can tell what's wrong with it... when in fact there is nothing wrong with the PC, you just got one of the admin’s to give you the password they use, because you captured it using a key logger. The pass is plain-text no need to crack, so now the user that "ONLY" had local admin right's likely has Domain Admin rights now! Good Job!

In addition to key loggers there are many unapproved programs that IT Admin’s would not like to be in their users PC's such as P2P programs like Napster, Kazaa or the hundreds of their ilk. Many corporations have a standard PC build image they'd like to maintain, and giving users Admin rights is a great way to foul that up.

Patching and Scanning

In this day and age, you must keep up to date with the latest hot fixes and patches. This should also go without saying.

It is staggering how many organizations and people at large do not keep their systems anywhere near patched and updated enough. Windows systems are major target, and an easy one at that. Microsoft has made the claim that hackers and virus writers are reversing the patches that Microsoft releases so they can spot an exploit and take advantage of unpatched systems. While it is safe to assume this is and has been happening, Microsoft claims that 99% of viri and exploits for software like IIS are being written using these methods.

We here are Xinn.org aren't the only ones advocating lower privileges, it's been done for years, however in recent months IT personnel are trying to drive the point home. Recent articles in Eweek: Part1 Part2

It's also sad to see a list as long as this for programs that Microsoft is aware of, that do not run correctly unless you have administrator rights. Even their OWN software!! Microsoft Knowledge Base Article