Removing Admin Rights Key to Stopping Microsoft Vulnerabilities

By | Managed Services News

Mar 24

Most organizations do not have the staff or experience to remove administrative rights.

A record number of Microsoft vulnerabilities were discovered last year and most could have been mitigated by removing administrative rights.

That’s according to BeyondTrust’s new Microsoft Vulnerabilities Report, which includes an annual breakdown of security vulnerabilities facing organizations today, as well as a five-year trends analysis aimed at better equipping organizations to increase their IT security, and keep networks and systems safe.

Morey Haber, BeyondTrust’s CTO and CISO, tells us it’s a safe assessment that most organizations do not have the staff or experience to remove administrative rights, implement least privilege and report on risks accordingly.

BeyondTrust's Morey Haber


“In general, most businesses lack the IT/IS staff to get all of their risks under control, period,” he said. “The report highlights the benefits of when administrative rights can be removed and if a business cannot do it themselves, leveraging an MSSP with experience across multiple organizations provides a robust strategy to realizing the benefits highlighted in the report.”

Now in its seventh edition, this year’s report identified the following highlights:

  • In 2019, a record-high 858 Microsoft vulnerabilities were discovered.
  • The number of reported vulnerabilities has risen 64% in the last five years (2015-2019).
  • Removing administrative rights from endpoints would mitigate 77% of all critical Microsoft vulnerabilities in 2019.
  • All critical vulnerabilities in Internet Explorer and Microsoft Edge would have been mitigated by removing administrative rights.
  • Eighty percent of critical vulnerabilities affecting Windows 7, 8.1 and 10, and Windows Servers would have been mitigated by removing administrative rights.

Further analysis shows that, on average over the last five years, 83% of all critical vulnerabilities published by Microsoft could have been mitigated by security teams removing administrative rights from users, according to the report.

“Most organizations are not removing administrative rights due to FUD (fear, uncertainty and doubt),” Haber said. “They are under the impression everything will break and [the] end user will revolt if they do. In addition, they may be unaware of the security benefits they gain if they do. So most organizations continue to make the same mistakes they have done in the past and even follow obsolete security guidance of providing users two accounts: one as a standard user and one as a local administrator. The truth is, there are tools to solve this problem – even within the native OS – that make the removal of administrative rights possible. IT/IS teams just need to learn how to do it safely and without impacting productivity.”

Removing administrative rights is a top priority, and even analyst firms like Gartner have been recommending privileged access management as a CISO top priority, he said. It is up to the business to embrace the concepts, and implement technology and procedures to overcome the challenges. Therefore, it is not a matter of priority, but rather just getting it done, Haber added.

“Threat actors are always searching for the easiest method to exploit a resource,” Haber said. “The vulnerabilities themselves may be trivial, but if a threat actor can gain administrative rights through exploit code, phishing or even poor credential management, they will compromise an asset. Therefore, it is in the hacker’s best interest to find any method possible to hack a system and then leverage credentials to continue their activity.”

There has been a slight decrease in the number of vulnerabilities that can be mitigated through the removal of administrative rights, he said. In addition, key applications also are highlighted and prove that if they are not executed with administrative rights, document vulnerabilities also are mitigated. This is yet another reason people should not …
