The Best Tool for the Job when the Job does
Lieberman, CEO Lieberman
Recently we received an inquiry from a major customer that described a
scenario where they wanted their end-users to be able to run arbitrary
(from a controlled list) programs as an administrator without the need
for administrator credential disclosure.
I thought users did not need administrator access anymore…
What made this call so interesting is that for the past 5 years, we and
other software manufacturers have been modifying our products to
eliminate the requirement for administrator credentials to run our
applications. From our perspective, we have seen very little need for
end-users to ever have access to administrator accounts for their local
machines except in emergency situations (i.e. safe-mode repairs).
More than just applications…
In doing further research we discovered that
the core problem was not only applications, but that they needed users
to do things like: change the clock time, change the IP address,
install device drivers, and other day-to-day things that require
administrator privileges in Windows XP. Thinking through the
requirements, it occurred to me that this customer’s needs were
primarily the result of the IT department being overwhelmed with
support costs caused by their use of Windows XP.
The plot thickens…
When I asked what platform the client was running, they said they were
moving over to Windows 7. Fortunately in Windows 7, all of the
day-to-day configuration and installation tasks that previously
required administrator access in Windows XP are now user level
privileges that no longer need an admin account. Going further, just
about all applications written or revised over the past 5 years also no
longer require administrator privileges.
One recurring theme I have been pushing to our enterprise customers is
to upgrade to Vista or Windows 7 because of their superior architecture
and vastly improved security. Strangely enough, the improved security
means that users no longer need administrator accounts, and in many
cases, anti-virus software is no longer absolutely required (you have
to have protection software installed in Windows XP).
So where are we?
In the case of the client who wanted to provide escalation of users to
an administrator using a third party add-on, I am not sure why they
would want or need this capability. My best guess is that they are not
familiar with the evolution of software security over the past five
years, nor are they familiar with the improved security and lower IT
TCO of the operating system they are migrating to.
When the unnamed client above deploys Windows 7, their clients will
stop calling the IT help desk to do the routine administrator-only
account tasks, and they will no longer need to worry about applications
that run as administrator. Yes, Microsoft fixed this shortcoming in
Legacy Product Vendors: A very fine business for XP users...
For the vendor that makes transparent user escalation software, there is
still a market among customers that continue to use XP. This is the same
market that will continue to yield vast rewards for ISVs that provide
them with mandatory anti-virus and anti-malware solutions. Organizations
that make the leap to Windows 7 will find a simpler, more secure, and
lower cost platform that no longer needs add-ons to cover the mistakes
and limitations of older operating systems.
A little plug for our solutions!
You still need to randomize those common
administrator accounts in Windows 7 and provide appropriate delegated
access to those that need it in emergencies. Even in Windows 7 and
Vista, you still need our products to manage privileged identities.
However, users will rarely need to access their local administrator
account on these new and more secure platforms.
What do you think? Feel free to write me directly: Phil@liebsoft.com
Tip of the Month
Enterprise Random Password Manager: Recovering Local Passwords
Recovering your local account passwords with the ERPM/RPM Software
Development Kit takes only a few simple steps. See how to do it in
under three minutes in this new webinar.
- Oracle Partner Video
Philip Lieberman Discusses how Lieberman Software and Oracle are Working Together to
Secure Large Enterprise Environments in this 2:44 video.
- We have
implemented a number of Technology Integrations over the past few
months. Want to know more? Visit our Technology
Launches / Podcasts
- Whitepaper: Who Holds the Keys to Your IT
Kingdom? This guide examines four key steps necessary to
secure an organization's privileged identities. It describes basic,
manual and ad-hoc processes that can improve control over privileged
access along with automated alternatives to further reduce the risks of
data breaches and operational disruptions while improving staff
efficiency and management oversight.
/ Press / Analysts
Did you know? You can now follow us
us at the RSA Conference
March 1-5 at Moscone Center in San Francisco, CA. Stop by our booth #
1033. Use the following code to register
for a complimentary Expo Only Pass:
- Visit us at the Microsoft Management
Summit: Las Vegas, NV. April 19-23, 2010
- Network World, February 2010: Credit card data
security: Who's responsible? In this article, Philip
Lieberman argues that last year's data breach at Heartland was less the
fault of the company and more the result of the lack of smart card
technology that credit card issuers refuse to issue in the United
Magazine, February 2010: Microsoft Reports Bug
in Web Security Protocols. "This type of bug/limitation is not
particularly surprising given that this type of exploit requires that a
hacker have a very high technical capability as well as the ability to
tap into secure network sessions," Lieberman said. "It is an
interesting technical exploit, but not particularly likely."
Reading, February 2010: Database
Account-Provisioning Errors A Major Cause Of Breaches. "They
have to ask themselves the question, 'Where do we have accounts? Tell
me all of the places where we have accounts and tell me all the things
they use these accounts for?'" says Phil Lieberman of Lieberman
Software, which specializes in privileged user management.