Executive Summary: You can limit risks from administrative users. There's no perfect answer, but these strategies can help:
Logging on to a computer as an administrator for everyday use is never a good idea. It won’t be long before the computer slows to a crawl, begins to exhibit strange behavior, or stops working altogether. Sound familiar? But for some users, running as an administrator is unavoidable. One common example is that of field engineers. These users can be a security risk to your entire network and often require additional support to fix problems they cause by making unwanted changes to system configurations. How can you limit the risks these users pose, reduce the amount of support they require, and provide them a stable and reliable system? There may be no perfect answer, but below is a list of possible strategies that we’ll discuss in turn:
- Use desktop virtualization to run an OS under an administrator account in a sandbox environment by using VMware products or Microsoft Virtual PC.
- Run Windows Vista with User Account Control (UAC) enabled.
- Give the user an administrator account, but use Group Policy to restrict access to selected configuration options, and run Microsoft Internet Explorer (IE) and Microsoft Office applications with a restricted access token.
- Re-image machines on an as-required basis.
Using Virtualization to Create a Sandbox Environment
Virtualization provides the user with a stable and secure host system (i.e., the OS on which VMware or another virtualization application is installed) for checking email and working with standard business applications and an OS running in a virtual machine (VM) for performing tasks that require administrator privileges. Users can work with an administrator account on the VM, make as many changes to the system as they need to, and when everything is completed, roll the system back to a known state.
Virtualization solutions provide the ability to seamlessly integrate with the hardware of the host device. For instance, the network card on the guest OS (the OS installed on a VM) can be bridged to the network card on the host to provide transparent access to the physical network as if the two were directly connected. An engineer should be able to install software, connect to other devices on the physical network, troubleshoot connectivity problems, and perform almost any function necessary on the VM as if it were the host machine. USB devices can be connected as if directly to the guest OS, and direct access can also be given to the CD-ROM/DVD drive on the host. Files and folders can be dragged from the host to the guest system, alleviating the need to set up mapped network drives.
Let's look at a scenario involving the previously mentioned field engineer. She needs to join a laptop to a client's Active Directory (AD) domain, modify network adapter settings, and install a piece of software to connect to the client’s PBX to troubleshoot a problem. A standard user in Vista can't complete any of these tasks without elevating privileges, and even if the user could elevate privileges, making such changes on a regular basis could result in no end of headaches for the user and for IT support.
With access to a VM, the engineer can perform these tasks without modifying the configuration of the host laptop. After the VM is joined to the client’s domain, the engineer can install software and hardware, and modify any OS setting as necessary. When the engineer returns to the office, the laptop rejoins the corporate domain without any problem, and none of the work carried out at the client’s site leaves problems behind on the host.
For the purposes of running a VM on end users’ machines, you might consider a few options, each with different cost and functionality implications:
VMware Workstation. The most advanced of the VMware products discussed here, VMware Workstation can be used to create and configure VMs and make multiple snapshots. Support for serial and parallel ports is also provided, although limited in the case of the latter.
VMware ACE. VMware ACE lets you create pre-defined VMs, which can be packaged and deployed to end-user workstations to provide secure and isolated environments. For instance, a remote worker could run an ACE package on a personal home computer or laptop with access to the corporate network without compromising security policies. VMs can be managed with VMware ACE Management Server.
VMware Player. VMware Player is a free, stripped-down version of Workstation that lets you run pre-created VMs without the ability to make snapshots or roll back to previous states. None of the advanced configuration settings are available while running a VM using VMware Player.
VMware Server. VMware Server is a free product with many of the same features as VMware Workstation but notably not the ability to create multiple snapshots. However, you can roll back to a previous state, which might be a key factor in choosing between VMware Server and Player, depending on your needs.
Microsoft Virtual PC. Virtual PC is a free product from Microsoft that's similar to VMware Workstation. It doesn’t have the ability to create multiple snapshots, and performance is generally slower than Workstation.
We'll focus on VMware Workstation 6.0 to create and configure new VMs, as it’s the most commonly used solution. The principles are the same if you decide to use VMware Server.
Configure Networking in VMware
When you install VMware, several virtual network adapters are added to the host machine to provide network integration between host and guest. Take a look at the networking properties for the LAN/WAN card on your machine and you’ll see VMware Bridge Protocol installed on the General tab, which Figure 1 shows. After you install the guest OS on a VM, you should install VMware Tools to provide necessary drivers and to improve performance.
- When the VM is powered on, simply select Install VMware Tools from the VM menu and follow the instructions.
- Reboot after the process has finished.
The two most useful options in VMware for configuring network integration are bridged and host-only. Bridged networking allows the guest to appear as an additional machine on the same physical network to which the host is connected. Host-only networking creates a private network between the host and guest, with the guest having no access to physical machines that are connected to the same network as the host. Host-only networking can be useful for isolated testing where there might be some risk to the physical network, but for our purposes, we want bridged networking. To bridge the network card on the guest to the host machine’s network card, follow these steps:
- Highlight the VM in the VMware Sidebar or select the VM’s tab, then choose Settings from the VM menu.
- On the Hardware tab in the Virtual Machine Settings dialog box, which Figure 2 shows, select Ethernet under Device. Ensure that Connect at power on is selected. Select Bridged under Network connection, and click OK.
- Power on the VM and configure the network card of the guest as you would the card of any physical machine connected to the network. Most likely you’ll configure the guest to use DHCP so that it is assigned an IP address.
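The networking choices made in the steps above are persisted as key/value lines in the VM’s .vmx file, which makes them easy to audit across many VMs. The following PowerShell is an added example, not VMware’s own tooling or code from the original article; the sample .vmx text is constructed, and the function is hypothetical.

```powershell
# Added example (not from the original article): report the network connection
# type of each virtual adapter defined in a .vmx file, so you can confirm that a
# field engineer's VM is bridged (on the physical LAN) rather than host-only.
function Get-VmxNetworking {
    param([string[]] $Lines)
    # A .vmx file is a flat list of  key = "value"  lines; collect them all.
    $cfg = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([\w.:]+)\s*=\s*"(.*)"\s*$') { $cfg[$matches[1]] = $matches[2] }
    }
    # Every adapter has an ethernetN.present key; derive the adapter names from it.
    $adapters = $cfg.Keys |
        Where-Object { $_ -match '^ethernet\d+\.present$' } |
        ForEach-Object { $_ -replace '\.present$', '' } |
        Sort-Object
    foreach ($nic in $adapters) {
        $type = if ($cfg.ContainsKey("$nic.connectionType")) { $cfg["$nic.connectionType"] } else { 'unspecified' }
        [pscustomobject]@{
            Adapter          = $nic
            Present          = ($cfg["$nic.present"] -eq 'TRUE')
            ConnectionType   = $type            # bridged, hostonly, nat or custom
            ConnectAtPowerOn = ($cfg["$nic.startConnected"] -eq 'TRUE')
            OnPhysicalLan    = ($type -eq 'bridged')
        }
    }
}

# Constructed sample: adapter 0 is bridged as the steps describe, adapter 1 is
# host-only and therefore cannot reach the client's physical network.
$SampleVmx = @'
config.version = "8"
displayName = "FieldEngineer-Lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.startConnected = "TRUE"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet1.startConnected = "TRUE"
'@ -split "`r?`n"

Get-VmxNetworking -Lines $SampleVmx | Format-Table -AutoSize
# To audit a real VM: Get-VmxNetworking -Lines (Get-Content 'C:\VMs\Engineer\Engineer.vmx')
```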
Configuring Snapshots in VMware
The ability to roll back to a known state is important if changes have made the guest VM unusable, if you need to remove any security vulnerabilities introduced from connecting to a customer’s network, or simply to let the user work with a clean configuration. The ability to roll back to a previous state is provided by Snapshots in VMware.
After the guest system is configured as needed, create a snapshot by right-clicking the VM in the Sidebar and selecting Take Snapshot from the menu. Give the snapshot a name (e.g., Base) and a description, if necessary, then click OK. VMware will take a snapshot of the VM’s current state in the background. You can then make changes to the VM. If you want to roll back to the snapshot you’ve just created, right-click the VM in the Sidebar and select Revert to Snapshot from the menu. You will then be presented with the option to roll back to the most recent snapshot created.
Disadvantages of Virtualization
Virtualization might seem like a great solution to the problem of letting a user run as an administrator while restricting the amount of permanent damage he or she can create. However, virtualization does have drawbacks.
VMware Workstation isn't free. However, it provides the most functionality among the currently available products. Virtual PC and VMware Server and Player are free and can run VMs on users’ machines.
A license is required to run an additional copy of Windows on a VM. An exception is Windows Vista Enterprise Edition, available to Volume License customers, which lets you run up to four instances of Vista (on the same machine only) using any virtualization product.
Extra hardware resources might be required to run a VM. I’d suggest an additional 512MB of available RAM per VM for acceptable performance. Don’t forget about the extra disk space as well, to store the file that contains the virtual drive for each VM.
Keeping VMs updated (e.g., with patches and antivirus) can be a challenge. Don’t forget that VMs might not be powered on very often, and when they are, automatic updating systems need time to catch up, leaving the system temporarily exposed. One potential solution is to leave VMs running invisibly in the background. Whether this is possible depends on the virtualization product you choose and on your available hardware.
VMware ACE provides a network quarantine feature that enables administrators to restrict access to the network, based on the VM’s build version. You still need to use traditional update services such as Windows Server Update Services (WSUS) or Microsoft Systems Management Server (SMS) in conjunction with ACE.
Vista and UAC
If UAC benefits anyone, it’s home users who typically would have had little choice but to run as an administrator pre-Vista. UAC provides significant advantages in the area of security, even if users might find UAC somewhat annoying. UAC is designed to prevent unwanted changes that could prove to be a security risk and to help enforce the principle of least privilege. For more information about least privilege, see "Get the Most from Least Privilege" (http://securityprovip.com/article/articleID/47174/47174.html). UAC doesn’t give the same isolation that a VM provides. Although UAC is a welcome improvement in Vista, it potentially allows users to make changes to their machines that could render them unusable or infect them with a virus or malware.
In Vista, when UAC Admin Approval Mode is enabled, an administrator has to approve all system-level changes either by giving consent or by providing appropriate credentials. If this setting is disabled, UAC is effectively switched off for administrative users.
You can configure UAC consent or credential confirmation by using Group Policy. In the Group Policy editor, go to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Select Behavior of the elevation prompt for administrators in Admin Approval Mode. Two settings, Prompt for consent and Prompt for credentials, determine whether an administrator needs to enter a username and password or simply confirm whether the process elevation should be allowed. Which setting you choose will probably be determined by how often elevation is likely to be needed and the competency and trustworthiness of the user.
It's also possible to pre-approve a set of selected applications to run with elevated privileges by using public key infrastructure (PKI) digital certificate validation. If this UAC feature is enabled, you might consider changing the Behavior of the elevation prompt for administrators in Admin Approval Mode setting to Elevate without prompting because only applications that can be validated as trusted will be allowed to run.
File and registry virtualization, which is part of UAC, might allow legacy applications to run as a standard user without the need for any workarounds. If that fails, you might resolve such compatibility problems by using the Microsoft Application Compatibility Toolkit to deploy application compatibility shims. For more information about how UAC works, see “Windows Vista’s Take on Least Privilege” (http://securityprovip.com/article/articleID/93300/93300.html).
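The three UAC settings discussed in this section (Admin Approval Mode, the administrator elevation prompt, and signed-code validation for elevation) are written by Group Policy to registry values under the local machine’s Policies\System key. The following PowerShell is an added example, not code from the original article; it reads those values and flags the combinations the text warns about. The function name is hypothetical.

```powershell
# Added example (not from the original article): audit the registry values that
# back the UAC policies described above. Reading this key needs no elevation.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin. 0-2 are the Vista RTM values;
# 3-5 were added in later Windows versions.
$AdminPromptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPosture {
    # Returns the effective UAC configuration plus a list of findings. When a
    # value is absent the OS default applies; the Vista defaults are assumed here
    # (EnableLUA=1, ConsentPromptBehaviorAdmin=2, ValidateAdminCodeSignatures=0).
    $p = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 2 }
    $requireSig  = if ($null -ne $p.ValidateAdminCodeSignatures) { [int]$p.ValidateAdminCodeSignatures } else { 0 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'Admin Approval Mode is disabled: UAC is effectively off for administrators.'
    }
    # Silent elevation is only defensible when signed-code validation is also on,
    # as the text notes; otherwise any executable the user launches can elevate.
    if ($adminPrompt -eq 0 -and $requireSig -eq 0) {
        $findings += 'Administrators elevate without prompting and unsigned executables may elevate.'
    }

    [pscustomobject]@{
        AdminApprovalMode      = ($enableLua -ne 0)
        AdminPromptBehavior    = $AdminPromptNames[$adminPrompt]
        RequireSignedElevation = ($requireSig -ne 0)
        Findings               = $findings
    }
}

Get-UacPosture | Format-List
```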
Using an Administrator Account with Restrictions
If using VMware or a similar product isn’t possible or desirable, you can grant the user administrator privileges and apply some restrictions to try to limit the damage. In the case of a field engineer, you probably won’t be able to apply many restrictions without crippling the engineer’s ability to work. You don’t want to receive calls from an engineer at a client site complaining about not being able to perform a certain task because of restrictions the IT department has imposed. So what can you do? Here are some suggestions.
- Use Group Policy to set the startup type for each service. For instance, configure a Group Policy Object (GPO) that sets the startup type for all crucial services to Automatic. Then if a user or malware stops a particular service, Group Policy processing should ensure the service is re-enabled.
- Use software restriction policies to run applications with a restricted access token. Running applications such as IE and Microsoft Office Outlook as an administrator is the best way to open up your machine to infection by a virus or other problem. You can log on as an administrator but run selected applications with fewer privileges by using software restriction policies, greatly reducing the chances of infection or unwanted changes. For more information about software restriction policies, see “Stay Safer with Software Restriction Policies” (http://securityprovip.com/article/articleID/94876/94876.html).
- Use Group Policy to restrict access to Microsoft Management Console (MMC), regedit, and Task Manager. Be aware that if these applications aren’t allowed to run, the user will be locked out from changing many configuration settings. However, a savvy user will be able to download and install another registry editing tool to circumvent this restriction.
- Make sure System Restore is enabled and that the user knows how to use it should a rollback be required.
- If a user needs to install software but not change the system configuration in general, it might be possible to use Group Policy to configure a comprehensive lockdown of the machine and let the user run as an administrator.
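The first and third suggestions above (services pinned to Automatic by Group Policy, and regedit, Task Manager and MMC restricted by policy) can be checked from the machine itself. The following PowerShell is an added example, not code from the original article; the list of crucial services is a constructed sample, and both function names are hypothetical.

```powershell
# Added example (not from the original article): report drift from the service
# startup policy and check whether the lockdown policies are in force for the
# current user. Replace the sample list with the services your GPO manages.
$CrucialServices = @('EventLog', 'wuauserv', 'WinDefend', 'MpsSvc')   # constructed sample

function Get-ServiceDrift {
    param([string[]] $Names = $CrucialServices)
    # A service that a user or malware has stopped or set to Manual/Disabled
    # shows up as Drifted; Group Policy refresh should restore it, but this
    # tells you what changed in between refreshes.
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; StartMode = 'Missing'; State = 'Missing'; Drifted = $true }
            continue
        }
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Drifted   = ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running')
        }
    }
}

function Get-LockdownPolicy {
    # Values written by the "Prevent access to registry editing tools",
    # "Remove Task Manager" and "Restrict users to the explicitly permitted
    # list of snap-ins" user policies. A missing value casts to 0 (not set).
    $sys = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $mmc = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\MMC' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegeditBlocked       = ([int]$sys.DisableRegistryTools -gt 0)
        TaskManagerBlocked   = ([int]$sys.DisableTaskMgr -eq 1)
        MmcSnapinsRestricted = ([int]$mmc.RestrictToPermittedSnapins -eq 1)
    }
}

Get-ServiceDrift | Where-Object { $_.Drifted } | Format-Table -AutoSize
Get-LockdownPolicy | Format-List
```

As the text notes, a blocked regedit only stops the built-in tool; the report above shows whether the policy is applied, not whether the user has found another editor.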
You could also consider giving the user two accounts: one with administrator privileges and one with standard user privileges. However, don’t expect the user to log on with the standard user account for everyday activities if you also supply an administrator account. Chances are the user will log on as an administrator all the time to avoid switching between the two accounts.
The final option is to give users complete access to the system but re-image the machine on an as-required basis. Not all organizations have the means to do this, but for those that can, re-imaging might be a viable option. From a security standpoint there is little protection for these users. When the machine has a problem, whether it be security related or not, re-image the machine.
However, re-imaging isn't always as simple as it sounds. Often users with unrestricted access to their machines store data in various places on the hard drive. Even if a machine has a partition for system files and one for data, field engineers or other users might use the system drive to store data about clients, make copies of CD-ROMs, and keep their wedding photographs. Before re-imaging, you need to make sure that all this data is backed up. The real problem is not backing up this data but identifying what data is where. Don’t expect the user to know the answer to this question.
The Preferred Solution
Granting users administrator access to their workstations creates an unavoidable minefield of problems for which there is no ideal solution. You can only limit the risks, not eradicate them. My preferred solution for providing flexibility to users, while maintaining security and supportability for critical line-of-business applications, is to utilize virtualization on the desktop. In large corporate environments, VMware ACE can be used to deliver and maintain security for pre-packaged VMs. Windows Vista Enterprise Edition also provides advances in terms of licensing, where previously it might have been cost prohibitive to run more than one Windows OS per machine.
Virtualization provides a mature solution with two (or more) clear layers of operation where differing policies can be applied. The other solutions provide only a limited implementation of least privilege or have shortcomings that make them less than ideal. Your final decision will depend upon what kind of changes users need to make to their systems and how often.