I am from Intel IT Automation. I’ve been involved with server operations for quite a while now, and for those of you with a background in Linux, granting super user (or administrator) privileges to a non-privileged account is not a new concept. Linux (and UN*X) variants have long implemented “sudo” to granularly grant root access for specific tasks to specific users. Many Linux-based datacenters employ this form of privilege management as opposed to granting full root access. This is true for system and application administrators alike.
For a very long time this has not been the case for other mainstream enterprise operating systems. Granularity of control was not there. As a consequence, many IT organizations opt to grant full administrative privileges to individual servers as needed. Side effects of such management include loss of accountability and of change tracking, not to mention exposure to Intellectual Property (IP) risks. For example: as the server administrator, with full privileges, I can theoretically access any file or database which resides on the system, making enforcing IP guidelines extremely difficult if not impossible. We are then left relying on the “Honor System” until something goes wrong. That’s like giving the cable technician the keys to your home just because you don’t want to wait around from 8am-5pm for them to show up. I don’t know of anyone who would do that. However, would you give your keys to your neighbor, to feed the cats, while you are on vacation? What if they forgot to lock the front door? Not a malicious act, but it could have a bad outcome. I give that analogy because human nature wants to trust familiar people. We fail to recognize threats within non-malicious scenarios. Many people do not take into consideration that malicious applications can use system vulnerabilities to gain access to systems by assuming the identity of innocent user accounts. If those accounts happen to have full admin privileges without any roadblocks, then so do the applications.
Third-party vendor solutions have matured to a point where there are multiple enterprise solutions which provide what’s known as “Least Privilege Management”. Least privilege management does for application control what the firewall does for network traffic. User Access Control (UAC), the most basic form, was introduced in a few operating systems over the past few years. It requires one to confirm core system changes with an administrative password, thus preventing unintentional changes by the administrator. Today, security-conscious Fortune 500 companies have spurred a new security industry boom, inspired by least privilege management. Many third-party solutions today incorporate UAC policies, where one can specify which applications can be run by which groups of users (including which command line options are allowed), provide logging and auditing mechanisms, and offer the ability to turn an audit report into a policy for fast turnaround, making policy creation relatively painless and non-intrusive.
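The granular sudo grant described in the first paragraph, and the per-group application and command-line-option policy with an audit trail described just above, can both be expressed in a sudoers policy. This is an added illustration, not configuration from Intel IT or from any vendor product; the group name dbadmins, the PostgreSQL paths and the I/O log directory are assumed sample values.

```sudoers
# Weak setting (the "full root access" the text warns against): any member of
# dbadmins may run any command as any user. Left here commented out for contrast.
# %dbadmins ALL=(ALL) ALL

# Granular setting: name the exact tasks, including their arguments. sudo matches
# arguments literally, so "systemctl stop postgresql" or "tail -n 200 /etc/shadow"
# is not covered by these aliases and is refused.
Cmnd_Alias DB_SERVICE = /usr/bin/systemctl restart postgresql, \
                        /usr/bin/systemctl status postgresql
Cmnd_Alias DB_LOGS    = /usr/bin/tail -n 200 /var/log/postgresql/postgresql.log

# Members of dbadmins (sample group) may run only the listed tasks, as root only.
# NOEXEC stops the permitted program from launching further programs, which closes
# the common escape of a pager or editor spawned from an allowed command.
%dbadmins ALL=(root) NOEXEC: DB_SERVICE, DB_LOGS

# Audit trail for that group: every sudo invocation is logged via syslog, and the
# session's terminal output is recorded under the assumed iolog_dir for review.
Defaults:%dbadmins log_output, iolog_dir=/var/log/sudo-io
```

Validate the file with `visudo -cf <file>` before installing it under /etc/sudoers.d/, since a syntax error in sudoers can lock administrators out of sudo entirely.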
To sweeten the prospect of securing our systems, Gartner (in “Making the Most of Windows 7 Security”, Dan Blum, August 2010) has correlated locked-down systems with reduced management costs. Obviously, in the short term there will be some getting used to this new mode of administration, and I expect a small increase in overhead, so it may not seem cost effective at first. However, eventually users will get used to the mode of operation as they did to firewalls. The added security and locked-down features will eventually offset this overhead.