On Elevating Users

Graham Gilbert wrote what I think is a really good post about end user security: A pragmatic approach to endpoint security, which echoes a lot of the things I’ve been seeing the last few years, in particular, dealing with the need for elevated rights. While it’s all well and good to say “no admin rights”, the problem is, if you don’t have the infrastructure and ability to really support that, and almost no one really does, then you either severely limit the ability of users to do, well, user things, or you spend a lot of time on silly workarounds, such as the one Graham points out.

Look, if you’ve built an automated system that lets users get “temporary” admin privs, (which are often defeated by the most ridiculous and simple means. For example, on windows, just pop an admin powershell window and leave it open. I’ve seen that extend “you get temp admin rights for n hours only” into days and weeks with ease), and all they have to do is ask, then effectively, you have given them admin rights. You have just added a hoop to jump through and called it “security”. If I can get admin rights and install software, well, most of your security, at least at the machine level, is gone. It’s the silliest of feelgood measures.

It just doesn’t make sense. As Graham says, if you’re tracking what users do, AND reviewing it, (which again, while the tracking is effortless, the reviewing is not, so guess what doesn’t happen much), when they have “temp” admin rights, then why not just do that all the time and get rid of a system that doesn’t do as much good as you claim it does. I will disagree with Graham on the “give yourself admin rights forever” bit, there’s ways to stop that, but again, if there’s workarounds to keep admin rights for as long as your machine doesn’t force a logout or a reboot, then you don’t even have to do that much. Just fill out the form, pop the window that keeps admin-level processes running and forget about it until you have to reboot or log out.

He also brings up a great point on updates. Keeping current on OS versions and updates is the easiest way to avoid vulnerabilities, yet over and over, you see where third-party “protection” tools (CYLANCE) are the worst things in the world because they force you to delay updates until they bless them. Call me kooky, but I kind of trust Apple/MS/RedHat/etc. more on things than a company deciding it knows platform security better than the people actually making the platform. (Do not get me started on Cylance, what a shitpile that is.)

His point on config management is dead on as well. If you’re going to spend the time and effort for device management, (and you absolutely should), then ongoing config management should be a part of that. As well as actual log/user analysis, and not just when “something happens”. Yet I still see Mac (and other platform) admins trusting ad hoc scripts and home-built scheduling tools more than stuff built by people who literally live and breathe that world every day. Why? Right now I’m having to build installer scripts when SCCM is RIGHT THERE and I want to WEEP at the waste of all the time and effort I have. If you’re doing endpoint management/user support, I will guarantee you have more than 24 hours of work due on any given day. Don’t waste time with feelgood bullshit.