Reasons to limit computer admin rights.

July 2nd, 2009

When I started at UMW, as Director of IT Security in 2007, I had planned to remove computer administrative rights from staff, because they are more likely to access sensitive data, but continue with faculty having full control of their computers. My viewpoint aligned with VITA’s policy as well. Since that time both VITA and I have changed our minds. VITA explicitly removed the faculty exemption in June of 2008. At first I didn’t agree with their decision to limit a professor’s computer access, but now I do.

The Conficker/Downadup worm did a number on UMW, and it is probably still doing damage. Infections spread through departments across sections of  the network. There were over 100 known infections and it took DoIT, myself included, over 3,000 staff hours from mid November 2008 through April 2009 to attempt to clean some of these machines. I used to be very confident in my ability to remove viruses, but this worm is very insidious and it installs various other pieces of malware. Part of Conficker’s business model is to get a fee for each instance of malware it installs for clients. Machines of which I was certain were clean would then be reported by REN-ISAC as still containing malicious code.

Viruses have become more sophisticated. In fact, there is malware that can infect the BIOS which means wiping the drive has no effect. What is the best defense against such an attack? Don’t give it the ability to install in the first place. Anti-virus software alone is not enough because the code writers will just tweak the software until the latest definitions can be bypassed. Not surfing the ‘net or reading e-mail with administrative rights is the best protection, and if only everyone would color within the lines of that limitation.

That being said, I completely agree with UMW’s mission and I do not want to stifle academic freedom, especially being an adjunct for three semesters. I worked on several ways to attempt an alignment between security and convenience. You may have seen this page which allows the Help Desk to remotely do administrative tasks, avoiding the need for someone to make a trip to, or from, George Washington Hall.

Another option that I recommended was virtualization. One could have a virtual machine to use as a sandbox and have complete admin rights to it. An argument against that was “Couldn’t that still allow an infected machine on the network?”, and the answer is “Yes”. However, a virtual machine would not be a ‘member’ of the network and should not have the same access to sensitive resources, such as Banner, as a domain machine, and passwords on the VM should not match production passwords. VMs don’t usually run all the time and are often shut down reducing the spread of infection. Infected VMs are easier to replace than infected hardware and the non-physical BIOS can easily be cleaned.

Virtual machine snapshots allow one to return the VM to a known state. I use this technique when research, as a certified ethical hacker, is likely to take me to malicious sites. When done I revert to the previous point and all changes in the VM, including malware, are completely removed. If teaching a class, and encountering an obstacle requiring admin rights, a professor could install the needed application into a virtual machine, that is if assistance from DoIT was not readily available. Faculty at CGPS do not have local admin rights on any of the lab/classroom machines and virtualzation is used often by both students and professors.

The ‘admin rights for faculty compromise’ that DoIT came up with was to create local admin accounts for those requesting such access and demonstrating a need for this capability. This compromise is still a violation of VITA policy, but an exception could be made.  However, my experience has seen little understanding from that organization. Anyway, a local admin account could be used with RunAs to launch programs in the context of a computer administrator. A technique I used for years at the State Dept. was to run a CMD prompt as an admin and programs launched from that window would inherit the needed privileges. I was able to work around every perceived need to ‘log in’ as that account and only used the credentials within the context of my ‘regular user’ login. Web browsers can be launched temporarily solely for the purposes of installing plugins and extensions, for example.

Members of the UMW community have had personal credit card numbers stolen by ‘web browser hijackers’ and fraudulent purchases have been made, even as far away as Mexico. If UMW continues to follow the pre-2008 local admin policy then it is only a matter of time before significant quantities of personal information are compromised.

The decision to remove local admin rights is not a ‘control’ issue, it is a safety precaution.  There was once a time when many of us didn’t have anti-lock brakes, air bags, or even seat belts in our cars, but now we want them, expect them, for our safety and the protection of those riding in our vehicles.  Not using a computer as a local administrator helps protect not only our own computer and data, but also those using the network along with us.

Secunia Personal Software Inspector

May 23rd, 2008

One of the things that I like about Blink is that it has a built in vulnerability assessment tool. However, it reported several false positives on my home machine and the software requires purchase after one year.

Secunia has both commercial tools and free tools that search for software that needs updating on a computer. One of the free versions, for personal use, is called PSI (Personal Software Inspector). PSI doesn’t just look for files that need patching, it is also nice enough to let you know that there is a newer version of installed software and even if software has been EOL’ed (end of life). Of course, the utility has to have information about installed software to keep customers up to date. The application has a “Missing software?” feature so that data about programs can be uploaded to Secunia’s databases.

I’m impressed. Several problems were found on my computer and there was a button for each item that linked to a download to help resolve the issue. By default, PSI only shows “easy to fix” problems but that mode can be turned off. Several other things needed to be fixed and a couple of them were, as indicated, not easy to resolve. For example, after several attempts to update Flash, even after using the utility PSI links to for uninstalling Flash, I had to manually delete some files and then reinstall. Along the way, one of the Flash files that needed deleting was locked and I used handle to find out what program was using it. PSI itself was holding it open, ironically (bug report time).

PSI also gives a button to open up the folder containing the files that need patching. This is handy because on my computer it said that my XML needed updating. At first I thought this to be a false positive but I went through the steps it recommended but the utility still said XML needed patching. There are hints that PSI gives and one of them said to look at the directory where it finds the file(s) in question. The outdated XML binary it found was actually in a directory where I had downloaded and unzipped a program to be installed. Good catch, PSI. Even though that file probably wouldn’t have overwritten the one currently installed, the vendor can now be made aware that the installation bundle needs updating.

I would recommend using Secunia’s PSI on personal computers, unfortunately use on computers owned by “educational institutions”, among others, are not allowed.

Firewire hack

May 15th, 2008

USB ports are something most of us use everyday and they are now near mandatory interfaces on computers. They are commonplace on servers where just a few years ago they weren’t even an option. Many computers now have FireWire ports. Sony calls this interface iLink and the official name is 1394. Firewire is not used nearly as much as USB, even though it is better architecturally and even the slowest 1394 ports can push sustained data faster then the latest USB standards. This port is used mainly for working with digital video cameras and some use this port instead of USB for external drives because it is a bit faster.

There is a new exploit that can take advantage of FireWire ports. Actually, it isn’t that new. Discoverers of the vulnerability notified Microsoft years ago but the world’s largest software maker didn’t consider it that much of a risk. Unfortunately, a hacker has made this a much greater risk by publishing the tools to take advantage of this weakness. An attacker can connect his/her computer to your computer with a 1394 cable and pull your password out of memory…. at in only takes a few seconds. Having a password protected screensaver does not help.

The method used can, actually will, be modified to extract more then just a user’s password. New programs will try to gather disk encryption keys (if any) and even try to get data out of RAM such as information in an open spreadsheet. In short, until OS makers come out with a patch, the current defense is to disable the FireWire port when not in use, or to log off all accounts when the computer is not in use. If a computer is suspended (sleep mode), even hibernating, then it could still be attacked just by waking it up. As much as I prefer using external FW drives, it is wiser to use USB attached drives instead. If you would like steps on how to disable FW ports in Device Manager, post a comment or send an e-mail to ccalvert (at) umw (dot) edu.

Giving Blink a try.

May 17th, 2007


Blink Personal, might be the only security software to add to a PC. Here is a list of features from

  • Blocks and removes viruses, spyware, worms, trojans, and other malicious programs
  • Protection from unknown zero-day attacks
  • Protects against Identity Theft and Phishing attempts
  • System and Application firewalls protect against hackers and unauthorized system changes
  • Intrusion prevention and system protection prevent remote attacks and unauthorized program execution
  • Detection of missing operating system and application patches
  • Detection of weak configurations that leave personal information at risk of being compromised

Another awesome feature is that a another version of eEye’s flagship software is with this product. A personal version of Retina scanner allows for doing vulnerability scans on your own computer, and it only takes a few minutes. Not only does it check for typical Micrsoft vulnerabilities, but other software as well. I was reminded to update my Quick Time and iTunes because they contained critical vulnerabilities.

I was also surprised that it stated there were some critical problems with Word. It said there are no fixes for these particular problems yet, just to be careful what documents you open. At my former job some of the overseas posts where compromised to zero day exploits in Word. So reading this brought back memories of having to change every single password on a network of over 50,000 users.

Anyway, here are some of the negatives to Blink.

  1. It is only free for the first year, but I think I’ll be paying the $29.00 for it next year.
  2. It will report incidents back to the mother ship. This is to allow eEye to make a better product, prevent false positives, etc.
  3. It wants you to uninstall previous security type programs such as anti-virus, personal firewalls, etc. I was already going to uninstall my anti-virus but was looking for a good substitute. Some of the legitimate security tools I use Symantec wants to eat, and I can’t find a good way to stop the program from doing that.
  4. Like many outbound firewalls, it can annoying to get them trained properly. It already understands common Internet software such as Firefox and IE, but it did not like my news reader or Groupwise client, but all seems to be calm now.

I’m going to give Blink a try to see how it behaves. It looks very promising as a different, yet thorough, way of protecting one’s PC.

Update, 18May2007: Blink can be a pain for those that use not-that-popular Internet software. It will take a while to train, and it did eat some of my legitimate-software-that-can-be-used-for-nefarious-purposes, but at least it was easy to tell it to spit it back out and don’t eat it again.

Update, 15June2007:  Blink is now off most of the time.  If eEye would streamline some usability options then this would be a great product.  I rebooted my laptop where I didn’t have any Internet connectivity, and it took over 5 minutes just to shut down Blink.  Skype and LogMeIn couldn’t connect to servers, obviously, so they kept trying multiple servers and multiple ports.  Blink was extremely offended by this behavior and kept asking “Are you sure?” every time Skype or LogMeIn tried something else.

When the “Are you sure?” prompt was up I couldn’t disable Blink via the icon in the tray because this is how the software was designed.  I tried stopping the service but kept getting “access denied”.  So, I had to set up rules in Blink to allow Skype and LogMeIn to be able to talk to any IP on any port before I could stop Blink.  There should be another way to quench a security product’s desire to do good without making one’s computer wide open to external servers.  And it wasn’t just Skype and LogMeIn, there were other things running such as Quicktime, Groupwise and ClamWin that were trying in vain to phone home.

Then again, without Blink, or similar, running then those applications could talk to whomever they’d like.  I do basically trust Groupwise, etc., but I’d like to know when some unknown program tries to open a connection.  Sooo, if there was a better way to simply state that Program X can be trusted (like the behavior of older ZoneAlarm), then Blink would be a more pleasant program.