What is the single most important way to improve endpoint security? According to Gartner’s Neil MacDonald, organizations should remove administrative rights from all users. Administrative rights on enterprise endpoints provide users with complete control over the device. These rights allow users to install software, change the Windows Registry settings, change a wide variety of configuration files and generally do whatever they want on the device.

So, why are administrative rights a problem? Mainly because users might change the endpoint configuration or install unauthorized software. If a user installs benign unauthorized software, at most, it will become a nuisance. However, if unauthorized software is malicious and installed under administrative rights, its impact can be devastating.

Additionally, since many Windows vulnerabilities that enable code execution do so in the context of the logged-in user, exploits may run without any restrictions on the endpoint. We therefore agree that limiting administrative privileges for corporate end users improves the organization’s security posture; however, it is not a panacea. Also, in today’s environments, which support BYOD policies and the consumerization of information technology, removing administrative rights for endpoint security is often unfeasible.

Protecting Endpoint Security

Removing administrative rights from the user does not prevent advanced malware infections. In his blog, MacDonald wrote that removing these rights isn’t a “lockdown”: users will still be able to install software, drivers, ActiveX controls and more — including potentially malicious files. Moreover, today’s advanced malware does not require user interaction or administrative rights to compromise an endpoint. Drive-by downloads, which exploit browser vulnerabilities and browser plug-in vulnerabilities, can infect the endpoint when a user simply views a compromised Web page, with or without administrative rights.

This was the case in a recent malvertising campaign recorded by the research team at IBM Security. The attack utilizes a Java zero-day vulnerability (CVE-2013-0422) to automate the exploitation of the Java virtual machine. Embedded into ads that are displayed on legitimate websites, the exploit is able to automatically infect users with unpatched browsers when they visit these sites, even when the users don’t click on the ad.

It is important to note that advanced malware can infect an endpoint when running under the context of either “administrative” or “standard” user rights, and in both cases, the malware can survive a reboot.


Drive-by downloads are a top attack method and are growing in popularity among hackers. Today, drive-by downloads that are completely independent of user interaction pose a significant threat to enterprises because they are so difficult to prevent. Attackers are taking advantage of the fact that many enterprises fall behind on patching endpoint vulnerabilities and are also exploiting zero-day vulnerabilities for which a patch is not available.

We agree with MacDonald’s recommendation to use application control and white-listing to lock down environments. Furthermore, we recommend that enterprises implement an exploit-prevention security layer that uses application control and white-listing technology to effectively protect vulnerable endpoint applications.
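To make the application-control recommendation concrete, here is an added illustration (not IBM code and not a product feature) of the decision an allow-listing layer makes for each execution attempt. It contrasts two common rule styles: a hash rule that allows only known-good executable contents, and a path rule that trusts whatever lives in directories a standard user cannot write to. Every binary, hash, path and user below is constructed for the demonstration; the point it shows is that a payload dropped into the user profile by a drive-by download is blocked regardless of whether the user is an administrator, while an unapproved or tampered file in a protected directory slips past a path rule and is caught only by the hash rule.

```python
"""Toy application-control (allow-list) decision engine.

Added example: not IBM code and not a product feature. All binaries,
hashes, paths and users are constructed stand-ins for the demonstration.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable contents (a real policy hashes real files).
APPROVED_BINARIES = {
    "C:\\Program Files\\Editor\\editor.exe": b"MZ constructed approved editor build 1.0",
    "C:\\Windows\\System32\\notepad.exe": b"MZ constructed os notepad",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allow-list key."""
    return hashlib.sha256(data).hexdigest()


# The allow-list proper: hashes of the known-good executables.
ALLOWED_HASHES = {sha256_hex(b) for b in APPROVED_BINARIES.values()}

# Directories a standard (non-admin) user cannot write to; a path rule trusts these.
PROTECTED_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\")


@dataclass(frozen=True)
class ExecEvent:
    """One execution attempt as an endpoint agent would see it."""
    user: str
    is_admin: bool
    path: str
    contents: bytes


def decide_by_hash(ev: ExecEvent) -> str:
    """Allow only executables whose content hash is on the allow-list."""
    return "allow" if sha256_hex(ev.contents) in ALLOWED_HASHES else "deny"


def decide_by_path(ev: ExecEvent) -> str:
    """Allow anything that lives in a directory standard users cannot write to."""
    return "allow" if ev.path.startswith(PROTECTED_PREFIXES) else "deny"


def evaluate(ev: ExecEvent) -> dict:
    """Return both rule decisions for one event so they can be compared."""
    return {
        "path": ev.path,
        "user": ev.user,
        "admin": ev.is_admin,
        "hash_rule": decide_by_hash(ev),
        "path_rule": decide_by_path(ev),
    }


# Constructed execution events covering the cases discussed in the text.
SAMPLE_EVENTS = [
    # Approved editor launched by a standard user: both rules allow it.
    ExecEvent("alice", False, "C:\\Program Files\\Editor\\editor.exe",
              APPROVED_BINARIES["C:\\Program Files\\Editor\\editor.exe"]),
    # Payload dropped by a browser exploit into a standard user's profile.
    ExecEvent("alice", False, "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
              b"MZ constructed dropped payload"),
    # The same payload, but this user happens to be an administrator.
    ExecEvent("bob", True, "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe",
              b"MZ constructed dropped payload"),
    # Unapproved tool an admin copied into Program Files: the path rule trusts
    # the location, the hash rule does not.
    ExecEvent("bob", True, "C:\\Program Files\\Tools\\unapproved.exe",
              b"MZ constructed unapproved tool"),
    # Approved OS binary modified in place (one byte changed): only the hash rule notices.
    ExecEvent("bob", True, "C:\\Windows\\System32\\notepad.exe",
              b"MZ constructed os notepad!"),
]


def run_demo() -> list:
    """Evaluate every sample event and return the decisions in order."""
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['path']:<50} admin={str(r['admin']):<5} "
              f"hash_rule={r['hash_rule']:<5} path_rule={r['path_rule']}")
```

Running the script prints one line per event. Events two and three (the dropped payload) are denied by both rules whether or not the user is an administrator, which is the behaviour that makes allow-listing effective against drive-by downloads. Events four and five show why hash-based rules are the stronger choice: a path rule cannot distinguish an approved binary from an unapproved or tampered one in the same trusted directory.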
