Windows security case study: Controlling Windows 7 user privileges

Migrating to Microsoft Windows 7 is becoming more urgent for the many UK companies that still run Windows XP. Support for the old operating system will come to a halt in April 2014, which means no more patches, updates or service packs to protect them.

One solution would have been to make all our users local administrators on their machines, but that would have negated any security gains from moving to Windows 7.

Gavin Wilson,
Oxford University Press

Changing to a new operating system, albeit a more modern and considerably more secure one such as Windows 7, can create problems. Specifically, applications that ran fine in XP can come into conflict with the tighter security constraints of Windows 7.

Some would think this leaves companies with a choice: either re-engineer their XP applications, or loosen the security Windows 7 offers. However, Oxford University Press found another solution: running its Windows XP applications within the confines of Windows 7 security by controlling Windows 7 user privileges.

Windows XP flexibility clashes with Windows 7 security
Gavin Wilson, a senior support analyst for Oxford University Press (OUP), recently faced this dilemma when his organisation – the largest university press in the world, employing 5,500 people – made a wholesale migration from Windows XP to Windows 7. 

“We have a large number of legacy systems that have been built up over many years that are crucial to our publishing business. One of the things we had to do was make these systems run with Windows 7,” he said. 

“Developers had taken advantage of features that had been available in XP, which have now been closed with Vista and Windows 7.” For example, some of the programs wrote to folders in the Program Files directory or accessed hardware, which was fine under XP, but required elevated privileges under Windows 7. If users had standard user accounts, they would be unable to use many of these basic business applications.

“One solution would have been to make all our users local administrators on their machines,” Wilson said. “But that would have negated any security gains from moving to Windows 7, and it would also have led to an increase in help desk calls when users did something wrong by accident, such as deleting a program.”

The problem was not confined to managing legacy applications. With OUP moving strongly into digital products – such as e-books and multimedia educational courses – many users needed to load new programs on to their computers, either for development reasons or for marketing to customers. Even these new applications would be blocked by Windows 7, unless the user had local admin rights.

Controlling Windows 7 user privileges
Wilson started researching the market for technologies that could help. “There were products that touched on the issues of elevation of privilege, but they were part of much larger products,” he said. “They also had their own servers and their own database, and required clients to be installed on the PCs, so they would have incurred a large overhead.”

Wilson then researched Privilege Guard, a product from Avecto, a Manchester-based software vendor founded in 2008 by former executives of virtualisation company AppSense. Privilege Guard promised to manage user privileges without requiring extra servers or databases, and could be managed through OUP’s existing Active Directory.

“It uses our existing infrastructure to make it work,” Wilson said. “It uses a very small client that it installs on the PC, but the controls that make it work are all based around Active Directory group policies; I could apply my existing Active Directory skills to assign privileges.”

The main advantage, according to Wilson, was that Privilege Guard allowed him to elevate user rights on a selective basis for specific users and applications, without giving them full local admin rights.

A successful pilot project with 150 users proved the value of the product for OUP, and it was soon rolled out to all 2,000 of the OUP’s UK-based users. OUP users who need access to legacy applications, such as invoicing or royalties management, can be assigned higher privileges for those applications, while they have a standard user account in all other respects.

At OUP, even developers are granted local admin rights on a controlled basis. “We recently had some developers who wanted to compile an Android application that needed to write in certain areas of the Program Files directory," Wilson said. "Rather than giving them blanket elevations rights, we gave them very specific rights to do what they needed to do.”

Alternative approaches to privilege management
According to Bob Tarzey, an analyst with Windsor-based Quocirca, privilege management is important, but it needs to be applied more broadly to include non-Windows clients, servers and other new mobile devices based on iOS and Android.

“There are two approaches to privilege management,” Tarzey said. “The first is to take basic identities from Active Directory and grant extra privileges on a case-by-case basis, which is how Avecto works. The second is to use password vaults, the way Cyber-Ark Security and Thycotic Software products work. Vaults allow you get a password and use it for a period. Either way, once systems are in place, the use of privilege is controlled and, most importantly, audited."

Managing privileges for different applications
In addition to managing privileges based on Active Directory identities, OUP uses Privilege Guard to block some programs, such as Skype, altogether. Conversely, there are some programs, such as Citrix GoToMeeting, that users may need to run from time to time, which would normally be blocked by Windows 7 for standard users. In this case, Wilson uses Privilege Guard to create a custom security token which grants specific rights for a process. Users are able to run GoToMeeting without elevating their other privileges.

The next phase of the project, Wilson said, will be an upgrade to version 3 of Privilege Guard, which will add enterprise reporting. Wilson expects to be able to report more easily on what users have been doing, which applications they have been using, and where they have been blocked.