Allowlists and smooth workflow: do they contradict each other?

IT staff routinely set up limited privileges for all users for security's sake. Users, however, are deeply suspicious of such limitations, assuming (sometimes with good reason) that they will disrupt the workflow. Is there a way to reconcile these two positions?

Securelist recently published an article by Kaspersky Lab expert Kirill Kruglov: “Breaches in corporate network protection: access control”. In it, Kruglov takes a somewhat unorthodox view of the approach system administrators commonly use to protect critical systems from unauthorized changes and to reduce the opportunities for attacks on the corporate network.

IT staff routinely set up limited privileges for all users other than administrators. At the same time, any administrator can log into any system remotely to quickly repair a failure, and sometimes all admins share a single account. Almost anyone can obtain local administrator rights on request. Overall, according to Kruglov, the traditional protection of users is based on the principle “it is better to miss malicious software than to block something really important”.

“In reality, though, the lack of administrator rights is not a serious obstacle for either malicious software or a hacker penetrating the corporate network. Firstly, any system has dozens of vulnerabilities that open the necessary rights up to kernel-level privileges. Secondly, there are threats which only require standard user privileges to be implemented”, Kruglov writes.

Effective protection of critical systems therefore needs much finer tuning to prevent both local and domain attacks, and much more discretion from the IT staff. It is not enough to restrict access to everything for everyone but the admins. Kruglov acknowledges that many users are suspicious of any restriction, expecting a negative impact on their workflow even when there is none.

To protect the company infrastructure as a whole, it is necessary to know exactly what requires attention and protection: which equipment, which subsystems, and so on, and what kind of protection each of them requires. Then access levels should be established for users according to the business processes and the users’ roles. Kruglov lists these requirements for effective protection of critical systems at the beginning of his article.

In the end, he reiterates that it is almost impossible to provide a high level of protection for workstations simply by denying users administrative rights, and that installing antivirus software on a workstation will not solve every problem either. He argues that Application Control tools with built-in dynamic allowlists, the technology that checks whether an application is genuine and approved before it is allowed to run, are the best choice.

While Default Deny, an approach under which only trusted applications are allowed to run, may look excessively restrictive, in practice it gives end users more flexibility than simply stripping their privileges on local systems: an approved application runs regardless of who launches it, while an unknown binary does not run regardless of who launches it. With Application Control tools, users do not constantly run into annoying restrictions, and at the same time the attack surface, and the criminals’ chances of getting through, are sharply reduced.
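To make the contrast concrete, here is a small Python model of a Default Deny policy engine. It is an added example written for this page, not code from Kruglov's article or from any Kaspersky product; the "executables" are constructed byte strings, and the `signer` field is assumed to come from a signature that has already been verified elsewhere. It shows that the traditional "no admin rights" model still lets a standard user run a payload dropped into their own profile, while a default-deny allowlist blocks it without touching the approved applications the user needs.

```python
"""Default-deny application control, modelled in Python (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Executable:
    """A file the OS is about to launch. `signer` stands in for the publisher
    name taken from an already verified code signature (assumption)."""
    path: str
    content: bytes
    signer: str | None = None


@dataclass
class DefaultDenyPolicy:
    allowed_hashes: set[str] = field(default_factory=set)      # known-good builds
    trusted_publishers: set[str] = field(default_factory=set)  # approved vendors
    # Locations only administrators can write to (lower-cased prefixes).
    trusted_dirs: tuple[str, ...] = ("c:\\windows\\", "c:\\program files\\")
    # Subdirectories of trusted locations that standard users CAN write to; a
    # path rule must exclude them or the allowlist is trivially bypassed.
    user_writable_dirs: tuple[str, ...] = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")

    def evaluate(self, exe: Executable) -> tuple[str, str]:
        """Return (verdict, reason). Anything no allow rule matches is denied."""
        path = exe.path.lower()
        if sha256_hex(exe.content) in self.allowed_hashes:
            return ("allow", "hash on allowlist")
        if exe.signer is not None and exe.signer in self.trusted_publishers:
            return ("allow", f"signed by trusted publisher {exe.signer}")
        in_trusted = any(path.startswith(d) for d in self.trusted_dirs)
        in_writable = any(path.startswith(d) for d in self.user_writable_dirs)
        if in_trusted and not in_writable:
            return ("allow", "installed in an admin-only location")
        return ("deny", "not covered by any allow rule")

    def learn(self, exe: Executable) -> None:
        """The 'dynamic' part of the allowlist: an admin-approved rollout adds
        the exact build's hash, so later tampered copies no longer match."""
        self.allowed_hashes.add(sha256_hex(exe.content))


def privilege_only_model(exe: Executable) -> tuple[str, str]:
    """The traditional model: only administrator rights are withheld. Execution
    itself needs no privilege, so anything a standard user can write, they run."""
    return ("allow", "standard user may run any file")


# Constructed sample "binaries" (byte strings standing in for real PE files).
ERP_CLIENT = Executable("C:\\Program Files\\ERP\\erp.exe", b"MZ erp-client-v3",
                        signer="ERP Vendor Ltd")
VPN_SETUP = Executable("C:\\Users\\alice\\Downloads\\vpn-setup.exe",
                       b"MZ vpn-setup-2024", signer="Trusted VPN Co")
MACRO_PAYLOAD = Executable("C:\\Users\\alice\\AppData\\Roaming\\update.exe",
                           b"MZ dropped-by-office-macro")
PLANTED_IN_TEMP = Executable("C:\\Windows\\Temp\\svchost.exe", b"MZ planted")
TAMPERED_ERP = Executable("C:\\Users\\alice\\erp.exe", b"MZ erp-client-v3-patched",
                          signer="ERP Vendor Ltd")
SAMPLES = (ERP_CLIENT, VPN_SETUP, MACRO_PAYLOAD, PLANTED_IN_TEMP, TAMPERED_ERP)

POLICY = DefaultDenyPolicy(trusted_publishers={"Trusted VPN Co"})
POLICY.learn(ERP_CLIENT)  # the ERP build was approved and rolled out by an admin


def run_samples() -> dict[str, str]:
    """Verdict per sample path under the default-deny policy."""
    return {exe.path: POLICY.evaluate(exe)[0] for exe in SAMPLES}


if __name__ == "__main__":
    for exe in SAMPLES:
        old = privilege_only_model(exe)[0]
        new, why = POLICY.evaluate(exe)
        print(f"{exe.path}\n  no-admin model: {old:5}  default deny: {new:5} ({why})")
```

The three rule types mirror what real application control products offer (hash, publisher, path), and the `user_writable_dirs` exclusion is the check most often missed in hand-rolled path rules: a path rule that covers `C:\Windows\Temp` or `C:\Windows\Tasks` lets a standard user plant and run anything there.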

The full text of the article is available here.
