Removing admin rights to secure desktops
Removing admin rights to secure desktops
Improving desktop security is a priority for nearly all hospitals. This is fueled by an increased recognition of the threat unsecured desktops pose as well as a need to meet HIPAA compliance regulations. An unsecured desktop can give unauthorized access to data, which is an enormous concern for workstations with access to patient information. And as IT administrators know all too well, a compromised desktop can slow user productivity and take hours of help desk attention to fix.
Many hospitals have struggled with implementing security solutions. Many proposed solutions for securing desktops fall short, either requiring too-onerous IT management, demanding large amounts of new IT infrastructure, or simply not providing adequate protection.
One network of hospitals, Gwinnett Medical Center outside Atlanta, found a solution by enforcing the security best practice of Least Privilege in their Windows network. It's based on the realization that every time a user is granted privileges that go beyond what is required for a specific task, the system is put at risk. In a Least Privilege environment, users have the privileges necessary to perform their duties only when they need them.
In addition, in a Windows Least Privilege environment, end users are not entitled to local administrator rights. End users' administrative rights can be used by unauthorized users and hackers to compromise computer systems. The majority of malware and spyware requires administrator rights in order to install. By removing administrator rights from users and granting only the most restrictive privileges necessary for the performance of an authorized task, a hospital can limit the damage that can result from a security breach or malicious user.
While this may seem like a simple model, organizations often struggle to implement it because of the number of activities users must do for their jobs that require elevated privileges. Indeed, many applications require administrator rights to operate correctly, or even at all. Activities such as installing authorized software and ActiveX controls also require administrator rights.
Removing admin rights
Gwinnett Medical Center is a not-for-profit healthcare network that provides a wide array of services and facilities to Gwinnett County, GA and the surrounding area. Gwinnett Medical Center includes three hospitals and additional supporting medical facilities. In all, it has approximately 5,000 employees and more than 700 affiliated physicians.
One motive behind the final decision to remove administrator rights was to address the issues Gwinnett Medical Center was experiencing with malware and unauthorized installations.
Keith Brown, a Gwinnett Medical Center network administrator said, “We recognized that if we could not prevent users from installing whatever software they wanted, we would not be able to enforce security. With administrator rights users can install something on a whim or even alter security configurations and unknowingly become a gateway for malware. If the IT group doesn't know what is installed and the configuration settings on a computer, how can they enforce security of it?”
Malware usually gains access to computers through the actions of users who do not always think of the security implications of their actions.
"Malware and spyware usually hit users when they are unaware, meaning that they are doing something and see a message for something free or an offer for something appealing. The user clicks on it and the system is then infected. Users have a hard time resisting," Brown noted.
There have also been isolated cases where the wrong people inside the hospital gained too much access.
"There have been cases where outsiders accessed a computer, sat at a computer or worked in conjunction with someone with access to a computer to get at information," he said. "That's a risk I worry a lot about because there's a cottage industry that's out to steal and exploit patient information."
Gwinnett Medical Center had deployed Windows XP and Group Policy enterprisewide when they removed administrator rights.
“Everyone in our whole Windows 9x environment had local administrator rights,” said Brown. “While in the process of deploying XP we kept encountering applications that required users to have local admin rights in order to run. Our help desk was not well-suited to deal with this. The issue was driving our users nuts as they felt they had lost control.
“As we were also deploying Group Policy, we heard about a solution to this problem, a system from BeyondTrust called ‘Privilege Manager,' which uses the Group Policy infrastructure to create policies,” Brown said. Privilege Manager is implemented as a Group Policy extension and enables IT administrators to specify the application and which permissions and privileges should be added to the process token when the application is launched. “Now, everyone in our environment is only allowed a small privilege level and just a handful of people -- a few IS staff members and C-level associates -- have administrator privileges."
Brown said that “many application vendors have made the general assumption that everyone has administrator rights. This is false. The application user may not have local admin rights and may not have access to where application files are installed or written to.” This will prevent the application from working properly. "Fortunately, that's where the new software came into play,” he said. “We adopted the suite of products and adapted the company's applications to support our needs."
Protecting patient information is a major concern in healthcare and compliance mandates have been put in place to enforce it. The Health Insurance Portability and Accountability Act (HIPAA) stipulates the protection and privacy of patient data.
“In order to comply with the HIPAA requirements it is necessary for the health industry to have control over which applications and people have access to patient information,” Brown said. “A concern is that some applications will incorrectly make private information available to an outside entity. Using our new software and removing administrator rights has given us a way to control what is being used.”
Since the new system has been deployed, Gwinnett Medical Center has seen a decrease in the number of malware attacks and is secured against threats from people inside the hospital. As a result of the reduction in malware and the increased control of what can be installed on the desktop, the help desk receives fewer calls and when called is able to more quickly solve issues.
“First thing we noticed when we took away local administrator rights is that our incidents of malware dropped off considerably,” Brown says. “We also spend less time dealing with odd situations, and can expect a more consistent desktop appearance across the computers we support.”
One of the greatest benefits Gwinnett Medical Center has recognized is that employees and doctors can spend more time doing their jobs.
“Users can now focus on their job tasks and not have to be concerned about whether an application will or will not work for them without administrator rights," Brown said.