Lieberman Software

February 2010

Top of Mind
The Best Tool for the Job when the Job does not Exist

Philip  Lieberman, CEO Lieberman Software

Recently we received an inquiry from a major customer that described a scenario where they wanted their end-users to be able to run arbitrary (from a controlled list) programs as an administrator without the need for administrator credential disclosure.

I thought users did not need administrator access anymore…  What made this call so interesting is for the past 5 years, we and other software manufacturers have been modifying our products to eliminate the requirement for administrator credentials to run our applications. From our perspective, we have seen very little need for end-users to ever have access to administrator accounts for their local machines except in emergency situations (i.e. safe-mode repairs).

More than just applications…  In doing further research we discovered that the core problem was not only applications, but that they needed users to do things like: change the clock time, change the IP address, install device drivers, and other day-to-day things that require administrator privileges in Windows XP. Thinking through the requirements, it occurred to me that this customer’s needs were primarily the result of the IT department being overwhelmed with support costs caused by their use of Windows XP.

The plot thickens…  When I asked what platform the client was running, they said they were moving over to Windows 7.  Fortunately in Windows 7, all of the day-to-day configuration and installation tasks that previously required administrator access in Windows XP are now user level privileges that no longer need an admin account. Going further, just about all applications written or revised over the past 5 years also no longer require administrator privileges.

One recurring theme I have been pushing to our enterprise customers is to upgrade to Vista or Windows 7 because of its superior architecture and vastly improved security. Strangely enough, the improved security means that users no longer need administrator accounts, and in many cases, anti-virus software is no longer absolutely required (you have to have protection software installed in Windows XP).

So where are we?  In the case of the client who wanted to provide escalation of users to an administrator using a third party add-on, I am not sure why they would want or need this capability. My best guess is that they are not familiar with the evolution of software security over the past five years, nor are they familiar with the improved security and lower IT TCO of the operating system they are migrating to.
When the unnamed client above deploys Windows 7, their clients will stop calling the IT help desk to do the routine administrator-only account tasks, and they will no longer need to worry about applications that run as administrator. Yes, Microsoft fixed this shortcoming in Windows XP.

Legacy Product Vendors: A very fine business for XP users...  For the vendor that makes transparent user escalation software, there is still a market for customers that continue to use XP. This is the same market that will continue to reap vast rewards for ISVs to provide them with mandatory anti-virus and anti-malware solutions. For those organizations that make the leap to Windows 7, they will find a simpler, more secure, and lower cost platform that no longer needs add-ons to cover the mistakes and limitations of older operating systems.

A little plug for our solutions!  You still need to randomize those common administrator accounts in Windows 7 and provide appropriate delegated access to those that need it in emergencies. Even in Windows 7 and Vista, you still need our products to manage privileged identities. However, users will rarely need to access their local administrator account on these new and more secure platforms.
What do you think? Feel free to write me directly:

Tech Tip of the Month

Enterprise Random Password Manager: Recovering Local Passwords

Recovering your local account passwords with the ERPM/RPM Software Development Kit takes only a few simple steps. See how to do it in under three minutes in this new webinar.

Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles, CA  90067

(01) 310-550-8575

Partner News
  • Oracle Partner Video
    Philip Lieberman Discusses how Lieberman Software and Oracle are Working Together to Secure Large Enterprise Environments in this 2:44 video.
  • We have implemented a number of Technology Integrations over the past few months. Want to know more? Visit our Technology Integrations site!

Product Updates / Launches / Podcasts
  • Whitepaper: Who Holds the Keys to Your IT Kingdom? This guide examines four key steps necessary to secure an organization's privileged identities. It describes basic, manual and ad-hoc processes that can improve control over privileged access along with automated alternatives to further reduce the risks of data breaches and operational disruptions while improving staff efficiency and management oversight.

Events / Press / Analysts
      •   Did you know? You can now follow us on Twitter!
      • Los Angeles Times, February 2010French judge issues arrest warrant for cyclist Floyd Landis in alleged hacking incident. Lieberman said he would like to ask the lab who had access to the system. "An interesting question about this," he said, "is - was there a third party involved that had authorization to get through the firewall to see results and shared that account?"
      • Network World, February 2010: Credit card data security: Who's responsible?   In this article, Philip Lieberman argues that last year's data breach at Heartland was less the fault of the company's, and more the result of the lack of smart card technology that credit card issuers refuse to issue in the United States.
      • Redmond Magazine, February 2010: Microsoft Reports Bug in Web Security Protocols. "This type of bug/limitation is not particularly surprising given that this type of exploit requires that a hacker have a very high technical capability as well as the ability to tap into secure network sessions," Lieberman said. "It is an interesting technical exploit, but not particularly likely."
      • Dark Reading, February 2010: Database Account-Provisioning Errors A Major Cause Of Breaches. "They have to ask themselves the question, 'Where do we have accounts? Tell me all of the places where we have accounts and tell me all the things they use these accounts for?'" says Phil Lieberman of Lieberman Software, which specializes in privileged user management.

      Lieberman Software Corporation respects your right to privacy, and believes any information you provide us should be protected from disclosure to others. For more information, please read our privacy policy. You are receiving this email because you have granted us permission to contact you. If you do not wish to receive email messages from Lieberman Software in the future, please click here.