BeyondTrust Warns That Microsoft Offers Little Relief to Enterprises Seeking to Lock Down Windows 7 Deployments

New User Account Control "Slider" is Not an Effective Enterprise Feature; Introduces Options That Both Lessen Desktop Security and Increase Risk of Malware Installation

PORTSMOUTH, NH. – September 3, 2009 — As the October 22 release date of Microsoft Windows 7 approaches, BeyondTrust Corporation, the first provider of Least Privilege Management solutions, is urging enterprises to conduct a thorough investigation into the changes to User Account Control (UAC) as they consider and prepare for deploying the new operating system. Windows 7 will bring little relief for enterprises seeking to deploy end users as standard users, i.e., users without administrator rights. While changes to Windows 7’s UAC benefit the home user market, enterprises must be aware that the new "slider" feature is only for administrators and may increase security risks.

Microsoft introduced UAC in Windows Vista to reduce the frequency that users run with administrative privileges, thereby limiting the ability of malware to install on desktop systems. Despite its good intentions, Vista’s UAC was widely criticized due to its frequent user prompting, as well as application compatibility issues for standard users. In response to the feedback that users were forced to respond too many prompts, Windows 7 features a new approach to UAC, providing a four-position slider feature to control how often UAC pop-ups occur. This feature is only available to users logged in with administrator rights. The lowest setting disables UAC, a popular feature request by Vista home users. Windows 7 introduces no new features to solve the application compatibility issues experienced by standard users.

"For enterprises, there is little benefit to the changes to User Account Control in Windows," said John Moyer, CEO of BeyondTrust. "Windows 7 introduces cosmetic changes to reduce the prompts that plagued Vista, but it does nothing to fix the underlying productivity and usability problems for standard users, which is the preferred and most secure configuration for a growing number of organizations. Enterprises must recognize that Windows 7’s UAC slider puts end-users in charge of the security decision of what to run with administrative privileges, which is essentially an invitation for malicious users, hackers and malware."

In order to take advantage of the new slider settings in Windows 7 UAC, enterprises must deploy users as administrators, giving them full control to make any changes to the operating system, such as unauthorized installations and disabling of security measures such as antivirus software. As a result, the most secure configuration option for enterprises remains running end users as standard users, with administrator rights removed. In fact, recent research by BeyondTrust shows that 92 percent of all critical vulnerabilities announced by Microsoft in 2008 could have been mitigated by eliminating admin rights.

Despite growing CSO and CISO recognition of the need to deploy end-users as standard users, and requirements by the Federal Government for the removal of administrator rights under the Federal Desktop Core Configuration (FDCC) mandate, Windows 7 includes no significant changes to UAC for standard users. As a result, enterprises will still be unable to create policies that allow standard users to transparently install and utilize approved applications that require administrative privileges. Companies that seek the security benefits of removing administrator rights from end-users will suffer the adverse productivity and technical support impact of no longer being able to run critical applications that require administrative privileges or install approved software.

For enterprises seeking to eliminate administrator rights on end user systems while transparently elevating permissions for authorized applications, BeyondTrust Privilege Manager remains the best and most secure option. In fact, Microsoft took the step of recommending Privilege Manager as part of a “best-of-breed solution to the Least Privilege problem” for enterprises running Windows Vista. BeyondTrust’s award-winning Privilege Manager software is implemented as a Group Policy extension. Organizations simply specify the privileges necessary for an application. These privileges will be added to the application process when it is launched enabling end-users without administrative privileges to run all authorized applications. Privilege Manager reduces support costs and provides great flexibility for maintaining standardized desktop configurations, such as those specified in the Federal Desktop Core Configuration mandate.

For enterprises seeking to eliminate administrator rights on end user systems while transparently elevating permissions for authorized applications, BeyondTrust Privilege Manager remains the best and most secure option. In fact, Microsoft took the step of recommending Privilege Manager as part of a "best-of-breed solution to the Least Privilege problem" for enterprises running Windows Vista. BeyondTrust’s award-winning Privilege Manager software is implemented as a Group Policy extension. Organizations simply specify the privileges necessary for an application. These privileges will be added to the application process when it is launched enabling end-users without administrative privileges to run all authorized applications. Privilege Manager reduces support costs and provides great flexibility for maintaining standardized desktop configurations, such as those specified in the Federal Desktop Core Configuration mandate.

To speak with John Moyer about the issues enterprises must consider when evaluating Windows 7’s User Account Control, contact Dave Bowker or Tiffany Archambault at (781) 684-0770 or beyondtrust@schwartz-pr.com.

About BeyondTrust
BeyondTrust Corporation, a pioneer in Least Privilege Management, enables enterprises to move beyond the need to trust users with excess privileges or administrator rights. BeyondTrust Privilege Manager was the first product to enable the security best practice of Least Privilege in Windows environments by allowing administrators to assign end-users permissions for required or selected applications. With Privilege Manager organizations can remove administrator rights and still allow end-users to run all required Windows applications, processes and ActiveX controls. By eliminating the need to grant administrator rights to end-users, IT departments can create a more secure, compliant and standard environment. More than 500 organizations worldwide in virtually every vertical industry rely on BeyondTrust Privilege Manager to secure their enterprises. For more information, please visit www.beyondtrust.com.

Contacts:

Dave Bowker or Tiffany Archambault
Schwartz Communications, Inc.
(781) 684-0770
BeyondTrust@schwartz-pr.com