In our previous post about understanding the Essential Eight, we covered best practices on application whitelisting and user application hardening. In case you missed it, you can read it here.
This week, we want to take you through why you should consider configuring Microsoft Office macro settings and restrict administrative privileges to prevent malware delivery and limit the extent of security incidents.
Restricting Administrator Privileges Should Be a Standard
It’s surprising that administrative restrictions are not a standard for most MSPs today. Speaking to many experienced IT practitioners and our partners, it is unanimous that users should not have local admin credentials to do as they please on company-owned devices. In fact, in most if not all enterprise/corporate environments, this function is locked down by default as a standard business practice to protect data and ensure users are not going beyond their specific functions needed to do their jobs.
So why should SMBs be any different?
Most of your clients may argue that as a small business, they need the flexibility and admin rights help them do their jobs. That’s fair enough, right? But should this come at the cost of their security posture?
As an MSP, this can always be a difficult conversation to have with your clients—the customer is always right, right? Wrong! You as the MSP are providing a service that the client is unable to do themselves, and they rely on you to not only support their IT environments but to also be a thought leader and a trusted advisor. You cannot be that to them if they are allowed to circumnavigate these widely recognized industry standards.
The Reality of User Privileges
Last month at Navigate 2018, I attended a breakout session during which one of our partners asked what would be a fairly common objection that most MSPs face. The answer, which came from another partner, had the room in stitches but also struck a chord. It went a little something like this:
Q: Our clients want to be able to do what they want in their own environments, how can I tell them no?
A: Would you tell a surgeon how to perform a procedure? Some people might, but a surgeon is not going forego their training and experience because the client says so. So why should you?
You probably had to be there for the laugh, but you get my point. IT providers, technicians, and engineers spend countless hours training, re-training and training again, all to keep up with the constantly changing IT industry. It’s your job to provide this service to your end-clients, and in most cases, this training and experience is doesn’t come free or cheap. While the client has the right to question your services, you should be utilizing your know-how to educate them on why they should be implementing what you’re recommending.
Why Does Microsoft Offer Macros If It’s Considered a Security Vulnerability?
Simply put, macros weren’t intentionally designed for malicious purposes. They were designed to help automate workflows of common tasks in the Office suite to improve productivity. Then, someone decided to flip the script and use macros for nefarious and potentially destructive intent.
Despite this, macros are still widely used today and can be an effective tool. Microsoft has greatly improved their security around macros, and malware being spread by this method has since decreased. This was achieved by notifying a user of potential untrusted macros embedded in a file, allowing visibility into certified known macros, and providing the ability to use only trusted macros. Today, a user would need to go out of their way to download a macro file and ignore these warnings to be affected.
But, Murphy’s Law dictates that "whatever can go wrong, will go wrong."
So why take the risk when you can simply remove the potential for human error, nullifying the risk by essentially ‘idiot proofing’ these applications by locking down these measures. This potentially saves you and your clients a lot of time, stress and money in the long run.
What If This Is a Deal-Breaker for My Clients?
If you have explained the benefits and concerns regarding what is a simple but effective way of securing their environments and the client still does not agree to those terms, then do you really want them as a customer? At the end of the day, if something happens due to leaving these items exposed, who do you think they will blame? The negative effect of an event like this happening with them as a client is arguably higher then losing their business for trying to uphold their best interests.
Our CEO, Michael George talked about the security landscape in detail and provided some key takeaways from his Navigate 2018 keynote:
"Over the next two years, more small businesses will fire their current MSP and hire another all because of security incidents. SMB clients don’t want to buy IT services from one MSP and security from another, so providers that don’t have a plan to deliver comprehensive security to clients will be at a disadvantage."
These predictions are already being experienced by MSPs today. Clients are expecting their MSP to already be looking after their security requirements, making MSPs accountable whether they like it or not. There is a massive difference between ‘expectation’ and ‘reality’ when it comes to security offerings today. Unless you have clearly defined contracts, the perception by the client is that it will be the MSP’s fault if there is a breach.
How Do I Monitor These Types of Events and Prevent Against Attacks?
In many cases, you may not be monitoring whether admin permissions have been provided to a user on a regular basis. You and your client would not know that a vulnerability has been opened until your next security assessment, which comes around every six to twelve months. By then, it might be too late.
Continuum can provide the tools you need to identify vulnerabilities, report risk, mitigate threats and remediate attacks against your clients. Through Continuum’s partnership with RapidFire Tools, we provide you the ability to easily run these security audits and assessments any time you need. Additionally, through Continuum’s Profile & Protect product, you will be able to persistently monitor users admin permissions in near real-time as well as many other configuration items that may leave your clients exposed to vulnerabilities.
By Lily Teplow
By Gretchen Hoffman
By Gretchen Hoffman