What auditors are looking for when they drill into the level of security risks of privilege creep

Viewfinity provides privilege management for endpoints and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower costs. Viewfinity helps organizations manage least privilege environments by controlling end user and privileged user rights for applications and/or reducing permissions for privileged users. Along with this core competency, we provide the most comprehensive solution available for tracking and auditing all privileged and administrative activities and elevated privilege policies across an organization's entire infrastructure, from Windows-based endpoints, to servers, virtual machines, cloud/SaaS, and remote-based endpoints. Viewfinity can be implemented via our SaaS platform, through on-premise servers, or within Group Policy.

In the following interview, Leonid Shtilman, CEO and Co-Founder of Viewfinity, discusses 1:1 with Rake Narang, Editor-in-Chief of Network Products Guide, what auditors are looking for when they drill into the level of security risks of privilege creep.

Rake Narang: You mentioned that removing admin rights is a well-accepted fundamental layer of protection for endpoints. Why is the problem of privilege creep still a challenge to IT?

Leonid Shtilman: Indeed most organizations do recognize that removing administrative rights from users is a well-accepted strategy for combating security breaches. Privilege creep results from not having a proven method in place for helping users that legitimately do need administrator rights to effectively perform their daily job tasks. Ultimately what happens is that the IT staff removes admin rights only to turn around and “temporarily” grant rights to users who end up needing them for a specific usage. Even for privileged users – you’ll grant them rights so they can resolve a particular problem or work on a project. If you forget to revoke the old privileges, the user may have access to more information than they need. You can see how privilege creep occurs over time because the number of users with administrative rights creeps up and up, until you no longer can keep track of who you gave rights to.

Rake Narang: What types of things are auditors looking for when they drill into the level of security risks of privilege creep?

Leonid Shtilman: Any privileges you hand out should be controlled and you should hand those out very judiciously. Auditors require a method for companies to regularly report who has both domain and local administrative privileges and a system that can remove these privileges if they are not needed.

At a minimum, the use of these higher-level privileges should always be audited. Whenever someone uses their administrative-level privileges, you should always know that and be able to track and report on how privileges are used. For example, when an administrator creates a policy or uses his privileges to create an account, there should be a corresponding audit log that tracks the administrator’s actions and activity. This way, audit teams gain a clear understanding of which privileges are being utilized by the IT team. During a corporate audit, it is critical to have the ability to identify the administrators who are enforcing your privilege policy rules.

A typical use case could be an ex-employee system admin whose domain account is disabled and/or removed from the Domain Administrators group. Auditors have learned that this isn’t always the same case with local administrator accounts, and a disabled domain account won’t prevent an IT administrator from logging into a system with a known local administrator account. Auditors are looking to protect organizations from this loophole that exploits administrative rights on laptops and desktops, and through that path, gain a position to infiltrate servers.

Rake Narang: Do you have any benchmark statistics you can share regarding how privilege creep “creeps” up on companies?

Leonid Shtilman: This information isn’t easy to come by purely due to the nature of privilege creep – all too often it’s difficult for companies to keep track of who they’ve given rights back to. Nonetheless, we were curious about this ourselves so we decided to informally survey IT administrators who had downloaded our free tool that discovers user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain. The survey showed that after running the Viewfinity Local Admin Discovery tool, 36.4% of the respondents found between 15-25% had local admin rights and 23% of the respondents found that over 50% had local admin rights. The analysis also revealed the statistics shown below as related to privilege creep in the context of Local Administrator Rights:

Even this informal sample is indicative of how this situation presents a challenge to those who are obviously trying to do the right thing. Companies are struggling to manage admin rights and do not have a way to manage them properly. While privilege creep is the symptom, the actual risks are in the form of keylogging, unauthorized management of administrative credentials (such as UAC password access), malware infiltration, installation of unauthorized devices and applications, just to name a few. All of these open up an IT environment to serious security risks.

Company: Viewfinity
303 Wyman St. Suite 300
Waltham, MA 02451 U.S.A.

Founded in: 2007
CEO: Leonid Shtilman
Public or Private: Private
Products and Services: Viewfinity Privilege Management
Company's Goals: Viewfinity intends to continue on its path of success in 2012 by growing revenue, acquiring new customers and beating our 95% renewal rate with our existing customer base. We will strive to increase awareness in the market regarding the importance of abiding by the principle of least privileges and the number of security risks this practice mitigates.
