January 25, 2005

Configuring Symantec's Antivirus Client for Non-Administrator Updates



Last month, I reviewed some frightening trends in our cyber-insurgency universe and closed with a plea to vendors that provide online updates to eliminate the local administrator rights requirement. With local administrator rights, malware can inflict greater damage on the local system and systems on which the local account has elevated rights.

In today’s patch-or-die world, online updates are fast becoming an industry standard. Most major hardware and software players, including vendors of virus and spyware scanners, offer this technology. In some cases, you can avoid granting local administrative rights by installing and configuring each vendor’s push technology. Push technology adds another layer of complexity to managing desktop security: You need the hardware and disk space to store updates; you must learn how to install and configure each vendor’s push application; you need to verify that updates are downloaded successfully; you might need to review, test, and manually approve updates; you must verify that the push technology is actually distributing updates; and you must back up each push application and its associated patch files. You also need to monitor security holes that can let a malicious user compromise each vendor’s online update and push software. (Aside to vendors: Are you aware of any security flaws in your online update or push software? Do you test new versions for potential security holes? Do you disseminate such information?)

Implementing internal update servers is a manageable task for companies with a large budget and requisite technical expertise. Small and mid-sized businesses have smaller budgets and less technical acumen; thus they're more vulnerable to cyber threats and damages. Implementing internal update servers and push technology as a workaround for the local administrator rights problem shouldn't be necessary.

I recently took on the task of eliminating Symantec’s Antivirus Corporate Edition administrator requirement for a mid-sized business. I’m singling out Symantec only because I had to solve this particular client's problem; I’m sure other valid examples exist (HP’s Photosmart software, for one). I also need to acknowledge that the client is running Antivirus Corporate 7.5, and newer versions might already have addressed these concerns.

I searched Symantec's support site for the terms “administrator,” “rights,” and “liveupdate” and turned up a whopping 94 articles, most of which affirmed that you can't run Symantec’s LiveUpdate utility without local administrator rights. I found an article that explains how to fine-tune how LiveUpdate operates. The article "Restricted users cannot run LiveUpdate under Windows 2000" (Document ID: 2000100614565548) offers two methods for running LiveUpdate without local administrator rights.

If you don’t want to implement the company’s managed client software, you can use either method on a single machine, a group of machines, or across an enterprise. LiveUpdate in Antivirus Corporate client 7.x and later uses the registry value entry EnableAllUsers to determine whether local administrator rights are required. When this entry has a value of 1, any logged-on user can run LiveUpdate manually. During testing, LiveUpdate also ran as scheduled when nobody was logged on, although the reference article doesn't document this feature.

To enable LiveUpdate for any user, start a registry editor that lets you change the permission mask on registry entries. Navigate to the HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\PatternManager registry subkey. Make sure the EnableAllUsers entry has a value of 1. If the EnableAllUsers entry is not present in the right-hand pane, create it, give it a data type of REG_DWORD, and set its value to 1. If you want to make this change on multiple systems, you can use a registry script. Open a text-only editor, paste in the following code, and save the file as liveupdate.reg.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001

To run the script, double-click the liveupdate.reg file on each system. The article doesn't tell you to restart the virus client service or to reboot. If the code reads this setting every time it runs, you should be able to log on as an ordinary user and manually run LiveUpdate. If the manual update fails, restart the Symantec AntiVirus Client service and try again. You can disable non-administrator updates again by setting EnableAllUsers to zero or by deleting the EnableAllUsers value entry.

If you operate in a more secure environment, you can fine-tune LiveUpdate to run only for a specific user or group using the second method documented in the article. The instructions tell you to grant Full Control to the user or group for several registry keys and directories. When a user has Full Control on antivirus registry keys and directories, malware running in the context of that user can delete the keys and directories, possibly disabling the scanner.

After experimenting, I determined that LiveUpdate will run without Full Control (Symantec, please address this in your documentation). I removed the permissions that let the user write an ACL or change the owner of the key, but I didn’t have time to isolate the minimum set of permissions. I also discovered that the ACL on the HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps subkey must grant the Create Subkey permission. I’m not sure I understand why, unless the code is using this portion of the registry as a temporary buffer. Each time you change the permission masks, close the registry editor, restart the client service, log on as a non-administrative user, and verify that you can manually run LiveUpdate.
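The EnableAllUsers change above and the ACL concern in the last two paragraphs can be scripted and checked in one place. The following PowerShell is an added example, not from the article or from Symantec: it sets the value the article describes and then reports any ACE on the two keys the article names that gives a non-administrator Full Control, Change Permissions, or Take Ownership. The list of principals treated as expected holders of those rights, and the service display name passed to Restart-Service, are assumptions about the environment.

```powershell
# Added example (not the article's own code). Key paths are the ones the article names.
$PatternManagerKey = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager'
$InstalledAppsKey  = 'HKLM:\SOFTWARE\Symantec\InstalledApps'

function Set-LiveUpdateAllUsers {
    # Creates or updates the REG_DWORD EnableAllUsers (1 = any logged-on user may run LiveUpdate).
    param([switch]$Disable)
    $value = if ($Disable) { 0 } else { 1 }
    if (-not (Test-Path $PatternManagerKey)) {
        throw "Key not found: $PatternManagerKey (is the SAV Corporate 7.x client installed?)"
    }
    # -Type DWord creates the entry when it is absent, so no separate New-ItemProperty is needed.
    Set-ItemProperty -Path $PatternManagerKey -Name EnableAllUsers -Value $value -Type DWord
    (Get-ItemProperty -Path $PatternManagerKey -Name EnableAllUsers).EnableAllUsers
}

function Test-LiveUpdateKeyAcl {
    # Reports Allow ACEs that let a non-administrator hold Full Control, rewrite the ACL
    # (ChangePermissions) or take ownership: the rights the article found LiveUpdate does not need.
    param([string[]]$Keys = @($PatternManagerKey, $InstalledAppsKey))
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    $dacl  = [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership
    # Assumption: these principals are expected to hold such rights; adjust for your environment.
    $expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($ace in (Get-Acl -Path $key).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($id -in $expected) { continue }
            $rights = $ace.RegistryRights
            # FullControl is a mask, so test for the whole mask; the two single bits test with -band.
            $isFull = (($rights -band $full) -eq $full)
            if ($isFull -or (($rights -band $dacl) -ne 0)) {
                [pscustomobject]@{ Key = $key; Identity = $id; Rights = $rights }
            }
        }
    }
}

# Usage, run elevated on one client (wrap in Invoke-Command -ComputerName for many clients):
#   Set-LiveUpdateAllUsers      # returns 1 once the value is in place
#   Test-LiveUpdateKeyAcl       # no output means no over-broad ACE was found
#   Restart-Service -DisplayName 'Symantec AntiVirus Client'   # display name assumed as the article gives it
```

Run Test-LiveUpdateKeyAcl again after applying the article's second method, and tighten any ACE it reports before handing the machine to the user.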

The article states that these registry changes let a logged-on user run LiveUpdate manually, but it doesn't discuss whether LiveUpdate will run when nobody is logged on. After making these modifications on a Windows XP Service Pack 2 (SP2) test machine, I verified that the manual update worked. Next, I scheduled LiveUpdate to run and logged off. When I logged back on as an ordinary user, the date and time field indicated that LiveUpdate had successfully downloaded new definitions.

Purveyors of online update technology can significantly reduce the potential consequences of malware by eliminating the need for local administrator rights and by eliminating the need to touch every desktop with registry modifications to accomplish this goal. When you multiply the time it takes to propagate such changes by the number of online update utilities, the workload in our patch-or-die universe increases immensely. Instead of giving us client-management code that requires more hardware, software, manpower, and dollars, vendors should implement updates that run securely in the user context and with the fewest permissions possible. Feel free to add the name of other vendors who implement updates this way in the Comments section at the bottom of this page.

Reader Comments
These practical articles/columns are invaluable. Thank you.

RRex January 25, 2005


Paula, thanks, great article.

PEKnox January 25, 2005


This is a VERY useful article. I did not know that I am vulnerable to a hacker with local rights set wrong. Thanks.

Hosea C. Logan, Jr.

Anonymous User January 25, 2005


I am confused. You are using SAV CE and NOT using Symantec's Console on the server? You can do lots of things with that, including allowing and disallowing users to launch LiveUpdate, letting the clients (computers) update from Symantec or your own servers, and lots of other stuff.

Anonymous User January 26, 2005


If you are using Symantec Antivirus Corp Edition, the user should not have to do an update that can be pushed out from the Symantec Center console. Doug@imiw.net

Anonymous User January 26, 2005


You might want to tell your client to upgrade, as 7.5 is not supported any longer. It is a VERY old product, and does not provide the protection and features of the newer products.

The below URL will give you more information about the product, however, Version 7.5 was "EOL'd" in March of 2004. Version 7.6 EOL's in March of this year.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002021415560839?Open&dtype=corp&tdir=&tpre=&src=ent_web_nam

The practicality of the information is in direct proportion to its usefulness, and since LiveUpdate can be run by users that are not local administrators since version 7.6, this is mostly irrelevant.

But thanks for trying all the same.

Just my 2¢, YMMV.

~j.


Anonymous User January 27, 2005


I would think that someone with a byline that reads, "Paula Sharick is contributing editor and online columnist for Windows IT Pro and a consultant specializing in Windows configuration, support, and security." would not continue to remove features like a centralized administrator console for a company, but would instead position that organization for an upgrade to a newer, more protective software revision.

As a security practitioner, I would NOT remove the centralized administration console from the environment, but would configure it to provide automatic updates, as the product was designed. Paula noted that the client is running an old version of the AV software, in fact, as noted by the previous poster, a NON-SUPPORTED version. Are they running Windows 3.11 as well? What kind of information is this? Sorry, this is a very misleading article, and one that should be shown as "HOW NOT TO CONSULT WITH A COMPANY", or "WHY SECURITY FAILS" instead of the current title.

Anonymous User January 27, 2005


I would agree - if one writes an article it should be based on a current version. Symantec should contact Paula and explain outdated vs current. But again this is a free article and once the information is published the author is on to the next article. So don't expect Paula to respond.

Anonymous User January 29, 2005


Paula Sharick
Keeping Up with Win2K and NT
InstantDoc #45205
Web Exclusive
-----------------------------------
Yeah, keeping up with NT, good luck. Win2K is on its way out (where's Service Pack 5?). No exclusive here.


Anonymous User January 29, 2005


Yup...our current version is 9.02, and as far as I recall this feature was in there at least by 7.6 if not 7.5. It is a setting in client options in the SSC.

take care.

supa

mrsupa January 30, 2005


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing