10 Critical Steps to Survive a Ransomware Attack, Step 1: Drop Administrator Rights

This is part 1 of a 10-part series of articles on protecting your business assets from ransomware. You can read the articles as a series of blog posts, or request a copy of the entire series in this free whitepaper: 10 Critical Steps to Survive a Ransomware Attack.
Step 1: Drop Administrator Rights
One of the absolutely most effective ways to shield your network from viruses and spyware is to not log on to your computer as an administrator. As soon as I say this, I usually encounter some resistance because users think that giving up admin rights equates to giving up power. In a way, you are, but for decades I’ve likened full admin rights on a computer to walking around with a loaded gun that might go off at any minute, and pointing it at people (including yourself). I have seen plenty of damage done by users who thought they needed (but really just wanted) administrative rights over machines, and in truth, they did not.
My rationale for not wanting admin rights is as follows:
  • Administrative rights give you the ability to install programs.
  • Viruses, spyware, and other malware are programs. Therefore,
  • administrative rights give you the ability to install viruses, spyware, and other malware.
People sometimes think I mean they would intentionally attempt to install viruses, spyware or other malware, but that’s not what I’m saying. The problem is that viruses, spyware and their ilk either pose as legitimate software, like a browser plugin (“You need a new video player to watch this movie. Click here to install!“) or an email attachment which you think you want to run (“Click here to view this greeting card!“).

As an average user, you do not require administrative rights to run your own machine. If programs need installing, then this is something you (or your administrator) should do separately, under a special, administrative account. You do not need to be an admin all the time. This is the principle of Least Privilege: you have only the minimum power that you require to do your job. Extra rights means extra responsibility and the potential for extra damage.

Let’s take some non-IT examples. Consider your workplace.

  • Does every employee have a master key, allowing them to get into any and all rooms, offices, closets, safes, on the premises?
  • Does every employee have the ability to write checks from the company checkbook?
  • Does every employee have the ability to sign contracts and enter into new business agreements or hire new employees?

(Note: If you answered “yes” to any of these and you have more than two employees, you can probably stop reading right now, as you have larger problems that I can’t begin to address in this forum.)

Now, I do realize that the three examples could be potentially more of a risk than administrative rights over a desktop PC, but consider the example where a user has admin rights over their PC, and, by one way or another, that PC is compromised by some form of malware. That malware in turn is used as a springboard to launch an attack against the company’s servers. Once compromised, all data on the server is available to the attacker, including emails, client/patient/student/employee/payroll records, financial data, etc.

No, You Don’t Need That Program Installed

We commonly get asked “but what if I need to install XYZ program?” I answer “then you should call us and we’ll do it for you.” At first blush, this may sound a bit excessive, but in reality, it is not. Installing software, while easy, is an avenue for security holes. You should not need to be installing software on any given day. Generally, after the first week or two, everything you need installed on your system should be installed, and you should be good to go without administrative rights. After that, it’s usually some sort of actually needed software package which, once installed, is all set and doesn’t need much care and feeding afterward, so again, I recommend to my clients that we do software installs for them.
Why Is My System Slow?

When people ask me “why is my system slow,” the answer is almost always because they have unnecessary software installed (malicious or otherwise).

  • You have to have administrative rights to install software.
  • When you install software, it frequently installs an “agent” or “service” which runs all the time, even if you don’t know you’re running it.
  • Agents or services which run on  your system slow your system down.
  • Ergo, your admin rights slowed down your system.

If I still haven’t impressed upon you that this is bad, (intentionally) installing unneeded software programs can also slow down your system. Before you install  anything on your system first ask yourself

  • Do I need this program installed?
  • Do I know all of the ramifications installing it?
  • Isn’t my system slow enough already?
Sometimes clients will ask me “just how do I go about dropping these rights? It sounds tough.
It’s actually quite simple. Make a standard, non-administrator account, and use it every day. Make a separate, administrator account, and use it only when absolutely necessary to install software. As an example, you would do your normal web surfing, email-checking, and word processing stuff as a normal user. But when it comes time to install the latest Firefox update, or software patch, you would log off, log on as the administrator account, install the patch, and log off, and log back on again as a regular user. At first, you may think this sounds like a lot of work, but if you consider that you almost always have to reboot after installing new software anyway, the additional time is negligible.
To be clear, this step will not stop most ransomware from encrypting your files, but I can add a strong level of containment to keep a virus from taking over your whole computer or entire computer network.
If you don’t now how to do this, then you really should talk to your IT provider and ask for their assistance. By restricting yourself from admin rights entirely, and delegate the task of maintaining your system to a competent IT professional, you’re in better hands. Unless your job title officially has a primary function related to information technology administration, you should not be doing this. Use this question as a litmus test: “Would I hire myself to manage someone else’s computer systems?” If the answer is “no,” then why are you trying to manage your own?
If you’d like to hear this article discussed in podcast form, it is available as an episode of the Blurring the Lines Podcast. Or, you can continue reading part two.

Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.