Even Admins Can't Install: ThreatLocker (EP791)
Uncle Marv dives into the principle of least privilege, sharing real-world examples of security breaches caused by lax admin rights. He explains how tools like ThreatLocker implement a zero-trust approach, blocking even admins from installing unapproved software to enhance overall security.
This episode provides valuable insights into real-world IT security challenges and solutions. Listeners will gain a deeper understanding of why strict security measures are necessary and how they can be implemented effectively. The stories shared by Uncle Marv offer practical lessons for IT professionals at all levels.
- The Principle of Least Privilege: Marv explains why giving users the minimum level of access necessary for their work is crucial for maintaining security. He shares examples of how ignoring this principle led to security breaches.
- ThreatLocker and Zero Trust: Uncle Marv discusses the implementation of ThreatLocker, a zero-trust security solution. He explains how it differs from traditional security measures and why it's effective against modern threats.
- Challenges with Junior IT Staff: Marv shares his experiences with junior IT staff who often bypass security measures by granting admin rights. He emphasizes the importance of proper training and understanding of security principles.
- Unexpected Benefits of Strict Security: The podcast reveals how strict security measures can have additional benefits, such as preventing employees from installing non-work-related software and improving productivity.
=== Links Mentioned
- ThreatLocker - https://www.threatlocker.com/
- ASCII EDGE - https://www.asciiedge.com/
- CyberFOX - https://www.cyberfox.com/
- CyberArk - https://www.cyberark.com/
=== SPONSORS
- Premier Partner, NetAlly: https://www.itbusinesspodcast.com/netally/
- Internet Provider, Rythmz: https://www.itbusinesspodcast.com/rythmz
- Production Gear Partner, Liongard: https://www.itbusinesspodcast.com/liongard
- Travel Partner: https://www.trugrid.com/
- Travel Partner: https://www.bvoip.com/
- Digital Partner, Designer Ready: http://itbusinesspodcast.com/designerready
=== MUSIC LICENSE CERTIFICATE
- Item Title: Upbeat & Fun Sports Rock Logo
- Item URL: https://elements.envato.com/upbeat-fun-sports-rock-logo-CSR3UET
- Item ID: CSR3UET
- Author Username: AlexanderRufire
- Licensee: Marvin Bee
- Registered Project Name: IT Business Podcast
- License Date: January 1st, 2024
- Item License Code: 7X9F52DNML
=== Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
- Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ
- Become a monthly supporter: https://ko-fi.com/itbusinesspodcast
Hello friends, Uncle Marv here with another episode of the IT Business Podcast. It's going to be just a quick short one here, but even though we're not going to be having a live show this week, I thought I'd get one out before I attended the ASCII EDGE event in Orlando. And the reason that I'm doing this episode is I've had at least three conversations in the past week about the principles of least privilege.
And most of these conversations are with the juniors that I work with. And one of them I'm going to talk about in particular because I had just had a conversation with this junior to remind him of why we put ThreatLocker in place. And for those of you that do not know, in my business, I started using ThreatLocker last year, well, maybe over a year and a half ago, basically to combat certain situations where I had juniors that were raising user privileges to admin status so that they could install stuff and literally bypass not just installing programs, but also some programmatic issues that we had.
In particular, there was one billing program for the legal industry where every so often the UAC would just start popping up for no apparent reason. And instead of fixing the problem, it was just easier to give the user admin rights so that they could do it themselves. And we had to figure out a way to stop that.
So just so that everybody knows, if you're not dealing with the principle of least privilege, it's basically obviously not allowing regular users to have admin rights. But when we went to ThreatLocker, of course, even as an admin, you can't install stuff. So, we had been working this way for at least a year with this client, and I just got another email where the junior was trying to do something with Adobe Acrobat and even wrote in the email, I even made her an administrator.
So, we had to go and have a discussion again. Now, in this particular case, if it was just regular Adobe Acrobat, which was already an approved application, and they should have been able to install that anyway because it was ring-fenced and everything. However, they were trying to do something different, and I don't think it was the regular Adobe program, but the bottom line is ThreatLocker stopped them, and the technician just kept thinking that for some reason, if he just made the person an admin, he'd do it.
And so, we had to have that conversation, and it was just a weird conversation to try to explain to them what the concept of no trust meant, meaning that even as an administrator, if we don't know the program, it's not going to install. And that's just the way it is based on all of the cyber threats that are out there now. And we even had to talk about one of the things that I found out I liked about ThreatLocker was that it would stop web browser extensions from installing.
And in particular, this same client, we had a situation, well, we had two situations. One, the owner was upset when he found out that people were doing so much shopping while they were at work. And the reason we found that out is as we were going through and evaluating some of the things that had been blocked by ThreatLocker, one of the things we found was the Google extension for Honey, the program that will go out and find you the best prices on stuff.
And that was one of the things that they were like, good, we don't want them to install those things. So that was the first thing. But the second thing, and this was we had to remind them of a situation that had happened in the past before we had ThreatLocker, before we had any sort of, you know, things in place.
One of the secretaries was actually double dipping while they were in the office. This was not a situation where, like in a lot of cases since the year of our COVID, where people are working remotely and working two jobs because who's going to monitor them while they're at home? This was an employee that was in the office that had downloaded and installed a separate case management program that they were running, in a sense, their own legal office out of this physical office of the client. And it had gone on for probably a month or two, maybe two, I think.
And the way that they found out was they had found a letter that had gone out with this person's name as the representing attorney, but a different firm name on the letterhead. They asked me to do some digging. So I went into our inventory software for that computer and said, oh, yeah, here's a couple of other software that are not yours.
And of course, they were like, well, how can they install this? And I said, well, Junior made them an admin or Junior installed it for them. That's really the only way that it could happen. And that's when we actually started being able to do all the things with no trust, like installing ThreatLocker.
And I think, oh, yes, this was the one I remember. So years ago, I had started using group policy to actually scan and remove users from the local administrators group. So there is a setting in group policy.
And I'm not prepared, but I know it's one of the OUs that you can go in and local users and groups and the control panels or something, and it'll basically remove regular users from the admins group. But then there is a second thing called restricted groups. And this is where Junior had actually taken the time to do the research and find out that if you put a user in the restricted groups, then they would not be removed from the local admin and they would be treated as such.
And that's when I'm like, OK, we got to go a little bit above and beyond that. And the reason that that was an issue for me. So doing the group policy, one of the things that I found out, and again, this is years ago, you could set that policy to remove local admins.
However, group policy doesn't always, you know, it's not a real time scan. There are times where group policy could refresh as much as 90 minutes. So juniors were realizing that they could temporarily put somebody in the local admins group, let them take care of whatever they needed to take care of before the next group policy refreshed.
And so that defeated the whole purpose of what we were trying to do. So that was the workaround that I had to stop. And so ThreatLocker was, at least in my opinion, one of the things that really made it stand out.
Now, there are other products in our industry, you know, CyberFOX, CyberArk, you know, a lot of these programs that are doing the privileged access management, they all do this to some degree. But ThreatLocker was the one that I came across because it was literally a zero trust from the start so that, yes, even legitimate programs got blocked if they weren't approved or if they weren't learned in the environment. So that was what had happened in the past.
I had to remind them of that. And then we talked about, you know, these last couple of incidents where this is the reason that people cannot install stuff in the environment. And of course, I had to remind them, even myself, if I were to go in and try to install a brand new program unknown to us, I'm going to get blocked.
And that's the way we want it based on the cyber posture that this firm has said that they're going to take and, you know, to protect themselves. And I think hopefully I've gotten through. But I did ask a couple of people, you know, if there was a way that they had talked to their clients about, you know, on explaining this in a better manner.
So if you are listening to this and you have, you know, maybe a, you know, email template or some sort of pictographic that you're using to explain to users, you know, why we're not allowing people to just install what they want. I went to try to look back and find some of my old stuff. But of course, that was old.
We're talking, you know, I remember having this conversation with this customer, you know, 2010, 2012, because I had to, and the reason I know that's because I went back and found one of the emails that I kept specifically for this reason. But I need to update, obviously, some literature to send out to clients. So if you have something that you guys send out that is worded really nicely, crafted really nicely, I went out to, you know, the AI and asked, and I'm not quite sure I like the way any of those are worded.
They just, you know, they're technical. I want this to be something that is really understandable by end users. So that's it.
Just a thought in my head that I wanted to get out before I headed up to Orlando, ASCII. And if you're in Orlando and you're at the event, we'll see you there. If not, I'll see you soon.
But that's it. Talk to you later. And until next time, holla.
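The group policy gap Marv describes (a technician adding a user to the local Administrators group and finishing the install before the next refresh, up to 90 minutes later) can be narrowed with a scheduled audit that runs every few minutes and with alerting on Security event 4732 (a member was added to a security-enabled local group). The script below is an added example written for this page, not code from the podcast or from ThreatLocker; the allow-list entries (CONTOSO\Domain Admins, CONTOSO\svc-msp-admin) and the LocalAdminAudit event source are hypothetical, and it assumes Windows 10/11 or Server 2016+ with the LocalAccounts module, run elevated.

```powershell
# Added example: audit the local Administrators group against an explicit allow-list,
# log any unexpected member, optionally remove it, and list recent 4732 additions so the
# "temporarily make them admin until GP refreshes" workaround is visible and short-lived.
# Assumes Windows 10/11 or Server 2016+ (Get-LocalGroupMember / Remove-LocalGroupMember).
param(
    # Hypothetical allow-list; the domain and service account names are placeholders.
    [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins', 'CONTOSO\svc-msp-admin'),
    [switch]$Remove,            # without -Remove the script only reports (audit mode)
    [int]$LookbackMinutes = 90  # matches the worst-case Group Policy refresh interval
)

$group  = 'Administrators'
$source = 'LocalAdminAudit'     # hypothetical event source; create once with New-EventLog

# 1. Compare current membership with the allow-list.
foreach ($m in Get-LocalGroupMember -Group $group) {
    # $m.Name comes back as "DOMAIN\user" or "COMPUTER\user".
    if ($Allowed -contains $m.Name) { continue }

    $msg = "Unexpected member of local $group on $env:COMPUTERNAME: $($m.Name) " +
           "($($m.ObjectClass), source $($m.PrincipalSource))"
    Write-Warning $msg
    # Surface it to the RMM/SIEM through the Application log; ignore a missing source.
    try { Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1001 -Message $msg } catch {}

    if ($Remove) {
        Remove-LocalGroupMember -Group $group -Member $m.Name -ErrorAction Stop
        Write-Output "Removed $($m.Name) from $group"
    }
}

# 2. Show who was added to a local group inside the refresh window, even if they were
#    removed again since: Security event 4732 records the member and the account that did it.
$since = (Get-Date).AddMinutes(-$LookbackMinutes)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Group Name:\s+$group" } |
    ForEach-Object {
        # The message text carries Member (SID) and Subject (who added it); keep it whole for the ticket.
        Write-Output "[$($_.TimeCreated)] 4732 addition to $group"
        Write-Output $_.Message
    }
```

Run it as a scheduled task (for example every 5 minutes) in audit mode first, then add -Remove once the allow-list is confirmed; the 4732 query needs "Audit Security Group Management" enabled in the audit policy.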