September 3rd, 2020
Don’t Let OneDrive Mess up your Vulnerability Scan! – WST
Are your employees using administrator-level accounts for general daily activities? If so, your institution is quite vulnerable to malware and other targeted attacks.
No daily user accounts should ever have administrative rights to their local workstations. Full stop. You may have software that a vendor says “needs admin rights to work,” but the simple fact is that there are so many workarounds for this problem in modern operating systems that there just isn’t any excuse anymore. It should also be noted that, for over 10 years, Microsoft has considered it a serious bug for software to require that users have local administrative access in order to run.
Network and system administrators should not have their daily account in a privileged group such as local or domain administrators. Instead, admins should have separate accounts that they use to elevate their privileges when needed. When using email, researching problems, or working on a helpdesk ticket, elevated privileges are not needed and can be dangerous if the admin accidentally hits a malicious ad or site while researching issues. If an admin account is compromised, the bad actor will have full access to all systems and data. While it may add extra steps when performing admin-related activities, utilizing a separate admin account makes the environment significantly more secure.
Recently, many of our clients have had significant increases in the number of vulnerabilities found during their Internal Vulnerability Scans. One of the primary reasons for this is Microsoft OneDrive, and the way it installs on workstations by default.
In most environments, OneDrive installs to the user’s local AppData folder (%localappdata%). While convenient, this means that each user basically installs their own copy of OneDrive, leading to multiple instances of the application on each system. The problem becomes evident when vulnerabilities are present in the installed version of the app. You can wind up with the same vulnerability in multiple users’ profile folders. Even worse, you need to patch each profile individually to bring them all up to date, which is not an ideal solution!
Microsoft recently released guidance on installing the OneDrive app at the machine level, which eliminates the need for OneDrive executables in each user profile folder, greatly simplifying your patching process. Per Microsoft, running OneDriveSetup.exe with the “/allusers” switch will install OneDrive to the Program Files folder, accessible by all users. As a bonus, this process also reportedly removes all of the per-user installs, killing two birds with one stone. (Your mileage may vary; as with all changes, make sure you test this on non-critical systems first!)
More information can be found at: https://docs.microsoft.com/en-us/onedrive/per-machine-installation
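To see how many per-user copies a workstation is carrying, and to confirm they are gone after a per-machine install, the following inventory script can be run before and after the change. It is an added example, not part of the original post or Microsoft's guidance; the function name `Get-OneDriveInstall` is hypothetical, the install paths are the assumed defaults, and it needs an elevated session to read other users' profiles.

```powershell
# Added example (not from the original post). Assumed default install paths:
#   per-user:    <profile>\AppData\Local\Microsoft\OneDrive\OneDrive.exe
#   per-machine: <Program Files>\Microsoft OneDrive\OneDrive.exe
function Get-OneDriveInstall {
    [CmdletBinding()]
    param(
        # Root of the user profiles; override to inspect a mounted offline image.
        [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users')
    )

    $candidates = @()

    # One possible per-user copy under every profile folder.
    $profiles = Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $candidates += [pscustomobject]@{
            Scope = 'PerUser'
            Owner = $p.Name
            Path  = Join-Path $p.FullName 'AppData\Local\Microsoft\OneDrive\OneDrive.exe'
        }
    }

    # The per-machine copy can sit under either Program Files root.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($r in $roots) {
        $candidates += [pscustomobject]@{
            Scope = 'PerMachine'
            Owner = 'AllUsers'
            Path  = Join-Path $r 'Microsoft OneDrive\OneDrive.exe'
        }
    }

    # Emit one record per binary that actually exists, with its file version.
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c.Path -PathType Leaf -ErrorAction SilentlyContinue) {
            $ver = (Get-Item -LiteralPath $c.Path -Force).VersionInfo.ProductVersion
            [pscustomobject]@{ Scope = $c.Scope; Owner = $c.Owner; Version = $ver; Path = $c.Path }
        }
    }
}

$found      = @(Get-OneDriveInstall)
$perUser    = @($found | Where-Object { $_.Scope -eq 'PerUser' })
$versions   = @($perUser | Select-Object -ExpandProperty Version -Unique)
$perMachine = @($found | Where-Object { $_.Scope -eq 'PerMachine' }).Count -gt 0
$found | Sort-Object Scope, Owner | Format-Table -AutoSize
'{0} per-user copies, {1} distinct version(s); per-machine install present: {2}' -f $perUser.Count, $versions.Count, $perMachine
```

A result with zero per-user copies and a per-machine install present is the state the “/allusers” switch is meant to produce; any remaining per-user rows are the copies a scanner will keep flagging.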