21
January 2022
AutoCAD and Local Admin Accounts - reducing risk
Andy Harris
Removing the risk of local admin without impacting AutoCAD users
In any organisation, there is a wide range of users. SysAdmins, DevOps, SecOps, and NetOps teams are right at the top of the list needing administrative rights to manage their workstation environments.
But if you're in an architectural or product design business, your design department will be a close second. Most of those teams depend on Autodesk AutoCAD for their work - it's the most powerful design tool and has a vast ecosystem of add-ins for specialist tasks. Often, several specialists may work on a product line or building design. For example, those working on HVAC will need mechanical, plumbing and electrical design, and these all have their own regulations and standards and stress and flow analysis. Another team will be responsible for quantity surveying, where teams will need to know how much of what materials are required for each stage of the project.
AutoCAD has a whole marketplace of add-in applications that meet all these specialist requirements and more - for example, scaffold estimation for building designs etc.
Many components are bought in from suppliers who provide online libraries that can be used for both drawings and add-in applications. For example, component metadata will include weight and flow capacities which add-ins can use to prove design parameters.
This means that AutoCAD users effectively manage a complex environment that needs to communicate with the internet, local databases, other users' drawings and more. The result is that
most of them have acquired Local Administrator Rights to install the software.
This is an ideal opportunity for ransomware attackers and a nightmare scenario for IT cybersecurity. These are essentially the perfect conditions for malware to take hold.
Testing A Typical AutoCAD Scenario
To test the situation, we created a typical AutoCAD user environment. As is common with AutoCAD, we installed several plug-ins. To complete the install, the user had local admin rights. We then removed those rights and installed our Privileged Endpoint Management (PEM) product.
Each time our user needed to make changes to AutoCAD, we asked them to use 'Run as Administrator using PEM'. PEM was running in its "Learning Mode", so installing add-ins created elevation requests in PEM we could examine. We found AutoCAD itself needs administrator rights to install the add-ins. Interestingly, some add-ins need a workstation reboot to complete their installation, so the admin rights are also required following the reboot.
Once running, AutoCAD has an 'in-app' Application Manager that lists add-ins and their upgrade status. The App Manager can kick off an upgrade or uninstall, and these separate processes need to run with elevated privileges.
So, now we know where local admin rights are needed in AutoCAD and can create an environment where those rights weren't needed, and we can be sure that only valid and trusted add-ins would be installed.
Removing the Local Admin Risk with AutoCAD
We created a READONLY 'Kits' directory to store known "good" (i.e. clean, not infected) versions of the add-ins. From here, we could define a PEM policy that allows our user to elevate privileges for processes that involve these kits. Finally, allowing AutoCAD to be run with elevated privileges means that the App Manager can perform updates and uninstalls.
It certainly feels like we've walked a mile or five in the shoes of our customer's users, but we found clean solutions and an insight into what design and drafting departments need to deliver.
The principles of what we achieved with AutoCAD will apply in many complex applications. For example, in a previous blog, we looked at managing Visual Studio and its plug-ins without admin rights.
You can find out about PEM here.
Please get in touch if you'd like to know more or see how PEM can help you.