Hi everyone, and welcome to this week’s episode of Eight Weeks of the Essential Eight. In this episode we’ll be exploring administrative privileges and why restricting these privileges is vital in protecting your business against cyber-attacks.
The ACSC defines this strategy as: restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
This strategy is probably the most self-explanatory of the eight, and at a base level, you probably already have some form of admin restrictions in place.
Now you wouldn’t just give the keys to your home to anyone right? Because the more people who have your keys, the more likely it is someone will lose them or leave the house unlocked, which literally leaves the door open for people with ill intent.
Administrative accounts are the keys to your network, data, and systems.
If cyber attackers gain access to these proverbial keys, they can wreak havoc across your network and servers. Attackers use malware and brute force attacks to compromise admin accounts because they are the most powerful in your organisation. As you probably know, users with administrative privileges can make significant changes to their configuration and operation, they can bypass security settings, and they usually have access to sensitive info.
If an adversary succeeds in claiming an admin account through brute force or malware, they can spread malicious code to your entire network, they can avoid detection, access sensitive data, and they can completely resist all efforts of removal.
Referring again to the house keys analogy, you’ve now got a dangerous squatter in your home who is refusing to leave, rifling through your personal belongings, and possibly demanding money. Not an ideal situation you want to be in.
Unfortunately, the solution isn’t as easy as you may think.
First, lets discuss the principle of ‘least privilege’.
The Principle of Least Privilege
In a least privileged environment, most of your users are operating with non-privileged accounts 90-100% of the time. A non-privileged account is a ‘standard user account’, which has a limited set of privileges like web browsing, opening emails, using Office applications, or accessing limited resources or apps that are defined by their role in your organisation.
When you set up a least privilege environment, you review the activities your administrators do and only assign the privileges they absolutely need to complete their jobs.
For instance, a standard user account does not need to install applications, so you should remove those privileges, or someone who only needs access to a database does not need the ability to take backups, and so on. By sharing and assigning certain privileges only to those who need them, you reduce the freedom an adversary may have if they compromise an account.
I promise this will be the last house keys analogy, but basically operating in a least privilege environment means if an attacker gets access to one of your keys they may be able to unlock your gate, but they won’t have the key to open your front door.
So where do you start?
Before you implement the requirements that are outlined in Maturity Level One, you need an inventory or a record of your admin accounts and your organisation’s admin tasks.
How to create a secure admin privileges record:
Every account on your network, and that includes standard user accounts, needs to be checked for their privileges. Users who do not need those privileges should be stripped of them.
Identify the admin tasks your organisation undertakes, like backing up files, resetting passwords, or adding users to new groups.
Each admin task requires only a basic set of privileges, so once you’re armed with a list of your organisations admin tasks you can then create user accounts for your team members and assign ONLY the privileges they need to perform their jobs.
Once you’ve inventoried and set up a record of your admin accounts and privileges, you can move on to implementing the requirements for Maturity Level One.
Maturity Level One Requirements
Requirement 1: Requests for privileged access to systems and applications are validated when first requested
So you’ve determined and documented the privileges for your user accounts, but what happens when you get new users, or the scope of work for one of your current admin users changes?
Anyone who requests certain privileges and has not been previously approved must be evaluated before receiving approval in order to align with this requirement. Do they need administrative privileges? And if so, which privileges do they need? Once this has been evaluated, you can then choose to give those privileges to them.
Remember to document the validated request and add it to your inventory so you can keep track of the allowed privileges.
Requirement 2: Privileged users use separate privileged and unprivileged operating environments
Malware is usually executed through successful phishing attempts, drive-by downloads, or even malware ads on the internet. What this requirement is saying is that users who need admin privileges should have two accounts; one that has privileged access, and one without. That’s so they can use their admin account solely for the tasks that need privileged access, and then use their standard user account for things like web browsing, or checking emails, and opening documents.
Requirement 3: Privileged accounts (excluding privileged service accounts) are prevented from accessing internet, email, and web services
For the same reason as the previous requirement, to completely remove the chances of malware executing on your privileged accounts, you need to set security controls that stop them from reading emails and browsing the web when they are using the admin account.
Requirement 4: Unprivileged accounts cannot logon to privileged operating environments
You shouldn’t log into a system with a user account that has the ability to install new software or make changes to the system. If you go to a website or click on a link in an email that has malware, the malicious software can only run with the privileges of the logged in user account. If that account isn’t an administrator, the malware can’t do much harm.
You should also make sure all default passwords and usernames for admin accounts are updated, and apply multifactor authentication to ensure that even if an adversary gains access to your passwords they won’t be able to get past the second authentication method.
Monitoring Privileged Access Controls
Finally, let’s discuss monitoring and auditing privileged access controls. You should be revalidating all accounts that have privileged access on a yearly basis, or when someone with admin privileges leaves your business.
Your secure inventory/record should include the following information:
- Users who are authorised to access privileged accounts
- The person who provided authorisation for those privileges
- When the privileges were granted
- What privileges were granted
- When privileges were last reviewed
- When the level of privileged access was changed, and to what extent (if applicable)
- When privileged access was withdrawn (if applicable)
Alternatively, you can request the services of an outsourced IT company to assist with auditing your admin accounts and privileges and managing your inventory. A managed service provider can monitor every privileged task that is undertaken on your system, set up or remove admin privileges, revalidate restrictions, and apply policies to your standard user accounts.
And that’s it for restricting admin privileges! Stay tuned for the next episode, where we’ll be discussing application control. If you have any questions about this video please feel free to shoot through an email, and I’ll see you in the next episode.