The ASD Essential Eight cyber mitigation strategies publication offers up eight of the most critical security controls that can help fend off cyber-attacks. Aside from the cyber hygiene measures of patching applications and operating systems, the Australian Signals Directorate suggests that restricting the use of administrative privileges can help limit the extent of incidents, since admin accounts provide the keys to the kingdom, and attackers will use these accounts to take control of systems and steal information.
Australian Signals Directorate, 2017
This instalment of our cyber mitigation strategy series looks at the benefits of taking a firm hand with the allocation of administrative privileges and how a more structured approach can significantly elevate your organisation’s security posture.
To steal your company secrets and gain unfettered access to your systems, attackers typically start their operation by targeting the user accounts that hold administrative privileges. These special accounts always have a higher level of access to your systems than normal user accounts, and if they fall into the wrong hands the attacker can do whatever they like: grant themselves access to your most sensitive information, open ports on your firewall to communicate with external accomplices, eavesdrop on private conversations, and cover their tracks by clearing or tampering with audit logs.
By minimising the use of administrative privileges, the attackers' techniques are disrupted, since any hijacked account is restricted to a basic set of privileges. Organisations that have implemented this control have created separate administrative accounts for their system managers. These accounts do not have access to the common tools used by normal users, such as Microsoft Office and email, since these applications can also be used to spread malware inside the organisation. Furthermore, such restricted administrative accounts often have their Internet access removed altogether, since this reduces the likelihood of malware reaching the account from outside the perimeter.
Reducing each administrator account's privileges to those required for the job its human holder actually does has a bonus: overall service management becomes easier. There is less chance that an administrator's mistake, or deliberate misuse, can significantly harm your business if their account does not let them do anything outside their role.
Note: Restricting the number of domain administrator accounts or temporarily making standard user accounts the domain administrator will not fix this issue. These accounts still have the potential to cause significant harm, even if the window of opportunity is reduced.
The concepts of privileges have been around in computing since the beginning. In every operating system you’ll find a distinction between normal user accounts, administrative accounts and often special accounts known as Guest. For the sake of keeping this article focused on security rather than individual implementation approaches, we’ll use the Microsoft operating system family as our reference architecture, but the same principles apply to Mac, Linux, Unix and even mainframe environments.
Privileges are used to configure the authority any given account has over the system. They provide enough granular control to allow selected users to perform certain actions, while restricting (by denying the privilege) other users from performing the same task. System privileges allow standard users to do the things they need to do, such as create new files or folders, and they also allow administrators to perform those higher-level tasks such as backing systems up, restoring from backups, changing firewall rules, installing software and interrogating the event log.
Some system privileges let an account override permissions (the access rights set on files and folders). An account that holds the backup privilege, for instance, can read every file on a file server even where the folder permissions explicitly deny it access, and the restore privilege lets it write files in the same way; on Windows these are SeBackupPrivilege and SeRestorePrivilege, and members of the Backup Operators group hold both. Privileges of this kind take precedence over the object's own permissions, which is why membership of such groups needs the same scrutiny as administrator rights.
A few of the system privileges you can assign to users are as follows. Most of these are granted automatically to the domain administrator, so you can see why that account is a prime target for an attacker:
We have chosen to list these specific privileges because you can instantly see how much power each affords the user. If an attacker gains access to an account holding this level of privilege, the harm they can do is correspondingly greater.
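To see which accounts on a given host actually hold the most powerful of these rights, the following added example (not code from the original article) exports the local security policy with secedit and resolves each SID in the [Privilege Rights] section to an account name. The watch list of privileges is this example's own selection; it assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example: enumerate which accounts hold high-impact user rights on this host.
# Assumes: elevated PowerShell session (secedit needs administrator rights).
# Privilege names are Windows constants; the watch list is this example's choice.
$WatchList = @(
    'SeDebugPrivilege',             # read/write memory of any process, e.g. LSASS
    'SeBackupPrivilege',            # read any file regardless of its ACL
    'SeRestorePrivilege',           # write any file regardless of its ACL
    'SeTakeOwnershipPrivilege',     # take ownership of objects
    'SeLoadDriverPrivilege',        # load kernel-mode drivers
    'SeTcbPrivilege',               # act as part of the operating system
    'SeImpersonatePrivilege',       # impersonate clients after authentication
    'SeAssignPrimaryTokenPrivilege' # replace a process-level token
)

function Get-UserRightsAssignment {
    # Export the local security policy and parse its [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run as Administrator.' }
    $inSection = $false
    $result = @()
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $privilege = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                # Entries are either *SID or a plain account name.
                $name = $entry
                if ($entry.StartsWith('*')) {
                    try {
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = $entry }   # orphaned/unresolvable SID: keep the raw value
                }
                $result += [pscustomobject]@{ Privilege = $privilege; Holder = $name }
            }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $result
}

# Report only the watch-listed rights; every holder listed here deserves a justification.
Get-UserRightsAssignment |
    Where-Object { $_.Privilege -in $WatchList } |
    Sort-Object Privilege, Holder |
    Format-Table -AutoSize
```

Run this across your servers and compare the output with the task groups you have defined; any holder that is not one of those groups (or a well-known built-in such as Administrators) is a finding. For the privileges held by the account you are logged on as right now, whoami /priv shows the same information from the current token.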
The best approach to implementing enterprise privilege management is to focus on defining the tasks your administrators do and then assign their privileges accordingly. Security architects often start by identifying the groups of administrative tasks that the organisation undertakes, such as backing up files, resetting passwords, adding users to groups, provisioning remote access, and so on.
Each of these administrative tasks requires a basic set of privileges atop those of a standard user account. Once you know what these privileges are, you can create user accounts for your administration team, then assign only the privileges they need to do their job. That way, your level 1 administrators on the service desk can change passwords and perform some basic diagnosis, but they have not got the privileges to take ownership of a user’s files and folders or remotely take over their workstation.
When you install an operating system such as Windows or Linux, a special account with every privilege assigned is created automatically (root on Linux, the built-in Administrator on Windows). In an enterprise Windows environment, the domain's built-in Administrator account (RID 500) has this god-like right to do everything. Many organisations let their system administrators use this account for day-to-day administration. That is an incredibly dangerous approach: not only could this one account irreversibly harm your ICT environment, there is also no individual accountability for who is using it at any given time, and the account cannot be deleted. A better arrangement is to reset the domain Administrator account to a long, complex password, write it down on a piece of paper and store it in your corporate safe or offsite in a safety deposit box. Limit its use to genuine break-glass situations, reset the password again afterwards so that it is off limits, and alert on every logon by that account, since none should occur outside a documented emergency.
There are two primary considerations when mapping administrative privilege use: which administrative roles your organisation needs, and how the privileges for those roles are grouped and assigned.
Start by determining what administrative roles you need in your organisation. For example, you might only have three engineering roles in your system administration team (aside from the manager):
Windows system administrator
Service desk analyst
Database administrator
Clearly, the Windows system administrator will need different privileges from the service desk analyst, who needs different privileges again from the database administrator. List the tasks each role performs, such as resetting passwords for the service desk analyst, then create separate, individually attributable accounts for these staff with only the privileges those tasks need.
If you have a small administration team, you can assign privileges directly to user accounts, but in a larger service management team, a better approach is to create task-related groups, and assign users into those groups.
Task groups can be as granular as you like, even down to the individual privilege. This lets you assign a user to several groups, aggregating exactly the privileges their job requires, and it gives you a natural checkpoint: before staff taking on new responsibilities are added to a group, require that they are trained in the proper use of the privileges it carries.
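The service desk example above, carried through as an added example that is not part of the original article: a task-scoped Active Directory group is created and delegated only the Reset Password control access right on the OU that holds standard user accounts, so analysts can reset passwords without being members of Account Operators or Domain Admins. The group name, OU path and analyst account are hypothetical; the two GUIDs are the fixed Active Directory schema identifiers for the Reset Password right and the user object class. It assumes the RSAT ActiveDirectory module and sufficient rights on the OU to change its ACL.

```powershell
# Added example: create a task-scoped group and delegate only "Reset Password"
# on the Staff OU to it. Names below are hypothetical; GUIDs are AD schema constants.
Import-Module ActiveDirectory

$GroupName = 'Task-ServiceDesk-PasswordReset'   # hypothetical task group
$TargetOU  = 'OU=Staff,DC=example,DC=local'     # hypothetical OU holding non-admin users only

$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password
$UserObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user

function New-TaskGroup {
    # Idempotent: returns the existing group if it is already there.
    param([string]$Name, [string]$Description)
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Description $Description -PassThru
}

function Grant-ResetPasswordOnOU {
    # Adds one ACE: Allow ExtendedRight(Reset Password) on descendant user objects.
    param([string]$GroupName, [string]$OU)
    $group = Get-ADGroup $GroupName
    $acl   = Get-Acl -Path "AD:\$OU"
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Test-ResetPasswordDelegation {
    # Lists every ACE on the OU that grants Reset Password, so the delegation can be
    # audited and anything broader than the intended task group can be spotted.
    param([string]$OU)
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.ObjectType -eq $ResetPasswordRight -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}

New-TaskGroup -Name $GroupName -Description 'Reset passwords of Staff OU users only' | Out-Null
Grant-ResetPasswordOnOU -GroupName $GroupName -OU $TargetOU
# Analysts go into the task group, never into Account Operators or Domain Admins.
Add-ADGroupMember -Identity $GroupName -Members 'sd.analyst01'   # hypothetical analyst account
Test-ResetPasswordDelegation -OU $TargetOU | Format-Table -AutoSize
```

Two caveats a practitioner will want: keep administrative accounts in a different OU from the one delegated here, otherwise the service desk can reset an administrator's password and inherit that role; and if analysts must also force a change at next logon or unlock accounts, delegate write access to the pwdLastSet and lockoutTime attributes explicitly rather than reaching for a built-in group that carries far more.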
For more information on securing privileged access in Windows Server 2016 and Microsoft Azure, take a look at https://docs.microsoft.com/en-au/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material.
Privilege management is one of the most effective ways of reducing the impact of a successful attack. If an administrator’s account is successfully targeted by an attacker, the limited privileges will restrict what the attacker has access to, hopefully making it harder for them to successfully steal your information. Furthermore, ensuring your administrative users have individual accounts, attributable to each staff member, means you can track and log exactly what each administrator is doing and audit what they have done, should an investigation ensue.
Like all of ASD's Essential Eight mitigation strategies, the protection afforded by privilege management can be bolstered further by adopting a good approach to protective monitoring. Feeding the events logged by privilege use (on Windows, for example, Security events 4672 and 4673, together with the group-membership change events 4728, 4732 and 4756) to your security operations centre allows you to profile the behaviours of your administrative staff, helping you detect patterns of misuse that may be indicators of attack or compromise.
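As an added example of that monitoring, not code from the original article, the script below flattens Windows Security event 4672 ("Special privileges assigned to new logon") into records, then flags any account outside an approved set of dedicated admin accounts that is granted a sensitive privilege, and builds a per-account baseline of privileged logons. The approved accounts, the sensitive-privilege list and the sample records are constructed for this example; the event ID and its field names are Windows constants.

```powershell
# Added example: profile sensitive-privilege use from Security event 4672 and flag
# accounts outside the approved admin set. Approved accounts and sample data are constructed.
$ApprovedAdminAccounts = @('adm-jsmith', 'adm-backupsvc')   # hypothetical dedicated admin accounts
$SensitivePrivileges   = @('SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
                           'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege')

function ConvertFrom-Event4672 {
    # Flattens a live 4672 event (from Get-WinEvent) by reading its EventData XML fields.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            Account    = $data['SubjectUserName']
            Domain     = $data['SubjectDomainName']
            Privileges = @($data['PrivilegeList'] -split '\s+' | Where-Object { $_ })
        }
    }
}

function Find-SuspiciousPrivilegeUse {
    param([object[]]$Records)
    $findings = @()
    foreach ($r in $Records) {
        # Machine accounts (name$) and SYSTEM legitimately receive these rights; skip them.
        if ($r.Account -like '*$' -or $r.Account -eq 'SYSTEM') { continue }
        $sensitive = @($r.Privileges | Where-Object { $_ -in $SensitivePrivileges })
        if ($sensitive.Count -gt 0 -and $r.Account -notin $ApprovedAdminAccounts) {
            $findings += [pscustomobject]@{
                Time       = $r.Time
                Account    = "$($r.Domain)\$($r.Account)"
                Privileges = ($sensitive -join ', ')
                Reason     = 'Sensitive privilege granted to account outside approved admin set'
            }
        }
    }
    # Baseline: privileged logons per account, to spot volume anomalies over time.
    $baseline = $Records | Group-Object Account | Select-Object Name, Count
    [pscustomobject]@{ Findings = $findings; Baseline = $baseline }
}

# Constructed sample records, in the shape ConvertFrom-Event4672 produces.
$Sample = @(
    [pscustomobject]@{ Time = (Get-Date '2024-03-01 08:02'); Account = 'adm-jsmith'; Domain = 'CORP'; Privileges = @('SeDebugPrivilege', 'SeBackupPrivilege') },
    [pscustomobject]@{ Time = (Get-Date '2024-03-01 08:15'); Account = 'jsmith';     Domain = 'CORP'; Privileges = @('SeDebugPrivilege', 'SeTcbPrivilege') },
    [pscustomobject]@{ Time = (Get-Date '2024-03-01 08:20'); Account = 'WS01$';      Domain = 'CORP'; Privileges = @('SeTcbPrivilege') }
)
$report = Find-SuspiciousPrivilegeUse -Records $Sample
$report.Findings | Format-Table -AutoSize   # expected: one finding, CORP\jsmith

# Live use on a domain controller or forwarded-events collector:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } | ConvertFrom-Event4672
# Find-SuspiciousPrivilegeUse -Records $live
```

The point of the approved-accounts check is that, once administrators have separate attributable admin accounts, a standard user account such as jsmith should never be handed SeDebugPrivilege; when it is, either someone is using a personal account for administration or the account has been compromised. In a SIEM the same logic becomes a correlation rule keyed on the PrivilegeList and SubjectUserName fields.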
Without doubt, privileged access management will help all businesses become more secure, and it does not have to be overly complicated or cause too many administrative headaches during implementation. With careful planning, it can be integrated quickly and efficiently into your enterprise. So don't wait for an attack to happen: start reducing those administrative privileges today, before it is too late.