Security Basics -- Privileged Account Management

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here.

Account management is a basic security function, but not all accounts are created equal. Generally, any network or system has a few key accounts that have privileges or capabilities beyond those of "regular" users accounts. Administrative functions must be performed, and it is unavoidable that accounts and credentials for this purpose must exist. However, if these privileges are abused, the potential for destruction or loss is enormous.

Administrative privileges can be abused by an insider who has rightful access to the account(s) in question, or the credentials may be compromised and used by a malicious outside attacker. Stealing or otherwise obtaining administrative credentials is one of the top objectives of any hacker upon gaining initial access to a system, because these will allow them to deepen and broaden their ability to explore and compromise the system and its data. How can your organization manage these risks?

The key to the answer is that administrative accounts should be limited in as many ways as possible so that they are only used for their intended purposes, on the intended machines, and at the intended times. Administrative actions and accounts should then be flagged for additional auditing and attention during regular security monitoring.

  • "Regular" users should never have "local admin" privileges on their own workstations or laptops. This is perhaps the single most important step an organization can take to improve their security posture. For the past several years, the majority of Microsoft's vulnerability announcements have included this statement at the end: "Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights." The same is true of most client-side vulnerabilities -- the damage is significantly limited when the exploited user is not an administrator.

  • Users who have administrative duties should have separate accounts for this purpose, which are used only and specifically to perform those duties. Of course, these accounts should have different passwords than their "regular" accounts. An excellent step to consider would be to implement two-factor authentication for administrative accounts.

  • Administrative accounts should be configured to have no access to email or to the web. When performing administrative functions, it is rarely necessary to do either of these things. If you can't read email, you can't access a phishing email. And if you can't access the web, a very large portion of such attacks will fail anyway as malware downloads and command-and-control will fail.

  • Don't allow the "logon locally" right for privileged accounts on most or all computers in the domain. Administrative functions are often best undertaken through the use of the "run as" command (on Windows) or "sudo" (on Unix/Linux)

  • Apply specific and more detailed auditing settings to key privilege use scenarios, such as account creation and modification. It goes without saying that you must also ensure that the logs generated are secure from tampering or deletion by the same privileged users whom you are auditing.

References:
https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_ControlAdministrativePrivileges_Web.pdf
http://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890
https://technet.microsoft.com/en-us/library/Cc784501(v=WS.10).aspx

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more