ASD Essential Eight – the importance of restricting Administrative Privileges
The ASD Essential Eight cyber mitigation strategies publication offers up eight of the most critical security controls that can help fend off cyber-attacks. Aside from the cyber hygiene measures of patching applications and operating systems, the Australian Signals Directorate suggests that restricting the use of administrative privileges can help limit the extent of incidents, since admin accounts provide the keys to the kingdom and attackers will use these accounts to take control of systems and steal information.
“Admin accounts are the ‘keys to the kingdom’, adversaries use these accounts for full access to information and systems.”
Australian Signals Directorate, 2017
This instalment of our cyber mitigation strategy series looks at the benefits of taking a firm hand with the allocation of administrative privileges and how a more structured approach can significantly elevate your organisation’s security posture.
ASD Essential Eight: Why do you need to restrict Admin Privileges?
To steal your company secrets and gain unfettered access to your systems, attackers typically start their operation by targeting your user accounts with administrative privileges. These special accounts always have higher levels of access to your systems than normal user accounts, and if they fall into the wrong hands, attackers can do whatever they like: give themselves access to your most secret information, open up ports on your firewall to communicate with external accomplices, eavesdrop on private conversations and cover their tracks by tampering with audit logs.
Disrupt Attackers’ Techniques
By minimising the use of administrative privileges, the attackers’ techniques are disrupted since any hijacked account is also restricted to a basic set of privileges. Organisations that have tackled implementing this control have created special administrative accounts for their system managers. These accounts don’t have access to the common tools used by normal users, such as Microsoft Office and email, since these applications can also be used to spread malware inside the organisation. Furthermore, specially restricted administrative accounts often have their Internet access removed altogether, since this reduces the likelihood of malware being able to influence that account from outside the perimeter.
Making Service Management Easier
Reducing and restricting the privileges associated with any given administrator account, so that each account is shaped around the job the human administrator is meant to do, has the bonus of making overall service management easier. There is less of a chance that an administrator making a mistake can significantly harm your business if their account doesn’t allow them to do things outside of their role, be it maliciously or by accident.
Note: Restricting the number of domain administrator accounts or temporarily making standard user accounts the domain administrator will not fix this issue. These accounts still have the potential to cause significant harm, even if the window of opportunity is reduced.
ASD Essential Eight: What are Privileges?
The concept of privileges has been around in computing since the beginning. In every operating system you’ll find a distinction between normal user accounts, administrative accounts and often special accounts known as Guest. For the sake of keeping this article focused on security rather than individual implementation approaches, we’ll use the Microsoft operating system family as our reference architecture, but the same principles apply to Mac, Linux, Unix and even mainframe environments.
Privileges provide control
Privileges are used to configure the authority any given account has over the system. They provide enough granular control to allow selected users to perform certain actions, while restricting (by denying the privilege) other users from performing the same task. System privileges allow standard users to do the things they need to do, such as create new files or folders, and they also allow administrators to perform those higher-level tasks such as backing systems up, restoring from backups, changing firewall rules, installing software and interrogating the event log.
Some system privileges allow users to override permissions (access rights to files and folders). For example, an account might have the right to back up and restore files on all file servers: even where the folder permissions deny that user access to the files, because the account is a member of the Backup Operators group it holds a system privilege that takes precedence over those folder permissions.
Why domain administrators are targets
A few of the system privileges you can assign to users are as follows – most of these are automatically given to the domain administrator, so you can see why it’s a prime target for an attacker:
- Add Workstations to a Domain
- Change the System Time
- Force Shutdown from a Remote System
- Increase Quotas
- Manage Auditing and Security Log
- Take Ownership of Files or Other Object
- Read Unsolicited Data from a Terminal Device
We’ve chosen to list these specific privileges because you can instantly see how much power each affords the user. If an attacker gains access to an account with this level of privilege, the amount of harm they can do is greater.
ASD Essential Eight: Task Based Privilege Management
The best approach to implementing enterprise privilege management is to focus on defining the tasks your administrators do and then assign their privileges accordingly. Security architects often start by identifying the groups of administrative tasks that the organisation undertakes, such as backing up files, resetting passwords, adding users to groups, provisioning remote access, etc.
Each of these administrative tasks requires a basic set of privileges atop those of a standard user account. Once you know what these privileges are, you can create user accounts for your administration team, then assign only the privileges they need to do their job. That way, your level 1 administrators on the service desk can change passwords and perform some basic diagnosis, but they do not have the privileges to take ownership of a user’s files and folders or remotely take over their workstation.
Top Tip for enterprise Windows environments
When you install an operating system, such as Windows or Linux, a special account, with all privileges assigned, is automatically created. In enterprise Windows environments, the domain administrator account is the account with this god-like right to do everything. Many organisations allow their system administrators to use this account for day-to-day administrator activities. This is an incredibly dangerous approach to administration: not only could this account irreversibly harm your ICT environment, there is also no individual accountability for who is using the account at any given time. A recommendation to mitigate this is to reset the domain administrator account to a long and complex password, write it down on a piece of paper and store it in your corporate safe or offsite in a safety deposit box. Limit use to only when it’s needed and afterwards reset it again so that it’s off limits.
ASD Essential Eight: Getting started – who does what in your organisation
There are two primary considerations when mapping administrative privilege use:
- What privileges do the admin guys need to do their job?
- Can account usage be directly tracked to an individual?
Start by determining what administrative roles you need in your organisation. For example, you might only have three engineering roles in your system administration team, as follows (aside from the manager):
- Windows system administrator
- Database administrator
- Service desk analyst
Assign Privileges where they are needed
Clearly, the Windows system administrator will need different privileges to the service desk analysts, who need different privileges again from the database administrator. List the tasks that the service desk analyst will do, such as resetting passwords, then create separate, attributable accounts for these staff with only the privileges they need.
If you have a small administration team, you can assign privileges directly to user accounts, but in a larger service management team, a better approach is to create task-related groups, and assign users into those groups.
Task groups can be as granular as you like, even down to the individual privilege level. This allows you to assign users to multiple groups, in effect aggregating the privileges they need to do their job. You can then require staff who take on new responsibilities to first be trained in the proper use of that privilege before they are added to the corresponding group.
For more information on securing privileged access in Windows Server 2016 and Microsoft Azure, take a look at https://docs.microsoft.com/en-au/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material.
ASD Essential Eight: Implementation
Privilege management is one of the most effective ways of reducing the impact of a successful attack. If an administrator’s account is successfully targeted by an attacker, the limited privileges will restrict what the attacker has access to, hopefully making it harder for them to successfully steal your information. Furthermore, ensuring your administrative users have individual accounts, attributable to each staff member, means you can track and log exactly what each administrator is doing and audit what they have done, should an investigation ensue.
The importance of protective monitoring
Like all of ASD’s Essential Eight mitigation strategies, the protection afforded by privilege management can be bolstered further by adopting a good approach to protective monitoring. Feeding the events logged by privilege use to your security operations centre allows you to profile the behaviours of your administrative staff, thus helping you detect patterns of misuse, which could directly correlate to indicators of attack or compromise.
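As an added example (not from the article or from ASD), the role-to-privilege mapping of the task-based approach above is combined with the protective monitoring described here: detection logic run over constructed records shaped like Windows Security Event ID 4672 ("Special privileges assigned to new logon"), flagging privileged logons by accounts that are not individually attributable and privileges granted outside the account's role. The role names follow the article; the account names, hosts and the privilege set for each role are assumptions.

```python
"""Flag privilege use that breaks a task-based privilege model.  All events
are constructed samples shaped like Windows Security Event ID 4672, not real logs."""

# Sensitive privileges each administrative role may legitimately use.  Roles
# follow the article; the privilege sets are assumptions for this example.
# Password resets use delegated AD permissions, not system privileges, so a
# service desk account is never expected to appear in a 4672 event at all.
ROLE_PRIVILEGES = {
    "service-desk": set(),
    "windows-sysadmin": {"SeBackupPrivilege", "SeRestorePrivilege",
                         "SeSystemtimePrivilege", "SeRemoteShutdownPrivilege",
                         "SeSecurityPrivilege"},
}
# Individually attributable admin accounts and their role.  The built-in
# Administrator is deliberately absent: its password lives in the safe.
ACCOUNT_ROLE = {"jsmith-sd": "service-desk", "akhan-wsa": "windows-sysadmin"}

# Constructed sample events as a SIEM might forward them.
EVENTS = [
    {"EventID": 4672, "Account": "akhan-wsa", "Host": "FS01",
     "PrivilegeList": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"EventID": 4672, "Account": "jsmith-sd", "Host": "FS01",
     "PrivilegeList": ["SeTakeOwnershipPrivilege"]},
    {"EventID": 4672, "Account": "Administrator", "Host": "DC01",
     "PrivilegeList": ["SeDebugPrivilege", "SeSecurityPrivilege"]},
    {"EventID": 4624, "Account": "akhan-wsa", "Host": "DC01"},  # ordinary logon
]


def check_privilege_use(events, roles=ROLE_PRIVILEGES, accounts=ACCOUNT_ROLE):
    """Return (account, host, reason) for each privileged logon that is either
    not attributable to an approved admin account or outside its role."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4672:
            continue  # only privileged logons matter for this check
        role = accounts.get(ev["Account"])
        if role is None:
            findings.append((ev["Account"], ev["Host"],
                             "privileged logon by non-attributable or unapproved account"))
            continue
        extra = sorted(set(ev["PrivilegeList"]) - roles[role])
        if extra:
            findings.append((ev["Account"], ev["Host"],
                             f"privileges outside the {role} role: {', '.join(extra)}"))
    return findings


if __name__ == "__main__":
    for account, host, reason in check_privilege_use(EVENTS):
        print(f"ALERT {account}@{host}: {reason}")
```

Run against the sample, the sysadmin's backup/restore logon is silent, while the service desk account holding SeTakeOwnershipPrivilege and the shared Administrator account both raise alerts that a SOC analyst can trace to a named person or to a break-glass event.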
Without doubt, privileged access management will help all businesses become more secure, and it doesn’t have to be overly complicated or cause too many administrative headaches during implementation. With careful planning, this can be integrated quickly and efficiently into your enterprise. So don’t wait for an attack to happen; start reducing those administrative privileges today before it is too late.