Analecta Cyber Company Blog: Implementing Secure Administrator Best Practices: Using the Principle of Least Privilege

2018-03-27

Implementing Secure Administrator Best Practices: Using the Principle of Least Privilege

Privileged account credentials for local, root, superuser and domain administrator accounts are the Achilles’ heel for any information-based business. A deployment of defenses can be quickly destroyed if these critical accounts are compromised by a malicious network attack or hackers determined to wreak havoc.

Managing and hardening administrator account privileges to minimize risk


Hardening systems is an ideal way to limit the risk of privileged-account compromises and can reduce the vulnerability of these special accounts. A leading best practice to achieve these goals is to implement the Principle of Least Privilege (PoLP). Simply put, for administrators that have logged in with their non-admin user credentials (e.g., jane.doe@company.com) to do normal, user tasks, they then use higher credentials (e.g., jane.doe.admin@company.com) for accessing the ability to perform administrative functions. At no time should admins be directly logging in to any system with the administration user credentials.

This form of dual authentication helps to minimize the amount of time that a superuser or root administration credentials are live and vulnerable. In a 2017 Microsoft Vulnerabilities Report (see full report link below), removing improperly assigned administrative privileges could have mitigated nearly 90% of all critical vulnerabilities during a 5-year period between 2013 and 2017.

Privileged accounts - the Attack Surface


Compromising the different levels of account types can have varying impacts. A single-user or local user account compromise is a best-case scenario as it will only impact owner files or services to which they have access.

If an administrator account is compromised, it should be realized that any information the account has access to now also has the potential of being compromised. A local administrator account compromise can impact any aspect of the system, including user files, encryption settings and local user accounts and settings, but it is still limited on a system level, not an entire domain.

Unfortunately, once domain administrator credentials are subverted, typically 100% of the business information system is considered “compromised” and the road back to a secured and trustworthy information system can take years to complete.

Understanding why achieving least privilege for your company’s admins is of critical concern, but where to start? A policy of least-credentialed administrative access is a best practice that can be implemented with a little forethought and some careful planning. As covered in other blog posts in this series, the National Institute of Standards and Technology (NIST) has a recommended set of guidelines with high-level steps towards limiting privileged account use and thus, reducing risk. Their recommendations include the following:
  1. Developing policies and identifying accounts that should be modified or changed.
  2. Issuing accounts to transition to a least-credentialed approach.
  3. Updating system and domain settings to reduce risks from compromised credentials.
  4. Auditing privileged credential use and conducting follow-up training to ensure compliance .

Developing policies and identifying accounts


If you have policies in place for how information systems and accounts should be administered, you will want to ensure they cover (or are amended to address) a least privilege policy for privileged accounts. Typically this means that users will be prohibited from using privileged accounts as their primary user account and should have a standard user account they use for all access to information systems. Privileged user account credentials should only be used when necessary to administer or make changes to the systems.

Review accounts that your IT security staff are currently using for their daily activities. This can be as simple as asking your administrators to lock their system or identify the username of the account in the “logoff” start-menu item. Some potential results of this quick audit are:
Person logged in as...Has admin credentials?Threat Level
AdministratorYesDANGEROUS
RootYesDANGEROUS
First.lastYesDANGEROUS
First.lastNoLOW
After collecting the IT administration team user logins, review the users within the domain administrators groups (for Windows) and /etc/sudoers user (profiles) group (for Linux/Unix). Any individual user accounts that match user accounts used by the IT administrators should be documented for resolution once you’ve started implementing your privileged access approach.

Re-issue user accounts

 

If your administrators are using privileged built-in accounts like Administrator and root, issue new accounts for these users following your standard naming conventions, minimum password complexity and rotation schedule.

If your administrators are using a user account that has been added to the administrator group, you should assign a new username or retire the previously used accounts. If you’re retiring accounts, you will want to ensure that you have access to at least one administrative account during the transition - otherwise you may inadvertently remove all ability to administer the entire information system.

Only standard user accounts should remain after a policy change. You will need to create additional administrative user accounts that can be used to increase privileges on a case-by-case basis to complete administrative tasks.
The Principle of Least Privilege helps to minimize risk by requiring users to login to company systems with their local accounts first (green), then use secondary authentication credentials to access administrator privileges (red keys). The concept is similarly implemented for those employees who need administrative privileges on special business applications (yellow keys).

Update system and domain settings to reduce risks from compromised credentials


You can deploy domain-wide settings through Group Policy Objects (GPOs) to reduce risks to systems from privileged accounts. Some GPO settings will modify system-level settings to prohibit network-based login to information systems and restrict automated scripts and processes from using elevated credential accounts.

Similarly, on Linux/Unix systems, there are many configuration changes that can be made that will reduce the impact of compromised root credentials. Using the sudo privilege escalation tool and ensuring the root user is not able to log in directly at a terminal or over ssh are some of the first steps you should take.

For more detailed implementation recommendations you will want to seek further guidance for your specific situation. Also, be sure to check out the Microsoft and RedHat implementation guides listed below. They are a great place to begin to understand the different settings you may want to consider reviewing or updating for your company system.

Following up 


After the reduction of privileges, it is best practice to follow up with a user account log audit at about the 30-day mark. At this point you can assess whether privileged users are using credentials in accordance with the new policies/procedures.

To perform an audit of privileged accounts, you will want to use the system logging facilities for Windows or Linux/Unix systems and filter the logs to show you which credentialed accounts were used for login since the time the policy was enacted and the transition to a least privileged account setup was completed.
  • For your Windows systems, review the Security logs in Event Viewer for logon by Administrator (the default privileged account) or other users in the administration groups.
  • On a Linux/Unix system, review entries from /var/log/auth.log and /var/log/secure. Likewise, /var/log/faillog may contain administrators attempting to login with the root user account.

Take any positive findings from your audit and provide follow-up training and continue to reinforce the importance of least privilege for those with continued administrator-level access.

How Analecta is sharing the message of cyber responsibility


Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework. Using a holistic approach and industry-standard guidelines, the Analecta Cyber Risk Assessment enables you to see how to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. A 96-point assessment identifies the most important next steps in your firm’s cybersecurity program to maximize protection.

Security is not meant to take place in a bubble. If you are looking for expert advice on implementing a cybersecurity program for your company, or need advice on where to begin, email us at info@analecta-llc.com. We are here to help!

Further Resources

  1. Unix Implementation Guides
  2. Microsoft Vulnerabilities Report 2017 Executive Summary
  3. Microsoft’s Implementation Guides:
Securing Built-In Administrator Accounts in Active Directory
Securing Enterprise Admins Groups in Active Directory
Securing Domain Admins Groups in Active Directory
Securing Administrators Groups in Active Directory