
Calibre 1 Essential 8 Series: Restrict Administrative Privileges


This blog is part of a series on the Essential Eight and how you can implement each control in a cost-effective way.

 

Previous Blogs in the Series

Backups

MultiFactor Authentication (MFA) Maturity 1

MultiFactor Authentication (MFA) Maturity 2

MultiFactor Authentication (MFA) Maturity 3

Patch Operating Systems

 

Introduction

Administrator, root, God: these accounts are all-seeing, all-knowing and, most importantly, all-powerful within an ICT infrastructure. They are the most highly sought-after accounts for cyber criminals and penetration testers alike. The unrestricted access they provide is something of a golden ticket, so they need stronger protection than a regular user account.

 

This part of the Essential Eight has many objectives, and plenty of IT staff get a headache just thinking about how to work it into their environment. The upside is that the cost of implementing the earlier maturity levels is mostly time. Boiled down to its simplest parts, it is:

  • Create a paper trail for Admin access, review and validate regularly.
  • Block admin accounts from accessing the internet.
  • Block sign in of admin accounts on unprivileged systems
  • Logging, Logging, Logging & More Logging (with a splash of monitoring).
  • Just-In-Time Access.

 

Paper & People Process

This one is simply the principle of least privilege put into practice. At Maturity 1 and above, when additional access is granted to someone it needs to be requested in writing (a ticketing system is perfect for this), signed off by their manager confirming their need-to-know, and then actioned by the support team. Write this into a Privileged Access Policy and document the procedure for every stage.

 

At Maturity 2 we add an expiry to the grant, so that privileged access to systems and applications is automatically disabled after 12 months unless it is revalidated. On top of that, privileged accounts are put on an idle timeout: after 45 days of inactivity they are automatically disabled. This can be done with PowerShell (or another tool) run on a schedule. Make sure the credentials such a job uses are stored securely, for example in Azure Key Vault, and never in the script itself.
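The scheduled job described above, as an added example (this is not code from the original Calibre One post). It assumes the RSAT ActiveDirectory module, that the groups in $PrivilegedGroups are the ones you want governed, and that the job runs under a dedicated service account whose credential is held in a vault rather than in the script. Both thresholds (365 and 45 days) are the Maturity 2 numbers from the text; the -WhatIf switches are there so you can dry-run it first.

```powershell
# Added example: privileged-account lifecycle job (12-month grant expiry, 45-day idle timeout).
# Not Calibre One's code. Requires RSAT ActiveDirectory; remove -WhatIf once the output looks right.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'  # assumed list
$MaxGrantDays     = 365   # Maturity 2: privileged access expires after 12 months unless revalidated
$MaxIdleDays      = 45    # Maturity 2: privileged accounts disabled after 45 days of inactivity
$Now              = Get-Date

# Collect every user that is a direct or nested member of a privileged group, de-duplicated.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$members = $members | Sort-Object -Property distinguishedName -Unique

foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, whenCreated, AccountExpirationDate, Enabled
    if (-not $u.Enabled) { continue }

    # 1. Grant expiry. A grant with no expiry is stamped with one (record it in the ticket);
    #    a grant whose expiry has passed is disabled outright rather than left to AD's logon block.
    if (-not $u.AccountExpirationDate) {
        Set-ADAccountExpiration -Identity $u -DateTime $Now.AddDays($MaxGrantDays) -WhatIf
        Write-Output "EXPIRY SET ($($Now.AddDays($MaxGrantDays).ToShortDateString())): $($u.SamAccountName)"
    }
    elseif ($u.AccountExpirationDate -lt $Now) {
        Disable-ADAccount -Identity $u -WhatIf
        Write-Output "DISABLED (grant expired $($u.AccountExpirationDate.ToShortDateString())): $($u.SamAccountName)"
        continue
    }

    # 2. Idle timeout. LastLogonDate is the replicated lastLogonTimestamp, which lags real
    #    logons by up to ~14 days, so it is accurate enough for a 45-day threshold.
    #    An account that has never logged on is judged from its creation date.
    $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $idleDays = ($Now - $lastSeen).Days
    if ($idleDays -gt $MaxIdleDays) {
        Disable-ADAccount -Identity $u -WhatIf
        Write-Output "DISABLED (idle ${idleDays}d): $($u.SamAccountName)"
    }
}
```

Register it with Register-ScheduledTask on a privileged host (not a workstation), and have the output written somewhere the review in the previous paragraph can pick it up; a disabled account that someone still needs is exactly the paper trail you want to see.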

 

Local administrator accounts and service accounts must be unique, with passwords that are unique and unpredictable. Calibre One recommends LAPS (Local Administrator Password Solution) for local administrator accounts and (group) Managed Service Accounts for service accounts; both generate and rotate their own passwords, so nobody ever needs to know them. For any account that neither can cover, generate a 24-character random password initially and store it in the password vault, then add the account to the relevant systems. Set it once and audit annually!
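The three cases above side by side, as an added example (not code from the original post): a gMSA for a service account, a LAPS password read for a local administrator, and a CSPRNG-generated 24-character password for anything the first two cannot manage. It assumes the RSAT ActiveDirectory module, Windows LAPS (the in-box module, not the legacy AdmPwd cmdlets), a 2012-or-later domain functional level, and the placeholder names svc-backup, APP01 and corp.example.

```powershell
# Added example, not Calibre One's code. Placeholder names: svc-backup, APP01, corp.example.
Import-Module ActiveDirectory

# 1. Service accounts: a group Managed Service Account gets a 240-character password that
#    AD rotates on the interval below. The host APP01 retrieves it itself; no human holds it.
if (-not (Get-KdsRootKey)) {
    # One-off per forest. The 10-hour backdate is the documented lab shortcut that skips the
    # replication wait; in production use -EffectiveImmediately and wait the 10 hours.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
New-ADServiceAccount -Name 'svc-backup' -DNSHostName 'svc-backup.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
    -ManagedPasswordIntervalInDays 30
# Then on APP01 itself, as an administrator:
#   Install-ADServiceAccount svc-backup ; Test-ADServiceAccount svc-backup   # expect True

# 2. Local Administrator: Windows LAPS rotates the password per machine and stores it in AD.
#    Reading it is an audited operation that only delegated principals can perform.
$laps = Get-LapsADPassword -Identity 'APP01' -AsPlainText
"LAPS account $($laps.Account) on APP01 expires $($laps.ExpirationTimestamp)"

# 3. Anything LAPS/gMSA cannot cover (appliances, break-glass accounts): a one-off 24-character
#    password from the OS cryptographic RNG, which goes straight into the vault.
function New-StrongPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (0/O, 1/l/I) dropped so the password survives being read out of a vault.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: no modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($alphabet[$b[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}
$pw = New-StrongPassword -Length 24
# e.g. Set-LocalUser -Name Administrator -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
```

The annual audit is then mostly a query: every computer object should have a LAPS password newer than its rotation interval, every service should be running as a gMSA (Get-CimInstance Win32_Service | Where-Object StartName -like '*$'), and anything left over is a vault entry with a change date.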

 

Technical Controls

Privileged accounts are blocked from accessing the internet, email and web services. Use a combination of your firewall (or proxy) and application whitelisting to stop these accounts reaching the internet directly. Then set a logon restriction policy (the "Deny log on" user rights in Group Policy) so that administrative accounts cannot log on to unprivileged workstations, and vice versa.
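Both halves of that control on a single workstation, as an added example (not from the original post): the "Deny log on" rights applied through secedit and then verified from the exported policy, plus a per-group outbound Windows Firewall rule as a second layer behind the perimeter firewall or proxy. It assumes a domain-joined host, the placeholder NetBIOS domain CORP, and that it is run elevated. In production the same five User Rights Assignment settings live in a GPO linked to the workstation OU; the script shows what that GPO does and how to check it landed.

```powershell
# Added example, not Calibre One's code. Run elevated on an unprivileged (Tier 2) workstation.
$Domain = 'CORP'   # placeholder NetBIOS domain name
$PrivilegedGroups = "$Domain\Domain Admins", "$Domain\Enterprise Admins", "$Domain\Schema Admins"

# secedit works with SIDs; NTAccount translation needs no RSAT on a domain-joined host.
$sids = foreach ($g in $PrivilegedGroups) {
    ([System.Security.Principal.NTAccount]$g).Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$sidList = ($sids | ForEach-Object { "*$_" }) -join ','

# Deny every logon type: interactive, RDP, network (SMB/WMI/WinRM), batch and service.
# A deny right always beats an allow, so it holds even if the group is in local Administrators.
$DenyRights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
              'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = {SIDS}
SeDenyRemoteInteractiveLogonRight = {SIDS}
SeDenyNetworkLogonRight = {SIDS}
SeDenyBatchLogonRight = {SIDS}
SeDenyServiceLogonRight = {SIDS}
'@
$infPath = Join-Path $env:TEMP 'deny-admin-logon.inf'
$template.Replace('{SIDS}', $sidList) | Set-Content -Path $infPath -Encoding Unicode
secedit /configure /db "$env:TEMP\deny-admin-logon.sdb" /cfg $infPath /areas USER_RIGHTS | Out-Null

# Verify from the effective policy, not from what we think we wrote.
$exportPath = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
$effective = Get-Content $exportPath
foreach ($right in $DenyRights) {
    $line    = ($effective | Where-Object { $_ -like "$right*" }) -join ''
    $missing = $sids | Where-Object { $line -notmatch [regex]::Escape($_) }
    if ($missing) { Write-Warning "$right is missing $($missing -join ', ')" } else { "$right OK" }
}

# Second layer: block outbound traffic to internet addresses for anyone holding a privileged
# group SID in their token. The 'Internet' keyword relies on the host's network classification,
# so the perimeter firewall/proxy rule remains the primary control.
foreach ($sid in $sids) {
    New-NetFirewallRule -DisplayName "Block internet for $sid" -Direction Outbound -Action Block `
        -RemoteAddress Internet -LocalUser "D:(A;;CC;;;$sid)" -Profile Any | Out-Null
}
```

The "vice versa" half is the mirror image on privileged hosts: restrict "Allow log on locally" and "Allow log on through Remote Desktop Services" to the administrative groups only. Note that denying network logon to Domain Admins on workstations is deliberate; day-to-day workstation support should be done with a separate, lower-tier admin account.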

 

Also ensure privileged users have a separate system on which to perform administrative tasks. At Maturity 1 this can be as simple as a virtual machine running on their local workstation. At Maturity 2 a privileged environment must not be virtualised within an unprivileged one, so the VM has to run on privileged infrastructure such as the server hardware, which needs a little extra resource on the host. Azure Virtual Desktop is a valuable option for this kind of requirement. This applies to all privileged systems: none of them can run virtualised on an unprivileged system. Azure's PAYG model makes it an appealing and cheap way to trial these extra systems.

 

At Maturity 2, ensure that privileged access is logged. Sysmon captures the process, network and credential-related activity on each host, while changes to administrative groups and accounts are recorded by the Windows Security log once "Audit Security Group Management" and "Audit User Account Management" are enabled in the advanced audit policy. At Maturity 3 these logs need to be forwarded to, and monitored in, a SIEM service; Calibre One is happy to assist in setting up and monitoring the SIEM as part of our ongoing security offering. Microsoft Sentinel (formerly Azure Sentinel), FortiSIEM, Splunk and Elastic are all good examples.
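The "changes to administrative groups and accounts" part, as an added example of what the SIEM should be fed (not code from the original post). It reads the Security log on the local host (a domain controller for group changes, any host for privileged logons) and reduces the events to the fields an analyst cares about. It assumes the two audit subcategories named above plus "Audit Special Logon" are enabled, that it runs as an administrator, and that $Tier0Groups lists your own privileged groups.

```powershell
# Added example, not Calibre One's code. Requires admin rights to read the Security log.
# Check audit policy first:  auditpol /get /category:"Account Management","Logon/Logoff"
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'  # assumed list

function Get-PrivilegedAccessEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $MemberAdded   = 4728, 4732, 4756   # member added to global / local / universal security group
    $MemberRemoved = 4729, 4733, 4757
    $PrivLogon     = 4672               # special privileges (SeDebug, SeBackup, ...) assigned to a new logon

    $filter = @{ LogName = 'Security'; Id = ($MemberAdded + $MemberRemoved + $PrivLogon); StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is easiest to read from the event XML: <Data Name="...">value</Data>
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($e.Id -eq 4672) {
            # 4672 also fires for SYSTEM and service logons; keep only domain/local user SIDs.
            if ($d.SubjectUserSid -notlike 'S-1-5-21-*') { continue }
            [pscustomobject]@{
                Time = $e.TimeCreated; Event = 'PrivilegedLogon'; Who = $d.SubjectUserName
                Target = $env:COMPUTERNAME; By = $null; Privileges = $d.PrivilegeList
            }
        }
        else {
            $isAdd = $e.Id -in $MemberAdded
            [pscustomobject]@{
                Time = $e.TimeCreated
                Event = if ($isAdd) { 'MemberAdded' } else { 'MemberRemoved' }
                Who = $d.MemberName; Target = $d.TargetUserName; By = $d.SubjectUserName
                Tier0 = ($d.TargetUserName -in $Tier0Groups)   # the ones worth an immediate alert
            }
        }
    }
}

Get-PrivilegedAccessEvents | Sort-Object Time | Format-Table -AutoSize
```

Any "MemberAdded" row with Tier0 set to True that does not match an approved ticket is the alert the Maturity 3 SIEM rule should raise. For fleet-wide collection, Windows Event Forwarding (wecutil on a collector, "Configure target Subscription Manager" on the clients) or the SIEM's own agent carries these events off the host.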

 

At Maturity 3, set up Windows Defender Credential Guard and Remote Credential Guard and roll them out via policy. Set up role-based access control, working towards the principle of least privilege, and, as discussed in the backup post, use dedicated administrative accounts that serve a single purpose. Finally, pair Azure Bastion with Just-In-Time VM access (a Microsoft Defender for Cloud feature): Bastion removes the need for public RDP/SSH endpoints, and JIT keeps the management ports closed until access is requested and approved for a limited window. This concept is both very cool and very secure.
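The Credential Guard and Remote Credential Guard rollout on a single host, as an added example (not code from the original post). It writes the documented registry values that the equivalent Group Policy or Intune settings write, then checks after a reboot whether the protection is actually running rather than merely configured. It assumes UEFI, Secure Boot and a hypervisor-capable CPU; it must not be applied to domain controllers, where Credential Guard is not supported.

```powershell
# Added example, not Calibre One's code. Run elevated; a reboot is required before the
# verification function reports anything as running. Not for domain controllers.
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Item -Path $dg -Force | Out-Null

# Virtualization-based security on; 1 = require Secure Boot, 3 = Secure Boot + DMA protection.
New-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures   -Value 1 -PropertyType DWord -Force | Out-Null

# LsaCfgFlags: 1 = Credential Guard with UEFI lock (cannot be disabled remotely, needs physical
# presence to clear), 2 = enabled without the lock. Use 1 on privileged workstations.
New-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -PropertyType DWord -Force | Out-Null

# Remote Credential Guard on an RDP target only needs Restricted Admin not to be disabled
# (0 is the default; set it explicitly so a previous hardening step cannot silently break it).
New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -PropertyType DWord -Force | Out-Null

function Test-CredentialGuard {
    # Win32_DeviceGuard reports configured vs running services: 1 = Credential Guard, 2 = HVCI.
    $s = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($s.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfig  = (1 -in $s.SecurityServicesConfigured)
        CredentialGuardRunning = (1 -in $s.SecurityServicesRunning)
        HvciRunning            = (2 -in $s.SecurityServicesRunning)
    }
}
Test-CredentialGuard

# Client side, from the privileged workstation or jump host:
#   mstsc.exe /remoteGuard /v:<target>
# The admin's credentials never leave the client; the target only receives Kerberos service
# tickets that stop working when the session ends, so a compromised target cannot replay them.
```

A host where CredentialGuardConfig is True but CredentialGuardRunning is False after a reboot usually has Secure Boot off or virtualisation disabled in firmware; that is the check to build into your compliance reporting, since the policy applying successfully is not the same as the protection being active.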

 

References

https://azure.microsoft.com/en-au/services/microsoft-sentinel/#overview

https://azure.microsoft.com/en-au/services/azure-bastion/#overview

https://azure.microsoft.com/en-au/updates/just-in-time-virtual-machine-access/

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/local-administrator-password-solution-laps-implementation-hints/ba-p/258296

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009

https://azure.microsoft.com/en-au/services/virtual-desktop/

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://www.fortinet.com/products/siem/fortisiem

https://www.splunk.com/en_us/data-insider/what-is-siem.html

https://www.elastic.co/siem/
