A compromise of any account is a problem, but it’s especially serious when an outsider gains access to an administrative account. An intruder with full control of a device, website or database can do serious damage. CIS Control #5’s message is to apply strict control to the level of access that end-users have to network resources, ensuring that each user is granted only the access required to perform their job duties.

Doing this can be unpopular among your users and can create feelings of distrust in those who are refused administrative privileges on their machines. End-users would much rather have the convenience of not having to rely on IT support staff to perform certain actions on their workstations, and some applications seem to require an admin account for no good reason. Convincing executives that they shouldn’t have administrative access can be a tough job.

All staff need to understand the necessity for stringent management of account privileges. It’s important to educate them about the inherent risk of using accounts with elevated privileges for general everyday tasks on their workstations. If an administrative account is hijacked, not only is all the data on the machine compromised, but the machine itself can now be used to perform additional attacks on other network devices that it can access. The potential consequences of a compromised account are significantly reduced if that account has only standard user privileges.

Limit creation of accounts

Ensure that administrative accounts are only created for those employees that require them to perform administration of the various systems for which they are responsible.

Not all users that perform administrative tasks require administrator accounts or administrative privileges. Many systems have the option to make users members of certain pre-defined roles that allow them to perform certain administrative tasks, but not others; this provides them the required privileges without granting unlimited access. For example, in content management systems such as WordPress, it’s straightforward to assign a specific pre-defined or custom role to accounts. Editors can manage content but can’t install plugins or create new users. In Active Directory, the necessary rights to network resources can be assigned to domain security groups; domain users can then be added to those groups in order to more easily manage user rights throughout the network. Properly managing the level of access users have to both their own workstations and the various applications on the network largely eliminates any need to assign administrative rights to users who are not system managers.
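As an added example (not from the original article), the POSIX shell audit below inventories the accounts that hold root-level privilege on a Linux host, either by UID 0 or by membership of the sudo/wheel groups, and flags any that are not on an approved administrator list. The passwd and group data are constructed samples, and the approved list is an assumed input; on a real host you would feed it /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added audit example (not from the original article): list accounts that hold
# administrative privilege on a Unix-like host, so the inventory can be compared
# against the list of people who actually need admin rights.
# The passwd/group data below are constructed samples, not taken from a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
wheel:x:10:
adm:x:4:bob
users:x:100:alice,bob,carol'

# Print every account with UID 0 (a full root identity), one per line.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Print members of the groups that grant sudo rights on common distributions
# (sudo on Debian/Ubuntu, wheel on RHEL/Fedora/BSD), de-duplicated.
sudo_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" || $1 == "wheel" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' | sort -u
}

# Combined privileged-account inventory, sorted, one name per line.
privileged_accounts() {
    { uid0_accounts "$1"; sudo_group_members "$2"; } | sort -u
}

# Flag every privileged account that is not on the approved administrator list
# (third argument, comma-separated), so reviewers see only the exceptions.
unapproved_admins() {
    approved=",$3,"
    privileged_accounts "$1" "$2" | while IFS= read -r acct; do
        case "$approved" in
            *",$acct,"*) ;;
            *) printf '%s\n' "$acct" ;;
        esac
    done
}

# Stand-alone run against the constructed sample, with root and alice approved.
unapproved_admins "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "root,alice"
```

The sample deliberately contains a second UID 0 account (toor) and a sudo member (bob) who is not approved; both show up as exceptions.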

Limit use of accounts

Even those who have administrative accounts shouldn’t use them for non-administrative tasks, like checking email or researching an issue on the Internet. A phishing message opened while running as an administrator could have nasty consequences. Have system administrators log in to their workstations using standard user accounts. To run applications or execute commands that require elevated privileges, they can use the “runas” feature in Windows, or “sudo” on a Unix or Linux machine. This allows admins to perform their duties without being logged in as an administrator.

Protect the accounts

Strong passwords should be required for all accounts, especially those that are used for system administration. It is imperative that passwords be changed for default accounts on all network devices during the initial configuration. The username should be updated as well, if possible. If that’s not an option, consider creating a new administrative account with a unique username and strong password, and follow that up by disabling the default account altogether. If more than one person will be administering a system or device, an appropriately configured account should be created for each one of them. This establishes accountability for all actions performed on the device.

It’s good practice to use an authentication server, such as TACACS+ or RADIUS, to manage administrative access to network resources that support it. This is an efficient and more secure method of managing both who has access to a network device, as well as the level of access they have on that device.

Another approach is to implement multi-factor authentication (MFA), which requires a combination of two or more types of authentication factors. An authentication factor can be something a user knows (username, password, PIN), something a user has in their possession (key fob, one-time password) or a biological trait of the user (fingerprint, voice, vein patterns). For example, logging into a firewall management interface could require the administrator’s username and password, as well as a temporary code on a security token or a one-time password (OTP) sent to their phone. Each factor provides an additional layer of security, which makes it much more challenging for an attacker to use stolen credentials to gain access to a system.

Persuade the users

With Control #5, one of the biggest challenges is increasing the security awareness of the system managers. Convincing them to embrace and follow policies and procedures that help prevent the compromise of their administrative accounts can take time, especially if they are not typically security-focused individuals. While having administrative access is convenient, it significantly increases the potential for a network breach if an account with elevated privileges is somehow compromised. The way to frame the issue is in terms of risk reduction rather than prohibition. System managers need to understand that they’re helping to make systems safer, which helps prevent network breaches and the resulting reputation damage and significant financial consequences. If administrators understand this, they may be more likely to accept the additional restrictions applied to their administrative accounts.