Open Mobile Menu

Blog

Locking Down Privileged Access

Views: 2332

Written By: Ryan Hogan December 17, 2016

We run into a lot of questions regarding access control and user management, and the use of local administrator accounts is a pretty important consideration for all organizations.  Many companies have a user base accustomed to convenience over security and permit the use of local administrator accounts for some (or all!) users.   There are obviously some problems with a permissive approach to user management, especially in the current malware/ransomware landscape: when users have local admin rights they can potentially:

  • Install improperly licensed software
  • Deactivate IT protections (Casper, Anti-virus, KACE Agent, etc.) and infect their computer with Malware or;
  • Take other risky actions that lead to a data breach (such as disabling local firewall protection, changing security settings, and disabling logging and alerting systems, to name a few).

Some users legitimately need these rights to effectively and efficiently do their jobs, so what can an organization do to tackle this problem

Typically, the first step is to determine why users need Administrative privileges and eliminate the needs if possible. For example, if some users need Admin Rights to install software for business purposes then IT can create an online software catalog that installs requested (and approved) software over the network, using a service account without direct end user action. Or if a user needs access to install print drivers, then the organization can implement a secure printing server.

A software catalog tool allows IT to ensure the software is properly licensed and comes from a trustworthy source. Be advised, this is typically a long project that involves determining needed software, vetting vendors, and managing licenses (and may require some diplomacy and justification to management from IT if the organization has a more permissive culture). The best way to tackle it is to start with the “easy” users that have little need (or interest) in using administrator rights, since they would rather have IT do everything for them anyways. These users’ software needs tend to be pretty static and predictable, and once IT has the processes developed for managing these users, IT can then proceed to address more difficult use cases. Good communication, end user education on how to use the software catalog, an Acceptable Use policy, and executive support are essential for success. A couple of Software catalog tools to consider are:

A secure printing solution allows IT to ensure that users can print to whatever printer will meet their needs without needing Admin Rights to install print drivers and has the added benefit of reducing waste and eliminating hard copies of sensitive information that are lost or forgotten on a printer tray. Most users just want to be able to print when they need to and it may actually end up being a more positive user experience for them, since they don’t have to wait for a 400 page document that someone else is printing, or figure out which print driver to install for a particular floor or location. A couple of Secure printing tools to consider are:

  • Xerox Mobile Print Cloud based solution for secure pull printing including from mobile devices. Can use ID badge or PIN. Does not require Xerox printers.
  • Pharos SR25  
    • Pros: Can attach hardware to any printer; users can print at any printer by just identifying themselves (no adding drivers)
    • Cons:  Unclear if it works with cloud based server. Requires users to have ID cards.
  • HP JetAdvantage Private Print
    •  Pros: Cloud based solution for secure pull printing including from mobile devices. Can use ID badge or PIN. Also have HP Managed Print Services. SHI has managed print specialist
    •  Cons:  Requires HP printers or MFPs.
  • Uniprint Infinity
    • Pros: Cloud based, can also be used with mobile devices. Can work with any make/model of printer
    • Cons:  Requires a hosted print server

But what else can be done, especially for those users that may NEVER get admin removed because they have unpredictable software installation needs, or have to be able to turn off things like Anti-virus because they do development work? In these cases, there are three strategies to follow: prevent, detect, respond.

Prevent

  • Endpoint-based web filtering should be used to prevent users from being compromised by sites that intentionally or unintentionally serve up malware and/or block connections to command and control servers. A few examples include:
    • Sophos Cloud/ Central:
      • Pros: Well ranked for ease of use; additional components (AV, DLP, secure email, whitelisting, patching) can be added.
      • Cons:  Integration with other components is still pretty new.
    • Zscaler "Web Premium Suite ":
      • Pros: Cloud based proxies in over 30 countries. Leader in secure web gateways. Can also be used on mobile devices. Some DLP capability. 30 day money back guarantee. Deployment service.
      • Cons:  PAC files can be evaded by users with Admin; AD required to push out the PAC file & SSL cert via GPO.
    • Websense:
      • Pros: Good integration with MDM; includes DLP.
      • Cons:  Cloud offering is newer.
  • Configure UAC to “Notify only when programs try to make change to the computer” or “Notify only when programs try to make change to the computer  (without secure desktop)” using GPOs to prevent the installation of malware. Users may still override things until the GPO resets them, so you may need to educate them that paying attention to the notice can prevent malware and productivity issues.
  • Provide two accounts for users to use, one with regular user privileges and another giving access to the Local Administrator account. Users should use the regular account for most activity and only switch user to local admin when they need to do something. Warning: most users will lazily use the Local Admin account all the time, so this is only worth pursuing if your organization is willing to enforce use of the unprivileged account through monitoring and auditing usage of the local admin account. Also, many organizations give the Local Administrator the same password across computers, so you would need to have a password vault solution to ensure each machine has a different local admin password to prevent users from going into other people’s machines.  
  • Laptop whole disk encryption: can ensure that those users with Admin Rights that have sensitive data (i.e. Source code, production data, etc.) have the data encrypted at rest so if the device is lost or stolen you can typically avoid notification requirements.  Products to consider are:
    • Bitlocker/ FileVault /Airwatch
      • Pros: No licensing costs, native OS functionality used. Can centrally administer and recover encrypted hard drives if software deployed through Airwatch.
      • Cons:  Will need Airwatch or an MBAM IIS Web server and SQL Database (standard, enterprise, or datacenter) server to deploy. Requires Windows 8 Enterprise/Pro or higher edition. Will need separate software to manage Mac encryption (i.e.  Airwatch, Filewave, Centrify)
    • Sophos "SafeGuard Encryption" (Utimaco) 
      • Pros: Single console for all encryption OSX & Windows, Smartphones, tablets. Fast encryption, low impact on performance. Can also be used on mobile devices and USBs.
      • Cons:  not native to OS, licensed software.
    • Symantec PGP
      • Pros: Single console for all encryption OSX & Windows, Smartphones, tablets. Fast encryption, low impact on performance. Can also be used on mobile devices and USBs. Can be integrated with secure email encryption with additional cost. Can integrate with Symantec DLP to auto encrypt sensitive data on USBs.
      • Cons:  Licensed software, native encryption only on OSX.
  • Desktop Virtualization could be used to give users control over a virtual desktop to install software while still giving IT visibility and control over the desktop. This can help control the data from being distributed locally while still giving access to desktop. It can also facilitate a consistent experience and allow users to connect from whatever type of locked down desktop they normally use (Mac, Linux, Windows – who cares!). This approach can prevent copies of your source code from running around in Silicon Valley (or Bangalore or Beijing), while also allowing IT to ensure the desktop is up-to-date on patches and can monitor the installed software and security controls. It may also have the side benefit of making the users work more efficient because their “desktop” can have access to server-level processing power, memory, and storage. Common virtual desktop solutions include Citrix XenApp, Remote Desktop Services, and VMWare.

Detect

  • Endpoint based Data Loss Protection solutions can help you detect that a machine has been compromised by identifying data being sent out to a command and control system. A couple endpoint based solutions to consider are:
    • Digital Guardian:
      • Pros: DLP continually tuned by 3rd party, DLP covers all aspects of endpoint including USB.
      • Cons:  Higher cost to cover managed service model.
    • Sophos Cloud Web Gateway:
      • Pros: Well ranked for ease of use; additional components (AV, DLP, secure email, whitelisting, patching) can be added.
      • Cons:  Integration with other components is still pretty new.
  • Monitor software disablement and removal:  Run daily reports to ensure software protections (Endpoint AV, Configuration Agent such as KACE/Casper/SCCM, DLP Agent, etc.) have not been disabled or removed. Here is a suggested response to violations:
    • Directly confront any users that have disabled or removed protection software: on the first violation remind them of the Acceptable Use policy which forbids such actions; politely remind them of the benefits these tools provide and how they can protect the user from productivity issues.  
    • For subsequent violations, report to their manager and give the same warning with details of potential risks and consequences the employee’s actions present to the company.
    • On a third violation, remove local admin privileges on their computer and have them use a Virtualized Desktop (see above) unless the Vice President of their Business Unit is willing to sign a security policy exception.
  • Monitor alerts and reports from Endpoint AV, Configuration Agent (KACE, Casper, SCCM), DLP Agent for issues with malware, configuration, patching, or data loss. Follow same three strikes rule as in the previous bullets.

Respond

  • Install Carbon Black on user endpoints to respond to malware and endpoint attacks (while we are product agnostic, I am not aware of any viable competitor products at this time). Carbon Black will tell you how the user was compromised and what the attacker got (if anything), will allow you to prevent attacks from spreading, and limit the damage of attacks. Again, here is a suggested approach to responding to a malware or endpoint attack due to end user behavior:
    • Track the users that have incidents; for the first incident, give them training and explain to them how the attack was carried out and how it was successful. Reiterate that with Admin privileges comes the responsibility to comply with the Acceptable Use policy, and ensure that they formally acknowledge the good security practices they have been trained upon.   
    • For a second incident, report it to their manager and give the same warning with details of potential risks and consequences the employees actions present to the company.
    • Third violation take their local Admin Rights away and have them use a Virtualized Desktop (see above) unless the Vice President of their Business Unit is willing to sign a security policy exception. If nothing else the VP will know who the cowboys/cowgirls in his organization are.

To summarize, an unexamined “Wild West” approach to user management and Administrative privileges can lead to serious security issues for all types of organizations. The use of local Administrator accounts can be tricky to manage, but a clear understanding of why the accounts are needed, as well as who can use accounts with elevated privileges can go a long way in preventing a costly issue that bypasses your organizations’ security policies and controls.  When Administrator accounts must be used it is imperative that the consequences and benefits are fully understood, and that appropriate detective, preventative, and response procedures exist to mitigate unnecessary (and unknown) risks. The tools and strategies above can help you to effectively secure your systems when elevated privileges are needed.

If you need more help with user management, AppSec Consulting’s Risk Assessment and Security Testing services are designed to uncover these types of issues and provide actionable guidance for securing your critical systems and assets.  Our approach looks at this issue from a technical, administrative, and operational perspective, and we provide organizations with appropriate strategies to meet their security and compliance requirements.

Ryan Hogan

Ryan Hogan is the Director of AppSec Consulting’s Strategic Advisory Services team.  Ryan is an ISO27001 Lead Implementer and risk management professional with more than 16 years of industry experience.  Ryan has served in key information security roles at large enterprises within the finance, technology, manufacturing, and pharmaceutical markets.  He has worked on all sides of the security equation. Ryan has worked as an auditor reviewing security controls for SOC reports, and as security manager at a service provider that is having its security controls audited, as well as a security manager at customers reviewing the results of a service provider’s security audit. He uses this perspective and experience to provide a balanced view and a risk based approach to information security that meets business objectives. In addition, his experience and expertise includes performing Enterprise IT Risk Assessments, preparing for ISO27K Implementation, Vulnerability Management, and Security Strategic Planning.

Ryan has a strong track record of interpreting and applying a variety of information security-related frameworks and standards to meet an organization’s business objective. His common sense approach, communication skills, and initiative elevate him amongst his peers in the industry.  

read more articles by Ryan Hogan