Once upon a time, the IT admin reigned supreme – within the confines of his or her corporate network. Those were the glory days, when we ruled with an iron fist, and no user dared question our authority. After all, we had the ability to read their email, access their web history, or revoke their permissions to access files and other resources with a few clicks of our mighty mouse.
The problem with that (or more accurately, one of the problems) was that in a business environment, there were often dozens or even hundreds of people who had administrative rights and could wield this power. Some of them had no idea what they were doing. Others knew exactly what they were doing and deliberately abused their privileges to spy on others, gain personal information, “mess with” friends, or cause problems for those they didn’t like.
The list of people who hold elevated privileges may have “just grown that way” over the years. Admin accounts are given to users who need to perform tasks that require it, and then are never taken away. Bosses are given admin accounts because they insist on it, even when they don’t need it. New employees are given accounts with the same privileges as their predecessors, even if their real job needs aren’t the same.
After a while, you end up with far too many unnecessary administrators. However, it’s not always easy to get a handle on the problem and round up all the admins, much less apply the principle of least privilege to them.
In today’s high-threat, security-aware enterprise environment, with many organizations under regulatory mandate to demonstrate that information is protected from unauthorized access, this model doesn’t work anymore. The day of the unfettered admin is, for better or worse, coming to an end, and here’s why and how.
Understanding the threat
Just as too many cooks can spoil the broth, too many admins can spoil the company’s security strategy. Misuse of privileged accounts, whether unintentional or deliberate, has been held responsible for data leaks and worse.
Administrators can basically take full control of a computer (local admin) or network (domain/forest admin). They can install and uninstall software, create and delete user accounts, change the rights given to those accounts, change the permissions set on files and other resources, change configuration settings, and more.
Malware, vulnerability exploits, and attackers are quick to take advantage of a logged-on administrative account to run arbitrary code. Users with admin accounts can also easily bypass security measures that are in place if they find them inconvenient. Administrative identities are the No. 1 target of hackers and attackers because of all they can do with such privileges.
Cleaning out the admin house
The first step in fixing this problem is to get rid of as many admins as possible. Just as you have to be brutal during spring cleaning about throwing away unneeded “treasures” that you might possibly someday want, you’ll have to resist the impulse to allow users to keep their administrative accounts “just in case” they might need them in the future, or just because they’ve had them forever and you don’t want to hurt their feelings. To do this, you must:
- Know which users have administrative accounts either at the local or network level – all of them.
- Assess all of these users’ job duties and determine who does and doesn’t need admin access.
- Reassign admin privileges based on real need.
Best practice is to assign admin privileges to groups or roles rather than to individual users. You can easily move users in or out of groups, or assign them to new roles.
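The inventory step above is the one most shops never finish, so here is an added PowerShell example (not from the original article) that lists every user who reaches a privileged Active Directory group, directly or through nesting, plus the local Administrators group on the host it runs on. It assumes the RSAT ActiveDirectory module, rights to read group membership, and that the named built-in groups are the ones that matter in your domain; the 90-day inactivity threshold is an assumed review cutoff.

```powershell
# Added example: inventory who holds admin rights, as input for the assessment step.
# Assumes the RSAT ActiveDirectory module and rights to read group membership.
Import-Module ActiveDirectory

# Built-in groups that confer admin rights; extend with your own role groups.
# Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators'

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so admins reached through group chains are listed too.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, Description
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                Description    = $u.Description
                # Flag likely cleanup candidates: disabled, never logged on, or idle for 90 days (assumed cutoff).
                Review         = (-not $u.Enabled) -or (-not $u.LastLogonDate) -or
                                 ($u.LastLogonDate -lt (Get-Date).AddDays(-90))
            }
        }
}

# Local admins on this machine (PowerShell 5.1+); run via Invoke-Command to cover other hosts.
$local = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object @{ n = 'Group'; e = { 'BUILTIN\Administrators' } }, Name, ObjectClass, PrincipalSource

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\admin-inventory.csv -NoTypeInformation
$local  | Format-Table -AutoSize
```

Rows with Review set to True are the first candidates for the "reassign based on real need" step; the CSV gives you something to hand to the managers who have to sign off.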
Taming the wild admins
Once you’ve whittled down the number of people who need administrative access, you’ll still be left with the dilemma of how to reduce the risk posed by those admin accounts that remain.
Protecting against misuse or misappropriation of administrative privileges has been a concern for a long time, and various methods have been used to attempt to reduce the risk. Administrators often maintain two separate accounts for accessing the network: one that has admin privileges and another that’s just a standard user account. The best security practice is to log on to the admin account only when performing tasks that require it, then log out immediately afterward and go back to using the standard user account.
Unfortunately, many admins are busy, overworked, or sometimes just a tad lazy or forgetful. They log on as an admin and don’t switch back. After all, it is a pain to do this every time you want to perform an administrative task. And it’s easy to get distracted even if you have the best of intentions.
That’s why, in recent years, modern operating systems have attempted to address this with “protected” admin accounts. Windows Vista introduced User Account Control (UAC), which is based on this concept. Administrative accounts operate like standard user accounts most of the time, but when a task requires elevated privileges, the OS “promotes” the rights without forcing you to log off and back on to a different account or enter different account credentials.
However, this still isn’t as secure as using a standard user account when possible, with an administrative password required to elevate privileges. UAC, while a good idea in theory, doesn’t create a strong security boundary even when it’s used correctly. And most admins, annoyed by the constant prompts, simply turned it off. Microsoft responded by making UAC less “in your face” in Windows 7 – which means that when you’re logged on with an admin account, more programs and tasks run with elevated privileges without asking.
New on the menu: admin du jour
Whereas some people will need administrative access on a daily basis, there are many others who need it only to perform specific tasks, often for a limited time. That’s where limited duration administrative privileges come in. Microsoft has embraced this concept in both Azure Active Directory and Windows Server 2016, with a feature called Just in Time (JIT) administration.
JIT makes it possible to assign administrative privileges for a specific time period, after which those privileges are automatically revoked. Sure, you can already do this manually, but JIT prevents temporary admins from “accidentally” becoming permanent ones. With JIT, you can make a user an administrator for the day (or week, or hour).
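The "admin for the day" idea maps directly onto expiring group membership in Windows Server 2016 Active Directory. This is an added PowerShell example, not from the original article, and it assumes the forest functional level is 2016, that the Privileged Access Management optional feature has been enabled, and that the account name and domain are placeholders.

```powershell
# Added example: time-bound Domain Admins membership using expiring links (TTL).
# Assumes a 2016 forest functional level and the PAM optional feature enabled.
Import-Module ActiveDirectory

# One-time, forest-wide and irreversible. Shown commented out because it is not reversible:
# Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name

$user  = 'jdoe'            # assumed placeholder account
$group = 'Domain Admins'
$ttl   = New-TimeSpan -Hours 4

# The directory removes the membership itself when the TTL expires, so a temporary
# admin cannot quietly become a permanent one because somebody forgot to clean up.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl

# Audit remaining lifetimes: TTL members carry a <TTL=seconds,...> prefix, permanent members do not.
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
# Constructed sample output line:
#   <TTL=14399,CN=jdoe,OU=Users,DC=corp,DC=example>

# The KDC caps the user's TGT lifetime at the lowest remaining TTL, so a ticket issued
# during the grant does not outlive it. The user can confirm with: klist
```

Running the audit query on a schedule and alerting on any Domain Admins member that has no TTL prefix is a cheap way to catch permanent admins creeping back in.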
Taking it a step further: enough is enough
It’s not just the time duration that you might need to limit when you’re assigning administrative privileges. It can be even more useful to be able to restrict the scope of those privileges. Only a few people really need full administrative control over everything. Most only need the ability to perform a narrow range of admin tasks.
Working hand-in-hand with JIT, another new feature Microsoft has introduced is called Just Enough Administration (JEA). This makes it easy to grant only those administrative privileges that the user really needs to get the job done. This greatly reduces the harm that can be done by a malicious administrator, or by an attacker who is able to get control of the account.
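To make "just enough" concrete, here is an added PowerShell example (not from the original article) of a JEA endpoint that lets a helpdesk group restart one service and read its event log, and nothing else. The module name, group name, service, file paths and server name are assumed placeholders.

```powershell
# Added example: a JEA endpoint scoped to one task. All names and paths are placeholders.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpDeskJEA.psd1')

# Role capability: whitelist two cmdlets and pin their -Name parameter to a single value.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    ) `
    -FunctionDefinitions @{
        Name        = 'Get-SpoolerLog'
        ScriptBlock = { Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Operational' -MaxEvents 50 }
    }

# Session configuration: RestrictedRemoteServer (NoLanguage mode), commands run under a
# transient virtual account so the helpdesk user never holds an admin credential, and
# every session is transcribed for review.
New-PSSessionConfigurationFile -Path 'C:\JEA\HelpDesk.pssc' `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CORP\HelpDesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

Register-PSSessionConfiguration -Name 'HelpDesk' -Path 'C:\JEA\HelpDesk.pssc' -Force

# A helpdesk user connects with:
#   Enter-PSSession -ComputerName SRV1 -ConfigurationName HelpDesk
# Inside, Restart-Service -Name Spooler works; any other -Name value fails the ValidateSet,
# and cmdlets not listed above (Get-Process, Set-ADUser, ...) simply do not exist in the session.
```

Because the work runs under a virtual account that exists only for the session, compromising the helpdesk user's credential yields exactly the two commands above and nothing more, which is the point the paragraph makes.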
Less control = more control
Computer and network administration is all about control. In an enterprise environment, less control given to more people results in more control, overall, of the systems and their security. Administrative accounts present a nice, juicy attack surface to those who want to breach network security – whether that’s an outside hacker or one of the administrators. Closing the admin loopholes represents a big step toward a more secure environment.
Photo credit: Flickr/Tom Bullock