The concept of least-privilege is by no means a new one. However with the vast amount of compliance regulations and security concerns faced by organisations on a daily basis, the implementation of least-privilege will go a long way in helping to address these challenges.
The simple concept is essential within a Windows environment where administration rights should be restricted to those required for necessary job function rather than assigning the highest admin privileges to users and risking security. The concept is simple to understand, the implementation is mostly complex.
Introduction
Least-privilege is simple to understand and is a technical and administrative control that makes sense to implement, however technologies like Windows does not lend itself to easy implementation of the principle.
The principle of least-privilege aims to improve security through limiting assigned administration rights/privileges to levels consistent with assigned functions and activities of the user, as to avoid increased uncontrollable access but maintain efficient access rights for effective business purpose. This should hold true for people, processes and devices. So in short, just enough privilege for the user to be able to do their job without hindrance.
Through applying the principle to various processes on a device or computer, the surface area of attack is reduced through disregarding redundant privileges that could open the system up for exploitation.
Many organisations are aware that it is a positive approach to their security but Windows tools limit the successful implementation. Organisations find that they are assigning high level administration rights to large numbers of employees at various levels within the organisation making it increasingly difficult to manage access. This is done so that employees have flexibility when it comes to tending to problems.
Through doing this employees are gaining access to areas, systems and data that they should not have access to. These high level privileges open the organisation up to an array of security risks from compliance concerns through to access control issues as well as insider security risks.
The diverse IT environments (virtual, physical, on premise and in the cloud) within organisations and the combinations of operating systems utilised makes it challenging to successfully implement the principle. However it is important to get this right, as the way we go about business is also more complex with many organisations frequently acquiring outsourced services from contractors or third-party services who are obtaining high level administration rights to do their tasks-this cannot be a secure way to function.
The increased electronic way in which organisations operate and the need for open-access to function effectively increases the importance of least-privilege to ensure the areas that require protection remain inaccessible. This increased requirement for access needs to be managed effectively to obtain the right balance between access and security.
Why least-privilege benefits security
- It’s harder to compromise what you don’t have access to.
- Accidental deletions or manipulation is less likely.
- If you only have access to what you need, anyone that compromises your account will only have access to limed resources.
- Least-privilege helps organisations in classifying data. By classifying data you then know what data you have, where it is and who has access to it.
- Least-privilege helps dramatically reduce the spread of malware, malware tends to use the privilege of the user that was tricked into installing or activating the software. Malware does sometimes try to escalate privilege but in most cases relies on existing permissions to propagate.
- SQL injection is a typical attack that exploits the lack of the rule of least-privilege and often attackers escalate their privilege. If the application only had read-only privilege, more often than not the escalation or attack would not allow execution.
Top Tips for least-privilege implementation
- Get senior management buy-in and assistance
- Get organisation buy-in and assistance
To achieve employee acceptance and to understand the access levels required for each area or requirement you need to involve all departments. Ensure you are able to illustrate the importance of least-privilege principle to all employees to achieve maximum buy-in and cooperation. - Utilise a role based approach when allocating privileges
Remember to allocate access according to roles or function rather than to users. This is easier to manage in the long run, if you are implementing Role Based Access Control (RBAC) remember that role creep is possible so roles and access need to be reviewed on a periodic basis. I typically recommend once every quarter or at a minimum once every six months. - Maintain, review and revise privileges on a regular basis to keep them up to date and effective
- Educate the organisation and the users of the systems to the dangers of obtaining full access to all systems.
- Revise access to legacy applications. My recommendation is to isolate the application and only allow the necessary access to the application, to the users and systems that require access.
- Administrative access should be limited down to exactly the function that is required. Yes, this is not easy to achieve or implement but you will find that most systems have now broken administrative roles down for you, so that this model applies. The reason for this is to make your life a little easier. So that domain admin accounts that have been used for years should now be locked away and the password changed so that no-one can abuse that level of privilege.
- Software should be installed centrally in most cases. This means that users should not have the privilege of installing software. The reason for this is that if done centrally you can control and manage the licence and version and ensure the quality of the software installed. There are some exceptions but in those cases those users and systems should be treated like remote workers and thus the remote worker security policy and remote access controls apply. Through doing this you can isolate the user to outside of the network and reduce the exposure to the organisation while still allowing the user the freedom that they may require without compromising the organisations security policy.
A tip I often give my clients is to not see accounts as privilege but see privilege as accounts. What I mean by this is an account that is used for backup administration, or an account that is used to create users on a domain should be used as such and not for anything else. If your user’s accounts have these privileges then you have lost control of your network, data and systems and any malicious user or application will eventually exploit this vulnerability.
There are several security challenges coming down the line, for example browsers are quickly morphing into operating systems and virtual environments (Clouds) are developing outside of the borders of our networks. The main issue with this is that many security controls go out the window. The solution is quite simple and one that we are already quite familiar with, it’s the solution linked to access control and encryption of sensitive data that has been classified and isolated away from unauthorised users. In a roundabout way it implements the rule of least privilege.
Conclusion
My security team work with many security vendors globally, moreover we work with fortune 500 organisations and we have discovered that by reducing privileges to only what users require in order to perform their role, greatly enhances security and in most cases does not allow a vulnerability to be exploited.
It’s a different approach than hardening the core, but for some organisations this approach works and should be implemented. There is no hard and fast security strategy that will close all the gaps, least-privilege is applicable and should be considered if you’re looking to enhance your security posture.
