Working in IT today is like walking into a minefield: there are unseen dangers everywhere, and by simply doing something as natural as taking a step you might blow yourself up. This danger is especially critical for those of us who administer servers in businesses and other organizations because admins are like apartment block managers who carry a master key that unlocks all the doors in the building. If an individual apartment dweller gets his key stolen, he's likely to have his laptop and stereo system stolen. But if the building manager gets his keys stolen then everybody in the block is at risk of getting ripped off, invaded, or assaulted.
It's critically important, therefore, that an administrator who manages and maintains the IT infrastructure and assets of the organization make sure the computer systems are as secure as possible. In this article we'll examine the reasons why workstation security is important for administrators and what kinds of practical steps admins can take to ensure their workstations are secure.
What are some of the dangers?
Let's start off by enumerating the kinds of the dangers faced by administrators from various malevolent actors. Phishing attacks are a major threat vector that anyone using email faces nowadays. Such attacks can steal credentials and use them to break into your network and encrypt all your business data and then demand a ransom payment in exchange for decrypting it. Or they might install malware and use it to surreptitiously steal company secrets or slowly drain money from your accounts without you noticing what's happening. Administrators are especially vulnerable to phishing attacks, not because they're dumb and open every attachment sent to them via email, but because they usually perform their tasks using elevated rights and privileges.
Simply browsing a website can also be a dangerous action to perform if you're an administrator. Even if the operating system of the computer being used is completely up to date with its patches, there may still be unpatched vulnerabilities in the operating system or applications used on it, including web browsers. The simple result of opening a spoofed page because of a DNS redirection attack and then clicking on a link on that page can mean the installation of Trojan horse malware on your workstation, which can then compromise computer systems all across your network.
What can you do about these dangers?
As a minimal starting point for safeguarding your IT infrastructure from such attacks, all administrators in your business or organization should be provided with two user accounts: an admin-level account for managing the infrastructure, and a low-privileged ordinary user account admins can use when they need to do ordinary things like check email, browse the web, write reports, or play solitaire when the grind gets tough. This means, of course, that administrators must ensure that they adhere to a strict policy of only using their admin accounts when they need to perform some admin-level duty or task.
But even assuming that your admins rigorously follow this rule of separate use of different accounts for different purposes, the very fact of using an admin-level account on a workstation can render it vulnerable to attack. In other words, using an account with administrator privileges -- even only once -- on a computer can make that machine untrustworthy. The reason is because the machine now becomes susceptible to elevation of privilege attacks. In other words, if an attacker can gain access to a non-admin user account that has been used on the machine and can then exploit some unpatched known or even unknown vulnerability in the software installed on that machine, then the attacker may be able to elevate their privileges to match those of the admin account that was used on it and wreak havoc on your company's whole network.
But do we really have to worry about unknown vulnerabilities in Windows that might allow attackers to launch elevation of privilege attacks? The short answer, unfortunately, is we don't know, and this means to protect ourselves against such attacks we must assume the worst: The bad guys are smarter than us and know more than we do.
So what else can we do then to safeguard ourselves as admins against these kinds of attacks on our workstations? Well, we can start by migrating our admin workstations to Windows 10 Enterprise edition, which includes Credential Guard, a new feature of Windows 10 Enterprise and Windows Server 2016 that employs virtualization-based security to isolate secrets such as those contained by computers an admin-level account has been used to log onto the machine with. By safeguarding such secrets so only privileged system software can access them, Credential Guard can prevent a wide range of credential theft attacks including Pass-the-Hash attacks and Pass-The-Ticket attacks. You can read more about Credential Guard in this article by Brian Lich on Microsoft's Windows IT Center website.
In my own opinion, taking advantage of Credential Guard together with the practice of using two accounts, high-privileged and low-privileged, is the single most important thing you can do to ensure your administrator workstation is as secure as possible against the most dangerous forms of attack you may face as an administrator. Note, however, that you'll need modern system hardware for your admin workstation since Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot capability and virtualization extensions such as Intel VT-x, AMD-V, and SLAT that must be enabled. TPM 2.0 is also recommended for device health attestation, but Credential Guard will use software if TPM 2.0 is not present on the machine.
Credential Guard is not a panacea, however, and you shouldn't let your guard down just because you're using it. For example, a sophisticated attacker could still compromise your workstation by making use of previously stolen credentials that had been stored on your workstation before Credential Guard was enabled on it. And, of course, if they can get physical access to your device, then a wide range of attacks will be able to compromise it.
Secure workstations aren't just for admins
It's important for businesses and organizations to understand that secure workstations aren't just something that their administrators need. Even some of your lower-level employees may need workstations that are as secure as possible against credential theft attacks instigated through phishing or other means. For example, users in your accounting department working on budgets and financial reports for your company need to have their workstations as secure as possible. The last thing a company that is secretly planning a merger or acquisition wants to happen is for word about their financial standing to leak out. Employees in your research and development department also need secure machines so your newly discovered inventions and innovations won't get stolen before you can trademark or patent them. Even marketing people who manage the social media presence of your organization may need to have workstations that are secure, otherwise you might wake up one morning as CEO and find out that your company's Twitter account has been hacked and someone pretending to be you is spreading nonsense about your company.
So despite all the haters, and despite how Microsoft messed up in its initial messaging of Windows 10 and with its free upgrade fiasco, maybe you should consider migrating to Window 10 Enterprise edition today -- if you really care about the integrity of your business.
Photo credit: FreeRange Stock