BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Implementing Least Privilege for Windows the Easy Way

Posted July 31, 2014    Morey Haber

Restricted Area SignThe concept of least privilege states that asset users should have the lowest level of access privileges required to effectively conduct their jobs. Implementing least privilege can bring several benefits to your organization, including:

  • Increased security by reducing the attack surface available to users and to potential attackers who compromise user systems via phishing, malware, etc.
  • Reduced help desk costs due to fewer technical problems resulting from users “breaking things” with administrative privileges
  • Compliance with least-privilege requirements in regulations such as PCI DSS and MAS guidelines – as well as with guidelines such as the Top 20 Critical Security Controls
  • More effective forensic and audit activities (when a solution is in place to document privileged activity)

At its most basic level, least privilege is about restricting users to standard user permissions. Let’s drill down a bit, though. Effectively leveraging least privilege to secure user environments means taking several specific actions, including:

  • Removing secondary usernames and passwords (e.g., username-admin) for running tasks with elevated privileges
  • Removing access to local administrator accounts for user tasks and maintenance
  • Removing backdoor local interactive administrative accounts
  • Removing domain user accounts from the local computer administrator account
  • Denying access to operating system functions that could alter the configuration and compliance settings for the asset
  • Denying system configuration changes and software installs / uninstalls, whether intentional or unintentional
  • Enforcing application usage as a standard user in case of an advanced persistent threat or malware

Easy, right? Not if you do it manually. You can try, but forget about those “reduced help desk costs” I mentioned above. You might want to buy some serious headache medicine while you’re at it.

Fortunately, there are policy-based tools that interact seamlessly with Active Directory and Web Services to automatically manage privileges in Windows environments. Tools like PowerBroker for Windows enable you to leverage Group Policy to create policies and assign them to users or computers – covering just about any privilege management use case you can imagine.

At their core, these solutions keep workers at standard user privileges while elevating privileges for their applications. This means that users can get their jobs done without ever requiring elevated privileges themselves. How does this work? Well, PowerBroker for Windows modifies the application’s security token, enabling the application (or OS function) to run with the permissions required for the task at hand. The application appears to be fully interactive, as if the user executed it with administrator privileges, but in reality it’s not. This is because PowerBroker includes controls to regulate things like sub process launches and directories – as well as other tamper proofing features to ensure the application is not misused after granting elevated privileges.

For those cases where your users or admins directly need elevated privileges for specific server or desktop functions, BeyondTrust offers a privileged password management solution. PowerBroker Password Safe securely stores passwords, allows users to check them out, connects remotely with compete session recording, and automatically randomizes and resets passwords once sessions are complete.

> Learn more about automated Windows privilege management
> Read the PowerBroker for Windows Use Cases White Paper
> Learn more about privileged password and session management

Tags:
, , ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,