BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

Integrating Least Privilege and Password Management to Solve Account Security ChallengesThere is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field.

Consider the challenge of privileged access: The more access a user or attacker has to a desktop or server, the more damage can be done. The simple solution is flat-out prohibiting users from having administrative access to IT assets – right? Well, that’s easier said than done, since so many common tasks require elevated access. Locking privileged down on a wholesale basis undoubtedly leads to nightmares for help desk technicians, domain administrators, and just about everyone else. It’s no way to make friends.

Least-privilege tools like PowerBroker for Windows enable you to limit everyone to standard user privileges and instead elevate the privileges of applications to perform tasks that require administrative access. That’s a great start. An interesting problem arises, though, when a user needs administrative access via RDP (or local access) for troubleshooting or other advanced tasks (e.g., changing OS configuration via the control panel). How do you avoid providing help desk staff with real administrative privileges that could be intercepted in attacks like Pass-the-Hash?

That’s where privileged password management with PowerBroker Password Safe comes in.

In the above case, Password Safe would allow the help desk technician to immediately check an account out for remote access to the asset. Then, working in concert with PowerBroker for Windows, it would apply least-privilege rules to enable the tech to perform advanced functions from a standard user state – rather than as an administrator. The account’s password could also automatically be randomized and cycled so help desk staff can’t access an asset without logging a request, checking out a password, and leaving an record (in video format) of every action they perform.

In summary, when the help deck technician logs into the remote system:

  • the privileged account and associated password are never exposed;
  • PowerBroker for Windows allows advanced tasks per defined rules and policies;
  • the user never actually has administrative privileges; and so,
  • attack vectors like Pass-the-Hash are a moot point!

Your auditors and security team love this. Every time administrative access is granted to an application or system, BeyondInsight logs the results and produces comprehensive reports and screen recordings detailing what was launched and how it was used.

This one use case solves a complex, real-world problem case by bridging least privilege on the desktop (or even servers), secure management of privileged passwords, and centralized auditing and reporting via a single, seamless privileged account management solution.

» Learn more about PowerBroker for Windows
» Learn more about PowerBroker Password Safe
» Learn more about the BeyondInsight IT Risk Management Platform

Tags:
, , , , , ,

Leave a Reply

Additional articles

6

A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

Tags:
, , , ,
Password Game Show

Managing Shared Accounts for Privileged Users: 5 Best Practices for Achieving Control and Accountability

Posted November 20, 2014    Scott Lang

How do organizations ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity? Consider these five best practices…

Tags:
, , , , , ,
Triggering MS14-066

Triggering MS14-066

Posted November 17, 2014    BeyondTrust Research Team

Microsoft addressed CVE-2014-6321 this Patch Tuesday, which has been hyped as the next Heartbleed.  This vulnerability (actually at least 2 vulnerabilities) promises remote code execution in applications that use the SChannel Security Service Provider, such as Microsoft Internet Information Services (IIS). The details have been scarce.  Lets fix that. Looking at the bindiff of schannel.dll, we see a…

Tags:
, , , , ,