BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

Integrating Least Privilege and Password Management to Solve Account Security ChallengesThere is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field.

Consider the challenge of privileged access: The more access a user or attacker has to a desktop or server, the more damage can be done. The simple solution is flat-out prohibiting users from having administrative access to IT assets – right? Well, that’s easier said than done, since so many common tasks require elevated access. Locking privileged down on a wholesale basis undoubtedly leads to nightmares for help desk technicians, domain administrators, and just about everyone else. It’s no way to make friends.

Least-privilege tools like PowerBroker for Windows enable you to limit everyone to standard user privileges and instead elevate the privileges of applications to perform tasks that require administrative access. That’s a great start. An interesting problem arises, though, when a user needs administrative access via RDP (or local access) for troubleshooting or other advanced tasks (e.g., changing OS configuration via the control panel). How do you avoid providing help desk staff with real administrative privileges that could be intercepted in attacks like Pass-the-Hash?

That’s where privileged password management with PowerBroker Password Safe comes in.

In the above case, Password Safe would allow the help desk technician to immediately check an account out for remote access to the asset. Then, working in concert with PowerBroker for Windows, it would apply least-privilege rules to enable the tech to perform advanced functions from a standard user state – rather than as an administrator. The account’s password could also automatically be randomized and cycled so help desk staff can’t access an asset without logging a request, checking out a password, and leaving an record (in video format) of every action they perform.

In summary, when the help deck technician logs into the remote system:

  • the privileged account and associated password are never exposed;
  • PowerBroker for Windows allows advanced tasks per defined rules and policies;
  • the user never actually has administrative privileges; and so,
  • attack vectors like Pass-the-Hash are a moot point!

Your auditors and security team love this. Every time administrative access is granted to an application or system, BeyondInsight logs the results and produces comprehensive reports and screen recordings detailing what was launched and how it was used.

This one use case solves a complex, real-world problem case by bridging least privilege on the desktop (or even servers), secure management of privileged passwords, and centralized auditing and reporting via a single, seamless privileged account management solution.

» Learn more about PowerBroker for Windows
» Learn more about PowerBroker Password Safe
» Learn more about the BeyondInsight IT Risk Management Platform

Tags:
, , , , , ,

Leave a Reply

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,