BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

Integrating Least Privilege and Password Management to Solve Account Security ChallengesThere is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field.

Consider the challenge of privileged access: The more access a user or attacker has to a desktop or server, the more damage can be done. The simple solution is flat-out prohibiting users from having administrative access to IT assets – right? Well, that’s easier said than done, since so many common tasks require elevated access. Locking privileged down on a wholesale basis undoubtedly leads to nightmares for help desk technicians, domain administrators, and just about everyone else. It’s no way to make friends.

Least-privilege tools like PowerBroker for Windows enable you to limit everyone to standard user privileges and instead elevate the privileges of applications to perform tasks that require administrative access. That’s a great start. An interesting problem arises, though, when a user needs administrative access via RDP (or local access) for troubleshooting or other advanced tasks (e.g., changing OS configuration via the control panel). How do you avoid providing help desk staff with real administrative privileges that could be intercepted in attacks like Pass-the-Hash?

That’s where privileged password management with PowerBroker Password Safe comes in.

In the above case, Password Safe would allow the help desk technician to immediately check an account out for remote access to the asset. Then, working in concert with PowerBroker for Windows, it would apply least-privilege rules to enable the tech to perform advanced functions from a standard user state – rather than as an administrator. The account’s password could also automatically be randomized and cycled so help desk staff can’t access an asset without logging a request, checking out a password, and leaving an record (in video format) of every action they perform.

In summary, when the help deck technician logs into the remote system:

  • the privileged account and associated password are never exposed;
  • PowerBroker for Windows allows advanced tasks per defined rules and policies;
  • the user never actually has administrative privileges; and so,
  • attack vectors like Pass-the-Hash are a moot point!

Your auditors and security team love this. Every time administrative access is granted to an application or system, BeyondInsight logs the results and produces comprehensive reports and screen recordings detailing what was launched and how it was used.

This one use case solves a complex, real-world problem case by bridging least privilege on the desktop (or even servers), secure management of privileged passwords, and centralized auditing and reporting via a single, seamless privileged account management solution.

» Learn more about PowerBroker for Windows
» Learn more about PowerBroker Password Safe
» Learn more about the BeyondInsight IT Risk Management Platform

Tags:
, , , , , ,

Leave a Reply

Additional articles

webinar_ondemand

On Demand Webinar – Why You Still Suck at Patching

Posted March 27, 2015    Lindsay Marsh

On Demand Webinar: Dave Shackleford recounts some of his personal experiences in patch management failure, and breaks down the most critical issues holding many teams back from patching more effectively.

Tags:
,
dave-shackleford-headshot

Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

Tags:
, ,
infographic

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.

Tags:
,