BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

Integrating Least Privilege and Password Management to Solve Account Security ChallengesThere is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field.

Consider the challenge of privileged access: The more access a user or attacker has to a desktop or server, the more damage can be done. The simple solution is flat-out prohibiting users from having administrative access to IT assets – right? Well, that’s easier said than done, since so many common tasks require elevated access. Locking privileged down on a wholesale basis undoubtedly leads to nightmares for help desk technicians, domain administrators, and just about everyone else. It’s no way to make friends.

Least-privilege tools like PowerBroker for Windows enable you to limit everyone to standard user privileges and instead elevate the privileges of applications to perform tasks that require administrative access. That’s a great start. An interesting problem arises, though, when a user needs administrative access via RDP (or local access) for troubleshooting or other advanced tasks (e.g., changing OS configuration via the control panel). How do you avoid providing help desk staff with real administrative privileges that could be intercepted in attacks like Pass-the-Hash?

That’s where privileged password management with PowerBroker Password Safe comes in.

In the above case, Password Safe would allow the help desk technician to immediately check an account out for remote access to the asset. Then, working in concert with PowerBroker for Windows, it would apply least-privilege rules to enable the tech to perform advanced functions from a standard user state – rather than as an administrator. The account’s password could also automatically be randomized and cycled so help desk staff can’t access an asset without logging a request, checking out a password, and leaving an record (in video format) of every action they perform.

In summary, when the help deck technician logs into the remote system:

  • the privileged account and associated password are never exposed;
  • PowerBroker for Windows allows advanced tasks per defined rules and policies;
  • the user never actually has administrative privileges; and so,
  • attack vectors like Pass-the-Hash are a moot point!

Your auditors and security team love this. Every time administrative access is granted to an application or system, BeyondInsight logs the results and produces comprehensive reports and screen recordings detailing what was launched and how it was used.

This one use case solves a complex, real-world problem case by bridging least privilege on the desktop (or even servers), secure management of privileged passwords, and centralized auditing and reporting via a single, seamless privileged account management solution.

» Learn more about PowerBroker for Windows
» Learn more about PowerBroker Password Safe
» Learn more about the BeyondInsight IT Risk Management Platform

Tags:
, , , , , ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,