BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

Integrating Least Privilege and Password Management to Solve Account Security ChallengesThere is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field.

Consider the challenge of privileged access: The more access a user or attacker has to a desktop or server, the more damage can be done. The simple solution is flat-out prohibiting users from having administrative access to IT assets – right? Well, that’s easier said than done, since so many common tasks require elevated access. Locking privileged down on a wholesale basis undoubtedly leads to nightmares for help desk technicians, domain administrators, and just about everyone else. It’s no way to make friends.

Least-privilege tools like PowerBroker for Windows enable you to limit everyone to standard user privileges and instead elevate the privileges of applications to perform tasks that require administrative access. That’s a great start. An interesting problem arises, though, when a user needs administrative access via RDP (or local access) for troubleshooting or other advanced tasks (e.g., changing OS configuration via the control panel). How do you avoid providing help desk staff with real administrative privileges that could be intercepted in attacks like Pass-the-Hash?

That’s where privileged password management with PowerBroker Password Safe comes in.

In the above case, Password Safe would allow the help desk technician to immediately check an account out for remote access to the asset. Then, working in concert with PowerBroker for Windows, it would apply least-privilege rules to enable the tech to perform advanced functions from a standard user state – rather than as an administrator. The account’s password could also automatically be randomized and cycled so help desk staff can’t access an asset without logging a request, checking out a password, and leaving an record (in video format) of every action they perform.

In summary, when the help deck technician logs into the remote system:

  • the privileged account and associated password are never exposed;
  • PowerBroker for Windows allows advanced tasks per defined rules and policies;
  • the user never actually has administrative privileges; and so,
  • attack vectors like Pass-the-Hash are a moot point!

Your auditors and security team love this. Every time administrative access is granted to an application or system, BeyondInsight logs the results and produces comprehensive reports and screen recordings detailing what was launched and how it was used.

This one use case solves a complex, real-world problem case by bridging least privilege on the desktop (or even servers), secure management of privileged passwords, and centralized auditing and reporting via a single, seamless privileged account management solution.

» Learn more about PowerBroker for Windows
» Learn more about PowerBroker Password Safe
» Learn more about the BeyondInsight IT Risk Management Platform

Tags:
, , , , , ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,