Controlled Use of Admin Privileges - Top 20 Security Controls
June 2021 | Michael Wetherald

Top 20 Critical Security Controls Series

In this article, we continue our blog series on the industry standard top 20 critical security controls -- sometimes referred to as the SANS top 20 or CIS Critical Security Controls. These controls give your organization a set of best practices for protecting itself from the most common attacks faced around the world.

Basic Security Controls

Controls 1-6 are considered the basic controls every organization should employ to have a solid foundation to build from:

#4: Controlled Use of Administrator Privileges

Administrator privileges are necessary for managing your environment, but in the hands of an adversary they are a free pass to wreak havoc in your environment. Getting the right balance of security and availability for those who need it requires a deliberate strategy.

Why Is This Control Important?

Administrator privileges are the keys to your kingdom. Without proper control and management of those keys, it becomes much easier for an attacker to gain access to them and cause damage to your organization. The challenge is balancing the need to lock down and secure those keys with your employees' ability to perform their job responsibilities.

How to Implement This Control

This control breaks down into two main components. One is updating the policies and procedures involving admin accounts. The other is logging and monitoring the use of those admin accounts.

Administrator Account Management

Inventory of Administrator Accounts

Without an inventory of the administrator accounts in your environment, those accounts are unmanaged and can be changed or abused without notice. Use automated tools to audit the hosts in your environment for all administrator accounts on each device. Then audit this inventory to ensure only authorized users have the elevated privileges necessary for their job responsibilities.
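One way to run that inventory audit on a Linux host, as an added example that is not part of the original article: it lists every account with admin rights (UID 0, or membership in an admin group through either the group file or the primary GID) and compares the result with an approved list. The file contents, group names and approved list are constructed assumptions.

```python
# Constructed sample data standing in for /etc/passwd and /etc/group.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:0:1002:Backup service:/var/backup:/bin/sh
carol:x:1003:27:Carol:/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
users:x:100:alice,bob,carol
"""
ADMIN_GROUPS = {"sudo", "wheel"}        # assumption: groups granting admin rights on this host
AUTHORIZED = {"root", "alice", "dave"}  # assumption: approved admin list from your records


def admin_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Return {account: [reasons]} for every account holding admin privileges."""
    found = {}
    admin_gids = set()
    for line in filter(str.strip, group_text.splitlines()):
        name, _pw, gid, members = line.split(":", 3)
        if name in admin_groups:
            admin_gids.add(gid)
            for member in filter(None, members.split(",")):
                found.setdefault(member.strip(), []).append(f"member of {name}")
    for line in filter(str.strip, passwd_text.splitlines()):
        user, _pw, uid, gid = line.split(":")[:4]
        if uid == "0":  # any UID 0 account is root-equivalent, whatever its name
            found.setdefault(user, []).append("UID 0")
        if gid in admin_gids:  # primary group does not appear in the group file's member list
            found.setdefault(user, []).append(f"primary GID {gid} is an admin group")
    return found


def audit(found, authorized=AUTHORIZED):
    """Split the inventory into unauthorized admins and approved-but-absent accounts."""
    return {"unauthorized": sorted(set(found) - authorized),
            "stale_approvals": sorted(authorized - set(found))}


if __name__ == "__main__":
    inventory = admin_accounts(PASSWD, GROUP)
    print(inventory)
    print(audit(inventory))
```

The `stale_approvals` list matters as much as the unauthorized one: an approval with no matching account means the authorization records have drifted from the host.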

Default Passwords

Audit all devices in the environment for default passwords and change any that are found as soon as possible. Update your deployment procedures to include steps to reset default passwords.

Utilize Dedicated Administrator Accounts

All users who require administrator accounts should also be provided a user account without administrator privileges to use for typical day-to-day activities. Using admin accounts to browse the web or check email drastically increases the risk of those activities. A user who opens an adversary's email attachment while using an admin account has now given that adversary admin access to the device.

Utilize Dedicated Administrator Devices

Segregate the host(s) necessary for performing administrative responsibilities from the organization's primary network. There should be no Internet access from this host, and it should not be used for any other activity.

Restrict Access to Scripting Languages

Limit the use of scripting utilities like PowerShell and Python to administrators or developers who require access for their job responsibilities. Without the use of scripts, adversaries who compromise hosts will be severely restricted in their ability to advance.

Multi-factor Authentication and Unique Passwords

Utilize multi-factor authentication (MFA) for administrator accounts wherever possible. There are lots of different options for multi-factor authentication, and choosing a solution that's right for your organization requires some careful planning. Contact us today and we can work with you to understand your options. Wherever MFA isn't available, use admin passwords which are unique to each system. A good password management solution will make this feasible.

Logging and Monitoring

The other half of this control involves early detection and response to issues involving your administrator accounts. Configure the hosts in your environment to log changes to administrator groups. This includes when a user is added to or removed from admin groups on the host. Additionally, log and alert on unsuccessful login attempts by admin users. Alerting on these two events will allow your staff to quickly detect and react to compromised hosts.
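The two alerts described above, sketched as detection logic over Linux authentication log lines (an added example, not part of the original article). The log lines are constructed and their format varies by distribution; the group names, admin user list and failure threshold are assumptions.

```python
import re
from collections import Counter

ADMIN_GROUPS = {"sudo", "wheel"}  # assumption: groups that grant admin rights
ADMIN_USERS = {"root", "alice"}   # assumption: taken from your admin account inventory
FAILED_THRESHOLD = 3              # assumption: failures per (user, source) before alerting

# Constructed sample lines in the style of a Linux auth log.
LOG = """\
Jun  3 09:14:02 web01 usermod[2211]: add 'mallory' to group 'sudo'
Jun  3 09:15:10 web01 sshd[2300]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun  3 09:15:12 web01 sshd[2300]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun  3 09:15:15 web01 sshd[2300]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun  3 09:20:41 web01 sshd[2316]: Failed password for bob from 198.51.100.4 port 40100 ssh2
Jun  3 09:31:00 web01 usermod[2402]: delete 'alice' from group 'sudo'
Jun  3 09:32:00 web01 usermod[2410]: add 'bob' to group 'users'
"""

GROUP_CHANGE = re.compile(r"usermod\[\d+\]: (add|delete) '([^']+)' (?:to|from) group '([^']+)'")
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")


def detect(log_text):
    """Return alert tuples for admin-group changes and repeated failed admin logins."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = GROUP_CHANGE.search(line)
        if m and m.group(3) in ADMIN_GROUPS:
            action = "added to" if m.group(1) == "add" else "removed from"
            alerts.append(("group_change", m.group(2), f"{action} {m.group(3)}"))
            continue
        m = FAILED_LOGIN.search(line)
        if m and m.group(1) in ADMIN_USERS:
            key = (m.group(1), m.group(2))
            failures[key] += 1
            if failures[key] == FAILED_THRESHOLD:  # alert once, when the threshold is reached
                detail = f"{FAILED_THRESHOLD} failures from {m.group(2)}"
                alerts.append(("failed_admin_login", m.group(1), detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

Removals from an admin group are alerted on as well as additions, since the article calls for logging both.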

Conclusion

Be sure to check out the next article in our series, where we cover security control #5: Secure Configurations.

Securing administrator privileges is a crucial control for developing the security program at your organization. Viam is here to help guide you through implementing this control at your organization. Contact us today if you are ready to take steps to reduce the cybersecurity risk in your organization.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent-pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.
