Denying users administrative access to their local workstations is not often received well. As computers have become an integral part of our daily life, users often get upset and frustrated when they do not have the privileges to complete specific tasks. This frustration is usually felt in the IT department as well, both from disgruntled users that are complaining about their lack of access and also from the increased workload because the IT department now needs to complete any task that requires administrative access.
Adding to the frustrations of users and IT staff alike, applications add to the dilemma. Many times, applications themselves require administrative access in order to run properly. While settings and registry changes could be made to provide the necessary access without full administrative privileges, most IT departments do not have the time, resources, or expertise to make those configuration changes for every application in their environment. Too often, the alternative method used is to provide local administrative access to the entire user base.
The CSC 5 security control, which was recently upgraded from 12th to 5th in order to put it higher in the organization’s priority list, is concerned with limiting the use of administrative privileges in an environment. Specifically, CSC 5 is about the processes and tools that are used to track, control, prevent, and correct the usage, assignment, and configuration of administrative privileges on applications, computers, and networks. In support of the increased priority of this control, recent reports have illustrated the impact limiting administrative privileges have in a Windows environment. A recent report by Avecto found the following:
- 97% of the 240 critical vulnerabilities published by Microsoft in 2014 could be mitigated by removing administrative rights
- 98% of Microsoft Windows critical vulnerabilities could be mitigated by removing administrative rights
- 99.5% of Internet Explorer vulnerabilities could be mitigated by removing administrative rights
- 95% of Microsoft Office vulnerabilities could be mitigated by removing administrative rights
- 97% of vulnerabilities related to Critical Remote Code Execution could be mitigated by removing administrative rights
- 80% of all vulnerabilities reported by Microsoft in 2014 could be mitigated by removing administrative rights
The following CSC 5 sub-controls can be implemented to provide a logical approach to limiting the use of administrative rights throughout an organization:
Sub-Control 5.1 Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
Sub-Control 5.2 Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.
Sub-Control 5.3 Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
Sub-Control 5.4 Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.
Sub-Control 5.5 Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.
Sub-Control 5.6 Use multi-factor authentication for all administrative access, including domain administrative access.
Sub-Control 5.7 Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).
Sub-Control 5.8 Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as “Sudo” or “RunAs”.
Sub-Control 5.9 Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access.
Several of the sub-controls within CSC 5 are policy based and will rely heavily on the creation of formal organizational policies and the organization conducting appropriate training sessions to inform administrators and users of what will be expected. There are, however, some technical implementations that can assist in the enforcement of these policies.
As indicated in sub-controls 5.6 and 5.7, multi-factor authentication increases the level of security over the standard username and password. There are several choices available on the market when it comes to selecting a multi-factor authentication (MFA) solution. Many popular methods include security tokens, smart cards, one-time passwords, and USB keys. Additionally, many of the companies that provide MFA solutions, such as Symantec, RSA, and DUO Security, also offer several options for implementation.
DUO Security is one example of a company that offers an entire line of options to support several MFA use case scenarios. In addition to their flexible and dynamic solution portfolio, DUO has a couple of other features that set them apart from other MFA vendors. One of the key differentiators is that their solution is fully managed from a cloud environment. Their solution also provides a “push” service that upon authentication sends a notification to the user’s smartphone for verification. Both of these are important features because they create a true out of band authentication (OOBA) system. This is significant because if an adversary has access to an organization’s network, then they may also be able to gain access to any internal MFA administrative server, or they could intercept the username, password, and MFA as they all run across the same network. Having the user administration maintained outside the target network and having the MFA credentials sent over a separate network provides additional security over other MFA methods.
In support of sub-control 5.2, CyberArk provides those elements called out in the control as well as several others that offer additional protections. The CyberArk Enterprise Password Vault’s primary function is to secure the passwords used by accounts with administrative privileges. As such, one of its central features is to discover the privileged accounts that exist within an environment. CyberArk Enterprise Password Vault automatically discovers and inventories privileged accounts and SSH keys both public and private throughout the entire IT environment. Administrators can select which accounts and authorized key pairs should be protected and automatically onboard them to the Digital Vault.
Beyond discovering and managing the administrative level accounts, CyberArk also provides some unique features that add a level of security to those accounts. For example, CyberArk has the capability to synchronize and automatically rotate privileged account credentials. This can be done on-schedule, on-demand, or even after each use. For audit purposed, CyberArk also requires users to “check-out” credentials prior to being used. This is especially significant for any shared accounts that may be in use. This “check-out” method provides a record of who is accessing what accounts and when. Additionally, CyberArk can request that users provide specific justification before accessing privileged accounts.
As with any security implementation, there are several solutions on the market that can assist with many of the tasks contained in the CSC5 sub-controls. While there is no single solution that is right for every organization, a thorough evaluation of the organization’s environment, goals, and objectives can help determine which solutions are right for them.ePlus offers a Cloud Usage & Risk Assessment that helps an organization determine what solutions can better protect their data within shared cloud applications. ePlus also offers solutions that help your organization manage your multi-cloud landscape, including IAM solutions. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. For more information about how you can implement the recommendations of the CSC5 sub-controls, visit www.cisecurity.org/controls/ or contact us at firstname.lastname@example.org. You can also contact your ePlus Account Executive directly.