BreachExchange mailing list archives

5 tips to protect your admin credentials


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Feb 2016 18:48:16 -0700

http://www.infoworld.com/article/3030269/security/5-tips-to-protect-your-admin-credentials.html

Protecting elevated authentication credentials is one of the best
defense-in-depth strategies any company can deploy.

In today’s pass-the-hash, pass-the-Kerberos-token, steal-any-credentials
world, preventing credentials from falling into the wrong hands can be the
entire battle. Identity is security. If an identity and its authentication
credentials get into the wrong hands, often enough, it’s game over.

For decades we’ve told people not to stay logged in as admin or root all
the time. Alternatively, they should have two accounts: one for regular
user duties (email, browsing the Web, and so on) and another elevated one
for administrative duties.

That’s the old way of thinking. Today’s advice includes using just-in-time
credentials, two-factor authentication, and least-privilege delegation.

Minimize permanent membership

Start by minimizing the number of permanent members of any elevated group
as much as possible. The Holy Grail is zero members of any elevated group.
If you can’t get to zero, get to near zero. Your processes, tools,
services, and applications should be able to work in a world where no one
needs to be an elevated admin all the time. This is the 21st century, after
all.

Use two-factor authentication

Many companies have been compromised because their users and admins either
had their credentials phished away or they reused a password on both
corporate and unrelated, third-party sites and services. The bad guys break
into the third-party site, then see if they can reuse stolen credentials on
the corporate network.

That’s why anyone who can be elevated to do something administratively
should be required to use two-factor authentication (or better) to log
on. Two-factor authentication doesn’t provide as much protection as most
people think (for example, pass-the-credential attacks are still viable),
but it helps, mainly because admins can’t be phished out of a plaintext
password or PIN anymore.

Delegate, delegate, delegate

Even in a Holy Grail environment of zero permanent admins, admins are
needed -- or more precisely, people who need to perform
administrative-level tasks are needed. But we need to make sure most of
those administrative tasks are performed by people who are less than full
admins.

Most administrators do not need everything a full admin credential gives
them. Some tasks absolutely require full admin privileges, but those
scenarios are not typical. In the majority of cases, an elevated credential
can be a “delegated” permission or privilege, while still remaining least
privilege -- only the bare essential access to do the job. Even then, it
should be accorded only while needed.

Implement just-in-time credentials

I’m a huge fan of systems that give users elevated privileges and
permissions for only as long as they need to perform their admin duty --
after which they’re taken away. These are known as just-in-time systems.

A decade or so ago the idea of delegated, just-in-time access was promoted
as the best access control model in what is known as role-based access
control. I’ve been a believer in it ever since. The idea was that the
application developers are the only ones who really know which rights and
permissions are needed to perform a particular application task.

Developers figure out what’s needed and hard-code those various permissions
and privileges to particular tasks, which are then collected into
particular application roles. Users and application administrators place
application users into various application roles; those users are then
allowed to perform these predefined tasks while in the application and only
while in the application.

To assign permissions and privileges any other way is really a bit insane.
How did our computer networks evolve so that network administrators are the
ones who guess at and assign permissions? They aren’t the application
owners -- and are almost never the masters of every application -- yet
they’re expected to outthink application developers about who needs which
rights and permissions.

I’m fairly confident that role-based access control will be the ultimate
and only access control model we all use. But we're stuck in another
critical transition between what we have and what we will eventually have.
Until then, just-in-time, two-factor, least-privilege delegation is the way
to go. I don’t care how you get there. It can be a program that does all
the behind-the-scenes work for you, or you can do it manually or using
scripts. How you get there is not as important as getting there.
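
The three ideas above (no permanent members of elevated groups, delegated
least-privilege roles, and just-in-time grants that require a second factor)
fit together in a small broker. The following is an added example written for
this archive entry, not code from the article or from any product it mentions;
the role names, permission strings, lifetimes and the "INC-1042" justification
are constructed for illustration. Time is passed in explicitly so the policy
can be checked deterministically.

```python
from dataclasses import dataclass

# Delegated roles (constructed for this example): each bundles only the
# permissions one kind of task needs.  "domain-admin" is the full-power
# role and is deliberately given the shortest maximum lifetime.
ROLES = {
    "helpdesk": {"user:reset-password", "user:unlock"},
    "dns-admin": {"dns:edit-zone", "dns:restart-service"},
    "domain-admin": {"*"},
}
MAX_TTL_SECONDS = {"helpdesk": 8 * 3600, "dns-admin": 2 * 3600, "domain-admin": 30 * 60}


@dataclass
class Grant:
    user: str
    role: str
    granted_at: float
    expires_at: float
    justification: str


class JitBroker:
    """Hands out time-boxed role grants.  There is no notion of standing
    membership: a user holds a role only while an unexpired grant exists."""

    def __init__(self):
        self.grants = []   # every grant ever issued, kept for the audit trail
        self.audit = []    # human-readable log of grants, denials and revocations

    def request(self, user, role, ttl_seconds, justification, *, mfa_verified, now):
        """Issue a grant, or return None (and log why) if policy is not met.
        'now' is a timestamp supplied by the caller, so the logic is testable."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if not mfa_verified:
            self.audit.append(f"DENY {user} -> {role}: second factor not verified")
            return None
        if not justification.strip():
            self.audit.append(f"DENY {user} -> {role}: no justification given")
            return None
        # Cap the requested lifetime at the role's policy maximum.
        ttl = min(ttl_seconds, MAX_TTL_SECONDS[role])
        grant = Grant(user, role, now, now + ttl, justification)
        self.grants.append(grant)
        self.audit.append(f"GRANT {user} -> {role} for {ttl}s: {justification}")
        return grant

    def active_grants(self, user, *, now):
        """Grants for 'user' that have not yet expired at time 'now'."""
        return [g for g in self.grants if g.user == user and g.expires_at > now]

    def has_permission(self, user, permission, *, now):
        """True only if an unexpired grant covers the permission."""
        for grant in self.active_grants(user, now=now):
            perms = ROLES[grant.role]
            if "*" in perms or permission in perms:
                return True
        return False

    def revoke(self, user, role, *, now):
        """End a grant early (task finished, or during incident response)."""
        for grant in self.active_grants(user, now=now):
            if grant.role == role:
                grant.expires_at = now
                self.audit.append(f"REVOKE {user} -> {role}")


if __name__ == "__main__":
    broker = JitBroker()
    broker.request("alice", "dns-admin", 3600, "INC-1042", mfa_verified=True, now=0.0)
    print(broker.has_permission("alice", "dns:edit-zone", now=600.0))   # True
    print(broker.has_permission("alice", "user:unlock", now=600.0))     # False: not in role
    print(broker.has_permission("alice", "dns:edit-zone", now=3600.0))  # False: expired
    print("\n".join(broker.audit))
```

The design choice worth noting is that there is no data structure for
permanent membership at all: the only way to hold a right is through a grant
with an expiry, so "near zero standing admins" is enforced by construction
rather than by periodic clean-up, and every elevation leaves an audit line
with its justification.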

Require armor-plated boxes

A recent addition to the just-in-time model is the new requirement that all
administrative credentials are entered, and all administrative tasks
performed, only on very secure computers. No more logging on as admin to
your regular computer, which could be already compromised by malware or a
hacker. Nope, admins should be restricted to using only dedicated computers
(physical computers are better than virtual machines). The systems they
connect with should accept admin connections from only these secure
computers.

Secured computers should not have an Internet browser or be allowed to
initiate or accept connections from the Internet (or only allowed to accept
connections from a small set of predefined sites). Application control
software should restrict which programs the admin can run -- and only a
small set of software programs should be on that list.

What secure administration really means

Administrators should use the most secure admin methods possible. Logging
on to other computers in a way that leaves credentials hanging around for
the hacker to steal should be forbidden or minimized. If possible, admins
should use remote methods that do not send stealable credentials at all.
Get your admins out of the habit of using GUIs that require full local or
remote logons.
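
The two previous sections amount to a policy that can be checked in logs:
admin accounts should only authenticate from dedicated admin workstations,
and should avoid logon types that leave reusable credentials on the target
machine. The following detection is an added example for this archive entry,
not code from the article; the account names, the PAW host names and
addresses, and the key=value event lines are all constructed, and the line
format is a simplified stand-in for a real Windows Security event 4624
record (in which logon type 2 is Interactive, 3 is Network and 10 is
RemoteInteractive).

```python
from dataclasses import dataclass

# Constructed for this example: admin account naming and the allowlist of
# privileged access workstations (PAWs) by host name and address.
ADMIN_ACCOUNTS = {r"CORP\jdoe-adm", r"CORP\svc-backup"}
PAW_HOSTS = {"PAW01", "PAW02"}
PAW_ADDRS = {"10.10.50.11", "10.10.50.12"}

# Logon types from event 4624 that create an interactive session on the
# target and therefore leave credential material in memory there.  A type 3
# (Network) logon does not.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive"}

# Constructed sample events.  SourceIP "-" means a local console logon.
SAMPLE_EVENTS = [
    r"EventID=4624 TargetUser=CORP\alice LogonType=3 Computer=FILESRV01 SourceIP=10.20.3.15",
    r"EventID=4624 TargetUser=CORP\jdoe-adm LogonType=3 Computer=FILESRV01 SourceIP=10.10.50.11",
    r"EventID=4624 TargetUser=CORP\jdoe-adm LogonType=10 Computer=FILESRV01 SourceIP=10.20.3.77",
    r"EventID=4625 TargetUser=CORP\jdoe-adm LogonType=10 Computer=FILESRV01 SourceIP=10.20.3.77",
    r"EventID=4624 TargetUser=CORP\svc-backup LogonType=2 Computer=BACKUP01 SourceIP=-",
    r"EventID=4624 TargetUser=CORP\jdoe-adm LogonType=2 Computer=PAW01 SourceIP=-",
]


@dataclass(frozen=True)
class Finding:
    user: str
    computer: str
    origin: str
    logon_type: int
    reason: str


def parse_event(line):
    """Parse one key=value event line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def is_paw(origin):
    return origin in PAW_HOSTS or origin in PAW_ADDRS


def analyse(lines):
    """Return a Finding for every admin logon that violates the PAW policy."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful logons matter here
        user = ev["TargetUser"]
        if user not in ADMIN_ACCOUNTS:
            continue  # regular users are out of scope for this rule
        logon_type = int(ev["LogonType"])
        computer = ev["Computer"]
        # For a console logon the origin is the machine itself.
        origin = ev["SourceIP"] if ev["SourceIP"] != "-" else computer

        # Interactive-style logon onto anything other than a PAW leaves
        # admin credentials on a host that may already be compromised.
        if logon_type in INTERACTIVE_LOGON_TYPES and not is_paw(computer):
            findings.append(Finding(user, computer, origin, logon_type,
                f"{INTERACTIVE_LOGON_TYPES[logon_type]} logon leaves credentials on non-PAW host"))

        # Any admin logon that did not originate from a PAW breaks the
        # "only from secure computers" rule, whatever the logon type.
        if not is_paw(origin):
            findings.append(Finding(user, computer, origin, logon_type,
                "admin logon originating outside the PAW allowlist"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.user} on {f.computer} from {f.origin} (type {f.logon_type}): {f.reason}")
```

Run against the sample, the rule stays silent for the network logon from a
PAW and for the console logon on the PAW itself, and reports the RDP session
onto the file server and the console logon on the backup host, each for both
reasons. In a real deployment the two allowlists would come from inventory
data and the parser from the SIEM's 4624 schema; the policy logic is the part
worth keeping.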

I’m not unique in offering this advice. This, and more, is recommended by
many organizations. Heck, some companies have been running this way for
decades.

My only somewhat new suggestion: Your secure admins running on secure admin
workstations should also include all your application admins. Data theft
doesn’t require a hacker to steal operating system admin credentials.
Often, all that’s needed is the access of a regular user. I’ve seen some
applications with dozens to hundreds of all-powerful admins. Do they need
that power? Are they properly protected? Almost never in both cases.

Credentials are the main battlefront in our ongoing computer security war.
Deploy everything you have to protect them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/