Over the years, Microsoft has published a variety of articles relating to 10 Immutable Laws of Security. One of my favorites was from 2000 – Law #9: Security isn’t about risk avoidance; it’s about risk management. The two bullets from this are as true today as they were almost 20 years ago.
- There will be times when business imperatives conflict with security.
- Your network security will be compromised.
“The place to deal with both of these issues is in your security policy.” Accept that you have been compromised, whether through human error or a malicious attack. Also accept that there will be organizational challenges that conflict with your utopian IT security goals. Embrace the challenges and create a security policy to manage the risks.
The second oldie but goodie, from Microsoft Windows Security Resource Kit, 2nd edition, was published in 2005. “Always think of security in terms of granting the least amount of privileges required to carry out the task.” Again, the guiding principle of Least Privilege remains true today.
Unfortunately, we find that in reality IT folks are not following these basic rules and the hackers know it. An easy way for the bad guys to infest your network is by escalating privilege, but the easiest way is to find a permanent account with elevated privileges throughout the enterprise and then compromise the account. The age–old pass-the-hash attacks are still effective, but regardless of the method of compromise, the privileged account is the target.
Active Directory Review
These accounts pose as high–risk targets:
- Enterprise Admins should be EMPTY
- Membership of this group need only be granted for specific tasks related to schema management and upgrades and then should be promptly removed upon completion.
- Schema Admins should be EMPTY
- Review, remove, audit.
- Domain Administrators
- Administrators should NOT be using their named user accounts for Administrative tasks. The named user account should be for daily workstation logins, checking email etc. for daily workstation tasks. A separate Administrator account per Admin should be utilized for tasks that require elevated privilege.
- Review use of Domain Administrators for backup jobs, use least privilege.
- Remember – anyone in this group has the ability to elevate any user to EA and SA.
Cross Forest Trust
- Domain Level Elevated Accounts in Forest A should not have elevated rights in Forest B.
- Local Administrators
- Review Nested groups and their members
- Local Administrators
- Even with UAC enabled, these users have elevated risk to the workstation.
- Create a unique local privileged account per workstation for select users that require elevation. When required, the UAC will prompt the user for this account. If this unique account is comprised, the risk is reduced as the credentials are not valid on the domain.
Reviewing built-in highly elevated user accounts and groups in Active Directory is the low hanging fruit of Risk Management. Least privilege for user access and risk can be further managed with Role-Based Access Controls (RBAC) and Group Policy Objects (GPOs). Risk Management can also be addressed with the implementation of Multi-Factor Authentication (MFA). These controls can be more complicated to implement. Please reach out to us if you would like to have a conversation about any of these security controls. In developing your security policy, my recommendation is to keep the golden nuggets Risk Management and Least Privilege in your mind.
Peters & Associates has many years of experience and we have helped clients of all types raise the bar when it comes to enhancing their information security posture. In addition to cloud architecture, network engineering, and traditional managed services – We provide a wide array of security services to manage risk and align with your organizational goals. Peters & Associates has seasoned security professionals on staff that are part of our security advisory and managed services offering, ensuring a security focused approach for your organization. Contact us at firstname.lastname@example.org to learn more – we are happy to help!