There is a curious thing I’ve noticed. Despite all the security problems an administrator account might be exposed to, many are still working on it on a daily basis… What’s wrong with that?
Here is a scary story! Back at the beginning of 2000, I’ve witnessed an unfolding security incident in a company. First, it started with an innocent e-mail sent to a user, of whom the attacker knew he owns admin’s rights.
This e-mail looked completely valid and it was from trusted source, so it just required a simple answer. But when the bad guys got the answer, the next message was malicious. And BOOM… They have owned his administrator account, just like that.
As you can see, spear phishing is not a new tool. Just connect it with high privileges granted and then not revoked, and we have the perfect recipe for disaster. I know plenty of organizations with over 300 domain admins – you can probably imagine how many of them are receiving e-mails on their domain accounts.
So today I will guide you through 6 steps you can take with little cost and effort to improve your environment security and address common issues related to administrator accounts in the Windows environment.
But before we begin to explore all the solutions, let’s first play a game. Take a pen and open your notepad to mark each of these steps you find relevant to your organization. Ready? So let’s begin.
Step 1 – Local passwords
The same local admin password on every workstation is a typical case. But it helps traveling within your network through lateral movement. One workstation taken means that all of them are owned.
What can be a simple solution to that? Deploy LAPS (Local Administrator Password Solution) to address the problem with local administrator passwords on workstations and servers. This is a free tool randomizing local admin passwords and storing it securely in the Active Directory. Simple, easy to deploy and efficient.
How does it help? It is slowing down lateral movement in your network and if a breach happens, it requires each workstation to be taken over separately.
Step 2 – Administrator account
Administrators are working on their accounts on a daily basis. And that’s a bad idea…
Then how to solve it? Let’s introduce a strict separation of admin accounts from the regular ones. Thus, it means no more Internet browsing or email checking as an admin. Every administrator needs to have a separate account and a dedicated admin workstation – especially domain admins. So create administration silos based on roles and functions in your organization.
How does it help? Well, let’s assume a breach happened – credentials are stolen. Where can the attackers get access to? What they can steal? If you ensure that regular accounts are separated from privileged accounts, you make the attack harder to be executed.
Your credentials are stolen… What now?! See which DEADLY mistakes to avoid as an admin: http://ctt.ec/ET2yf+
Step 3 – Admin workstation
Admin is working on their office workstation! Again – a bad idea. Why? If they have access to the Internet, they can be hacked, and the attack surface is broader.
How to solve it? Introduce dedicated workstations for admins to do their work – these should be with no Internet access, email or even office clients. By the way, using a Virtual Machine on your normal workstation is not a solution. If your workstation gets owned, your VM gets owned. Think about that.
How does it help? If you have your admin accounts separated, using them only on dedicated workstations will make them less exposed. Remember to lock-down security on these workstations.
Step 4 – Abandoned remote session
Abandoned remote sessions… You know what it is, right? The perfect gift for the attacker. When you are logged on, your credentials are in memory. The attacker goes in, and it is time to unpack the presents.
Remember to enforce remote sessions to be ended and the user to be logged off. How many times have you closed your session by disconnecting it just to be ready for the next log on? Don’t do this! Always log off and enforce it through policies to log-off disconnected sessions.
How does it help? The main technique for carrying out an attack right now is stealing credentials from running sessions’ memory. If you leave your session running, you are also leaving it for others to harvest your credentials.
Step 5 – Service accounts with high privileges
Remember that your service account credentials can be stolen. Never ever agree to grant a service account high privileges if these are not needed. If someone asks for it, say no! And moreover, ask “why you need that?”. You would be surprised to see how many services are running as domain admins.
Do you have such accounts in your environment right now? Make a mark in your notepad. Use group managed service accounts when possible to limit their privileges.
How does it help? Service account credentials are relatively easy to harvest when someone has access to the system. If a service account has privileges in the network, it’s like opening the doors to an escalation of privileges.
Step 6 – Privileges once granted stay forever
Do you have a procedure to revoke admin privileges once granted? No? Again – mark it in your notepad… Do you think you know who your domain admin is? I mean the real one. What about the guy doing a domain controller backup?
You can solve it with procedures and tools. Use the one I recommend – Microsoft Privilege Access Management (PAM) to grant and revoke it.
How does it help? Fewer admin accounts make the attack surfaces lower, and it is easier for you to control them.
Well, we are done. These above are the six fundamental problems and steps to solve them. How many marks have you written in your notepad? If less than three you are doing great – at least you’re doing more in this area than most of the organizations I know and have worked with. But things always can be better.
If you have three or more marks – you need to plan some actions on your security. On our blog, we have put together some resources and links which can help you start with this.
All in all, if you want to get even more IT insights and solutions, we release a new blog post with a video every week. It’s easy to miss out, so make sure you follow us on Facebook or YouTube. Also, if you’ve honestly found it helpful, spread the love and share this video with your fellows.
And last, but not least — if you need more personalized help, just < contact me >.
Thanks and see you in the next episode.