Inventory management and personnel management are critical to making this work. Often, the difference between your company becoming a statistic and catching someone who has gained a foothold in your network is limiting the privilege of users on your systems. If the first check I run after landing on one of your systems, whether or not I am a local administrator, comes back positive, you are likely hosed.
CSC #4 – Controlled Use of Admin Privileges
Putting together the small-network management puzzle will require some outside resources: assistance, guidance, a bit of luck, and potentially more. We have discussed the Managed IT Provider (MSP/MSSP) role and how it can help, and I stand by that here. A sound MSSP can take a significant burden off your shoulders.
But for this checkbox (Controlled Admin Privilege), we need to limit administrative privilege on the network. On many large networks, the control processes, documentation, user validation, and privileged-group membership monitoring are just part of day-to-day operations. As the owner/operator of a small business, however, limiting user privileges is something that must be part of employee orientation, ongoing education, and culture. It is your responsibility to tell your employees why they do not actually need administrative privilege on your company’s systems.
Let’s describe this in terms of risk, using the onion analogy. Every layer of the onion is a risk. Someone sitting at their desk in your office is the outside layer, which is easily peeled: once an email link is clicked, or credentials are submitted somewhere they shouldn’t be, that layer is gone. The next layers are your endpoint controls: antivirus, application whitelisting, and monitoring. As has been demonstrated over and over, these are just layers to be peeled back like the rest. The next layer, whether or not the user who just clicked to download that “Discount Coupon” application is a local administrator, can be the difference between the nightmare scenario of domain compromise and an isolated incident.
The following image demonstrates the onion from the opposite perspective, each layer being your defensible position.
Fine, no users are members of the local Administrators group. How then do we manage software installs? Hopefully, your MSSP has a ticketing system and this is something they can do remotely. First, this provides an opportunity for checks and balances: if your process requires executive or manager approval, that should happen first. Second, your MSSP or internal IT admin installs the software. Last, please gently remind your MSSP not to leave their accounts lying around as locked or disconnected sessions. These sessions are the targets of hackers and pentesters alike: if there is a path to these systems, they will be pillaged for all they are worth, which likely includes the credentials of the highly privileged account still logged on there.
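One way to find those left-behind sessions before an attacker does, as an added example that is not from the original post or from BHIS: it runs the built-in quser.exe against a list of servers, parses its fixed-width output, flags disconnected sessions belonging to privileged accounts, and optionally logs them off with logoff.exe. Disconnecting a session leaves the logon session (and the credential material LSASS holds for it) alive on the host; logging it off ends it. The server names and the privileged account names below are hypothetical, and it assumes you run it with admin rights on each server.

```powershell
# Added example (not from the BHIS post): find disconnected sessions of privileged
# accounts on a set of servers and optionally log them off.
# Assumes: admin rights on each server; quser.exe and logoff.exe present (built in).
# Server and account names are hypothetical.

function Get-RemoteSession {
    param([Parameter(Mandatory)][string]$ComputerName)

    # quser prints fixed-width text and the SESSIONNAME column is blank for
    # disconnected sessions, so match with a regex instead of splitting on spaces.
    # A leading ">" marks the caller's own session.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>Active|Disc)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    $lines = & quser.exe /server:$ComputerName 2>$null
    if (-not $lines) { return }   # no sessions, host unreachable, or access denied

    foreach ($line in ($lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $pattern) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                User         = $Matches.User
                Id           = [int]$Matches.Id
                State        = $Matches.State
                Idle         = $Matches.Idle
                Logon        = $Matches.Logon.Trim()
            }
        }
    }
}

function Find-StaleAdminSession {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # The accounts you care about most: your MSSP's admin accounts and anything
        # in Domain Admins. Hypothetical names.
        [string[]]$PrivilegedUser = @('mssp-admin', 'da-jsmith'),
        [switch]$LogOff
    )

    foreach ($server in $ComputerName) {
        Get-RemoteSession -ComputerName $server |
            Where-Object { $_.State -eq 'Disc' -and $PrivilegedUser -contains $_.User } |
            ForEach-Object {
                if ($LogOff) {
                    # Ends the logon session on that host rather than leaving it
                    # disconnected with its credentials still resident.
                    & logoff.exe $_.Id /server:$server
                    $_ | Add-Member -NotePropertyName Action -NotePropertyValue 'LoggedOff' -PassThru
                } else {
                    $_ | Add-Member -NotePropertyName Action -NotePropertyValue 'Report' -PassThru
                }
            }
    }
}

# Usage: report first, then log off once the MSSP has confirmed nothing is in progress.
Find-StaleAdminSession -ComputerName 'srv-file01', 'srv-app01' | Format-Table -AutoSize
# Find-StaleAdminSession -ComputerName 'srv-file01', 'srv-app01' -LogOff
```

Run the report mode on a schedule; a privileged account that shows up as disconnected day after day is exactly the account whose owner needs the gentle reminder above.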
Password management ties into about every CSC and NIST control defined in some way. Managing the passwords for privileged accounts, switches, access points, routers, and domain administrators also requires some thought. The following is a list of password managers that can help employees adhere to password policies without resorting to sticky notes. Many of them allow the creation and delegation of privileges, which can also be revoked at a moment’s notice.
All of these still require some form of authentication, so please take extreme caution when managing the “One Password To Rule Them All,” and enable two-factor authentication!
Along with managing user privileges on your network’s workstations, be sure that groups like “Domain Admins”, “Enterprise Admins”, and “Schema Admins” are well managed and that the members of these groups have been vetted and belong there. Another part of policy and procedure implementation is an annual audit and review of those policies, and of the group memberships they govern.
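The two memberships this post asks you to control, the local Administrators group on workstations and the domain groups named just above, can be checked against an approved list with the same routine. The following is an added example and not code from the original post or from BHIS: it reads the domain groups recursively (nested groups are where hidden admins usually live), reads the local Administrators group on each workstation over PowerShell Remoting, and reports any member not on the approved list. It assumes the RSAT ActiveDirectory module on the machine running it, Remoting enabled on the workstations, and rights to read both; the domain name CORP, the host and account names, and the approved lists are hypothetical.

```powershell
# Added example (not from the BHIS post): report unapproved members of privileged
# groups, both domain (Domain Admins, Enterprise Admins, Schema Admins) and the
# local Administrators group on workstations.
# Assumes: RSAT ActiveDirectory module, PowerShell Remoting to the workstations,
# read rights on both. Domain "CORP", hosts, accounts and approved lists are hypothetical.

Import-Module ActiveDirectory

# Who is supposed to be where. Keep this under change control; it is your policy.
$Approved = @{
    'Domain Admins'     = @('CORP\da-jsmith', 'CORP\da-breakglass')
    'Enterprise Admins' = @()                                         # should normally be empty
    'Schema Admins'     = @()                                         # should normally be empty
    'Administrators'    = @('CORP\Domain Admins', 'CORP\ws-admins')   # local group on workstations
}

function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$Scope,      # 'DOMAIN' or a workstation name
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ActualMember
    )
    $allowed = $Approved[$Group]
    foreach ($m in $ActualMember) {
        # -notcontains is case-insensitive, matching how Windows treats account names
        if ($allowed -notcontains $m) {
            [pscustomobject]@{ Scope = $Scope; Group = $Group; Member = $m; Status = 'UNAPPROVED' }
        }
    }
}

function Test-DomainPrivilegedGroups {
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        # -Recursive expands nested groups so a user tucked into a group inside
        # Domain Admins is still reported.
        $members = Get-ADGroupMember -Identity $g -Recursive |
                   ForEach-Object { "CORP\$($_.SamAccountName)" }
        Compare-GroupMembership -Scope 'DOMAIN' -Group $g -ActualMember @($members)
    }
}

function Test-LocalAdministrators {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($ws in $ComputerName) {
        # Get-LocalGroupMember reports names as DOMAIN\user or COMPUTER\user.
        $members = Invoke-Command -ComputerName $ws -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        } -ErrorAction SilentlyContinue
        # The built-in local account (COMPUTER\Administrator) is expected; anything
        # else that is not on the approved list gets flagged.
        $members = @($members | Where-Object { $_ -ne "$ws\Administrator" })
        Compare-GroupMembership -Scope $ws -Group 'Administrators' -ActualMember $members
    }
}

# Usage: run on a schedule and treat every line of output as a ticket.
$findings = @(Test-DomainPrivilegedGroups) + @(Test-LocalAdministrators -ComputerName 'ws-001', 'ws-002')
$findings | Format-Table -AutoSize

# Remediation for a workstation finding, once it has gone through your change process:
# Invoke-Command -ComputerName 'ws-001' { Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jdoe' }
```

A workstation that does not answer over Remoting produces no findings rather than an error here, so pair this with your inventory (CSC #1) to notice hosts that silently drop out of the check.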
Networks do not operate themselves, and while they are often neglected, they should not be. Make your network, its associated policies and procedures, and your business more secure by playing the governing role.
As always, if you want to see or hear more, drop us a line – firstname.lastname@example.org.