How LepideAuditor helps implement the Principle of Least Privilege

By Aidan Simister, 09.20.2017, Data Security


One specific concept we’ve been talking about a lot recently here at Lepide is the Principle of Least Privilege (PoLP). The principle holds that a ‘user should only be able to access the information and resources he or she requires for legitimate reasons’.

Opportunity Knocks…

It’s such an important concept to understand. When we analyse the root causes of data leakage incidents, a great many can be attributed to opportunism. Often the perpetrators of data leakage aren’t malicious by nature. They aren’t part of any organised crime group and they aren’t hardened foreign hackers. They are ‘normal’ employees. They may be disengaged, but either way, they’re opportunists. These people realise they have access to data (files or folders) that they can use or abuse for personal or financial gain.

One recent example we had was a services company based in the USA (who will remain nameless, for obvious reasons). Members of the sales department realised they could access an ‘approved expenses’ folder and modify expense amounts after the expenses had been approved, and they were reimbursed for the altered amounts. In this instance PoLP was definitely not in force. We see this issue so often: employees have disproportionate or inappropriate levels of permission to data.

Data is money…

Data is the equivalent of hard cash. However, because it’s not physical or tangible, there is a perception amongst employees that ‘touching’, sharing or copying the data is not really a crime. Perhaps the issue with data security is simply one of perception?

The statistics are worrying…

Here at Lepide, we’ve been in this industry for a little over 14 years now and have dealt with some of the world’s largest enterprises. We’re frankly shocked at how little time and effort is put into ensuring least privilege.

In our research, only 60% of mid-to-large sized organisations are able to proactively keep track of current permissions or changes to permissions.

Worse still, 65% of all organisations don’t have a process or a mechanism in place for tracking/alerting based on the interaction of users with their data.

We completely understand the complexity of such issues and we recognise that permission sprawl is a real challenge for organisations to manage. However, we believe a more proactive approach needs to be taken where least privilege is concerned in order for issues such as data leakage, insider threats and privilege abuse to be properly addressed.

In principle, this concept is obvious: you give people access only to the resources they need, and only the level of access they need. In practice, for many organisations it simply doesn’t work like that.

So how can LepideAuditor help…

We knew we had a proven track record of helping organisations keep track of data interaction, but we saw a real gap in our customers’ security when it came to access rights.

So, here’s what we did.

We placed ourselves in the ‘shoes’ of our prospects. We approached the scenario as if we were a mid-market finance organisation, starting with a simple Google search. We tried a few terms and the first thing we saw was a distinct lack of choice. When we dug deeper and managed to find some vendors that positioned themselves as offering PoLP solutions, it was clear that the options were limited and could be placed into three distinct categories:

1. Those that were hugely expensive

2. Those that were very crude

3. Those that were too complicated.

In some cases, a vendor fell into more than one of these categories. This was the point at which we knew we could add value to this space.

As an integrated feature of LepideAuditor, we introduced our current permissions feature. We set out to make it as simple, intuitive and easy to deploy as possible.

The objective was to ensure any organisation – irrespective of size, sector or budget – would be able to take a file or folder and show who has which level of access to it, by what means the access was granted and what the historical permissions were (all in a matter of clicks). We wanted to ensure that organisations had a quick and easy way of instantly getting the information they needed to help keep access rights limited to only those who legitimately need them.

Let’s see it in action…

To help keep privileges in check, LepideAuditor includes the following permission reports for Active Directory.

1. Permission Modifications: It shows all changes made to the permissions of Active Directory objects. You can see both the value before the change and the final value after it.

Figure 1: Active Directory Object Permission Modifications

2. Permission Comparison: It lets you compare the permissions of an object between two dates.

3. All Permissions to an Object: It lists every permission granted on an object and which other Active Directory object (user, group or computer) holds it.

4. Permissions of an Object: It shows the effective permissions a given object holds, after group membership and inheritance are taken into account.

Importantly, LepideAuditor keeps track of user permission modifications across the IT infrastructure, including Active Directory, Exchange Server, SharePoint Server, SQL Server, Exchange Online, Windows File Server and NetApp Filers.

The screenshot below, taken from LepideAuditor’s File Server auditing, shows exactly which change was made to users’ permissions on the folder in question.

Figure 2: Folder Permission Modified

There is more. Our solution is equipped with Historic Permission Changes reports for Active Directory, Exchange Server and File Server. These let you see what changes have been made to the permissions of objects, mailboxes, files and folders across your IT infrastructure. You can view the entire permission history of an item and compare its permissions between two given dates. In this screenshot, you can see the historical permissions of a file, based on a specified date range:

Figure 3: Historic Permission Changes of a File

For ongoing maintenance of user privileges on data, the solution analyses the current permissions of users on all shared folders and their files. Effective access is evaluated by combining the share permissions with the NTFS permissions: when a folder is reached over the network, the more restrictive of the two applies, so a generous share permission does not by itself grant access that NTFS withholds, and vice versa. See a sample here.

Figure 4: Analysis of Current Permissions of Users on a Folder
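To make the share-versus-NTFS evaluation concrete, here is an added example (not LepideAuditor’s code) that models how effective access to a shared folder is derived for each user: nested group membership is expanded, deny ACEs override allow ACEs, and the result is the intersection of the share rights and the NTFS rights. The right sets, the group directory and the two ACLs are constructed for illustration and are simplified relative to real NTFS rights; the “before” ACL reproduces the over-permissioned ‘approved expenses’ folder from the text, and the “after” ACL the least-privilege version.

```python
"""Model of effective access to a shared folder: NTFS permissions capped by
share permissions, with nested-group expansion and deny-over-allow.
Added illustration on constructed data; not LepideAuditor's implementation."""
from dataclasses import dataclass

# Simplified right sets (real NTFS rights are more fine-grained than this).
R = frozenset({"read"})
M = frozenset({"read", "write", "delete"})
F = frozenset({"read", "write", "delete", "change_permissions"})
SHARE_LEVELS = {"Read": R, "Change": M, "Full Control": F}


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name
    rights: frozenset   # rights granted (allow) or withheld (deny)
    allow: bool = True  # False makes this a deny ACE


# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Sales": {"alice", "bob"},
    "Finance": {"carol", "Finance-Approvers"},
    "Finance-Approvers": {"dave"},
    "Domain Users": {"alice", "bob", "carol", "dave"},
}


def expand_groups(principal, groups=GROUPS):
    """Return the principal plus every group it belongs to, following nesting."""
    ids = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in ids and members & ids:
                ids.add(group)
                changed = True
    return ids


def effective(acl, user):
    """Rights from one ACL: union of matching allows minus matching denies.
    Deny ACEs win regardless of their position in the list."""
    ids = expand_groups(user)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in ids:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def network_access(ntfs_acl, share_acl, user):
    """Access through the share is the intersection of share and NTFS rights:
    the more restrictive of the two applies."""
    return effective(ntfs_acl, user) & effective(share_acl, user)


def report(ntfs_acl, share_acl, users):
    """Per-user effective rights on the folder, the view an auditor wants."""
    return {u: network_access(ntfs_acl, share_acl, u) for u in users}


def over_privileged(rep, permitted_writers):
    """Users who can change data but are not legitimate writers."""
    return sorted(u for u, rights in rep.items()
                  if "write" in rights and u not in permitted_writers)


# Constructed sample modelled on the "approved expenses" folder in the text.
USERS = ["alice", "bob", "carol", "dave"]
SHARE_ACL = [Ace("Domain Users", SHARE_LEVELS["Change"])]   # share: Domain Users / Change
BAD_NTFS = [                                                # before: anyone can modify
    Ace("Finance", F),
    Ace("Domain Users", M),
    Ace("bob", frozenset({"delete"}), allow=False),         # explicit deny still applies
]
FIXED_NTFS = [                                              # after: least privilege
    Ace("Finance-Approvers", M),
    Ace("Finance", R),
]
APPROVERS = {"dave"}  # the only legitimate writers in this constructed scenario

if __name__ == "__main__":
    for label, acl in (("before", BAD_NTFS), ("after", FIXED_NTFS)):
        rep = report(acl, SHARE_ACL, USERS)
        for u in USERS:
            print(f"{label:6} {u:6} {sorted(rep[u])}")
        print(f"{label:6} over-privileged: {over_privileged(rep, APPROVERS)}")
```

Running it shows the two things an auditor needs to see at once: under the “before” ACL every salesperson can modify the folder through the share, and carol’s NTFS Full Control is capped to Change by the share permission; under the “after” ACL only the approver retains write access.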

Another important feature we developed to help our customers with least privilege was real-time alerting. This enables organisations to know proactively when a user is added to a security group or a permission is changed directly. The main business benefit here, of course, is that you can reduce permission sprawl: if someone is inadvertently given inappropriate or illegitimate permissions, you have a proactive means of catching it rather than discovering it in a later review.

In this screenshot, you can see an email sent as a real-time alert to designated recipients when the permissions of the default “Users” container are modified.

Figure 5: Alert email to notify a permission change on the “Users” container

Such alerts can also be sent as push notifications to the LepideAuditor App (available for Android and Apple devices) or as updates delivered on the built-in Radar tab.

Automated scripts (for example, a command to shut down a computer or stop a service) can also be triggered to counter a sudden but critical permission change. Triggering a script is one thing, but how do you restore an unwanted permission change in Active Directory, or an unwanted privilege policy change in Group Policy? Our proprietary object state backup and restore technology captures backup snapshots at regular intervals, and these can be used to restore Active Directory objects and their permissions, and entire Group Policies, with a few clicks. Note that a restore returns an object to the state recorded in a snapshot, so the snapshot interval determines how recent a known-good state you can roll back to.

Figure 6: Restoring Permissions of Users on an Organizational Unit
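The Permission Comparison and Historic Permission Changes reports, the real-time alerting on group membership and direct permission changes, and the snapshot-based restore described above all rest on the same operation: diffing an object’s recorded state between two points in time. The following added example (not LepideAuditor’s code) models that on constructed snapshots. Each snapshot maps an object to a set of entries, where an entry is either an ACE written as `Allow|trustee|right` or a group membership written as `member|account`; the object names, dates, entries and watch lists are all invented for the illustration.

```python
"""Model of permission-snapshot comparison, change history, alerting and
rollback. Added illustration on constructed data; not LepideAuditor's code."""
from collections import namedtuple

Change = namedtuple("Change", "timestamp obj added removed")

# Constructed object names.
USERS_CN = "CN=Users,DC=corp,DC=local"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=local"
EXPENSES = r"\\fs01\Finance\ApprovedExpenses"

# Constructed snapshots: date -> object -> set of entries.
SNAPSHOTS = {
    "2017-09-01": {
        USERS_CN: {"Allow|Domain Admins|GenericAll", "Allow|Authenticated Users|GenericRead"},
        DOMAIN_ADMINS: {"member|Administrator"},
        EXPENSES: {"Allow|Finance|Modify"},
    },
    "2017-09-10": {
        USERS_CN: {"Allow|Domain Admins|GenericAll", "Allow|Authenticated Users|GenericRead",
                   "Allow|HelpDesk|WriteDacl"},                 # direct permission change
        DOMAIN_ADMINS: {"member|Administrator"},
        EXPENSES: {"Allow|Finance|Modify", "Allow|Domain Users|Modify"},   # sprawl
    },
    "2017-09-20": {
        USERS_CN: {"Allow|Domain Admins|GenericAll", "Allow|Authenticated Users|GenericRead",
                   "Allow|HelpDesk|WriteDacl"},
        DOMAIN_ADMINS: {"member|Administrator", "member|jsmith"},   # membership change
        EXPENSES: {"Allow|Finance|Modify"},                          # sprawl cleaned up
    },
}


def compare(snapshots, obj, date_a, date_b):
    """Permission Comparison: entries added and removed between two dates."""
    before = snapshots[date_a].get(obj, set())
    after = snapshots[date_b].get(obj, set())
    return after - before, before - after


def history(snapshots, obj):
    """Historic Permission Changes: one Change per interval in which obj changed."""
    dates = sorted(snapshots)
    changes = []
    for prev, cur in zip(dates, dates[1:]):
        added, removed = compare(snapshots, obj, prev, cur)
        if added or removed:
            changes.append(Change(cur, obj, added, removed))
    return changes


# Alert rules: objects whose ACL must not change, and groups whose membership
# must not grow. Both lists are constructed for the example.
WATCHED_OBJECTS = {USERS_CN}
PRIVILEGED_GROUPS = {DOMAIN_ADMINS}


def alerts(change):
    """Alert messages raised by a single Change under the rules above."""
    msgs = []
    if change.obj in WATCHED_OBJECTS:
        msgs.append(f"{change.timestamp}: permission change on {change.obj}: "
                    f"+{sorted(change.added)} -{sorted(change.removed)}")
    if change.obj in PRIVILEGED_GROUPS:
        for entry in change.added:
            if entry.startswith("member|"):
                msgs.append(f"{change.timestamp}: {entry.split('|', 1)[1]} "
                            f"added to {change.obj}")
    return msgs


def all_alerts(snapshots):
    """Every alert that the recorded history would have raised."""
    objs = {o for snap in snapshots.values() for o in snap}
    return [m for o in sorted(objs) for c in history(snapshots, o) for m in alerts(c)]


def rollback(snapshots, obj, baseline_date, current):
    """Entries to remove and to re-add so `current` matches the baseline snapshot."""
    baseline = snapshots[baseline_date].get(obj, set())
    return current - baseline, baseline - current


if __name__ == "__main__":
    for change in history(SNAPSHOTS, EXPENSES):
        print(change)
    for msg in all_alerts(SNAPSHOTS):
        print("ALERT", msg)
    print("rollback Users container:",
          rollback(SNAPSHOTS, USERS_CN, "2017-09-01", SNAPSHOTS["2017-09-20"][USERS_CN]))
```

Two points worth noticing when running it: the expenses folder shows two changes (the Modify grant to Domain Users appearing and later disappearing) but raises no alert because nobody put it on a watch list, which is exactly the gap real-time alerting is meant to close; and the rollback of the Users container to the 1 September baseline amounts to removing the single `WriteDacl` ACE that was added in between.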

In summary

We’re not suggesting for one minute that deploying LepideAuditor will by itself protect you from over-privileged users. However, we can definitely help you mitigate such risks by offering a simple, proactive means of getting the insight you need to implement the Principle of Least Privilege in your organisation.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.