Most of today’s malware could be stopped by following basic security best practices. But despite this, organizations either choose convenience over security or don’t enforce their own security policies.
In a least privilege environment, users only have the rights required to carry out their job responsibilities. That’s a bit of an unhelpful definition because you could argue that many users need administrative privileges to fulfil their duties as a lot of Windows software, and some OS features, require users to have admin access. IT staff are also often granted domain admin rights because it is the easiest way to expedite access to systems.
On end-user devices, all administrative rights need to be removed from users. But standard user accounts still don’t go far enough. To achieve true least privilege in Windows you also need to enable application control so that executables, scripts, and Windows installer files can’t be run if they’re not trusted. This applies to both end-user computing and servers.
Without admin rights and with application control policies enforced, Windows PCs aren’t that different from iOS on an iPhone or Chrome OS. These platforms have proven immune to remote attacks because there’s no admin access and software must be installed from a curated app store. And that’s part of what makes them popular. Chromebooks are successful in education because they are cheap, simple to manage, and secure. And some small businesses use them for the same reasons.
But Windows is not Chrome OS and users expect more flexibility. Servers are more carefully controlled and should often be used interactively. But organizations must either accept the lack of flexibility in favor of security or find ways to manage secured devices.
User Account Control (UAC) helps to reduce the privileges users have for most of the time. But UAC Protected Administrators are a consumer solution. They provide a safety mechanism that can be overridden by users and are not a security boundary or control.
Addressing the challenges
There are both technical and political challenges in least privilege security. Justifying a least privilege implementation project is the first hurdle. On the server it should be an easy decision. And if your organization is subject to regulation, then you must remove admin rights to comply. Adhering to industry standards like ISO 27001 Information Security Management System (ISMS) can improve operations and provide customers with confidence that you are protecting their data.
Organizations that use System Center Configuration Manager (SCCM) already have a mechanism for distributing software and updates. But SMEs often rely on users manually updating line-of-business software. Notebook users are another challenge, as it might be that they need to install software or devices that require admin access. Distributing apps using Windows Store for Business is an option for organizations that don’t want to invest in an on-premise solution.
Enforcing least privilege needs an iron will. So, it’s important to get buy-in from the people at the top. If you decide that users or IT staff need the flexibility to have admin access but still want the protection provided by least privilege, then a third-party Privilege Access Management (PAM) product can help. Organizations can deploy PAM policies to control which processes and applications run with admin privileges, without granting user accounts admin rights. And challenge/response codes permit users to request admin privileges for processes and IT grants access on-the-fly, even if the device isn’t connected to the intranet.
Legacy business applications that can’t be updated for a least privilege environment can be run using PAM. Or application compatibility shims can be created with Microsoft’s Application Compatibility Toolkit to fix issues with legacy apps and standard user accounts. Virtualization and Remote Desktop Services (RDS) servers are also viable solutions.
On the server
PAM is a good option for existing server deployments that cannot be readily changed. Domain controllers (DCs) are particularly sensitive and domain admin accounts should only be used to administer DCs. To avoid giving IT staff domain admin access you should delegate permissions in Active Directory (AD) so that regular administrative tasks can be undertaken without privileged access to the directory. Use the Remote Server Administration Tools (RSAT) so that staff don’t need to log in to DCs. RSAT can manage other server roles, such as DNS and DHCP.
PowerShell is the best option for secure remote management. Constrained endpoints can be set up so that users have access just to the cmdlets and parameters required. Endpoints can also perform actions using a designated admin account instead of the user’s own credentials. Users don’t need to know the account’s password. Windows Server 2016 includes PowerShell Just-In-Time (JIT) administration which grants users elevated privileges for a restricted period.
Manage expectations and audit changes
Least privilege security is easy to achieve from a technical perspective. But it’s much harder to enforce. Issues like privilege creep, where admin privileges are granted but never revoked, can lead to least privilege in your organization unravelling. Auditing permissions is important in enforcing least privilege and LepideAuditor can report changes to permissions that might indicate least privilege policies were breached.
Managing expectations can also go a long way to getting user acceptance of least privilege. Chromebook users don’t expect to be able to install any piece of hardware because it is technically not possible. But Windows users historically had full control of a complex OS. IT staff don’t always have the skills to manage systems using PowerShell or know that it is possible to delegate access in AD. Changing expectations and improving knowledge can help you secure your organization.