Identify Privileged Users
Before you can prevent privilege abuse, you need to first ensure that you are able to identify who your privileged users are. They can be users with administrative rights provided through membership of a group or an organizational unit. Some are privileged users just because they have been delegated the rights to change passwords of other users or to unlock their accounts. Users with access to third-party Active Directory or system management solutions are also privileged users, and it is advised to limit access to any such solution. A privileged user, or anyone using privileged credentials, can damage the organization by misusing sensitive data. Ensure you manually check and prepare a list of all privileged users in your organization. LepideAuditor can help you do this by displaying the list of members of Administrators groups and the list of all users with administrative privileges on any particular date.
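The three sources of privilege described above (group membership, delegated rights such as password reset, and accounts that carry the protected-group flag) can be enumerated with the RSAT ActiveDirectory module. The following is an added example, not code from the article or from Lepide; it assumes the built-in group names listed in it, read access to the domain, and that the well-known "Reset Password" rights GUID is the one to look for on OU ACLs.

```powershell
# Added example (not from the original article or Lepide): enumerate privileged
# accounts in a domain. Assumes the ActiveDirectory RSAT module and read access to
# the domain. The group list holds the built-in privileged groups; add your own.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'DnsAdmins'
)

# 1. Direct and nested membership of the well-known privileged groups.
$members = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; Source = "Group: $g" } }
    } catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
}

# 2. Accounts flagged by AdminSDHolder (adminCount=1). This also catches accounts
#    that were removed from a protected group but never had the flag cleared.
$adminCount = Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; Source = 'adminCount=1' } }

# 3. Delegated rights: any Allow ACE on an OU granting the "Reset Password" extended
#    right (rightsGuid 00299570-246d-11d0-a768-00aa006e0529) or GenericAll.
#    Identities returned here may be groups; expand them with Get-ADGroupMember.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$delegated = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isReset = (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
                   ($ace.ObjectType -eq $resetPasswordGuid)
        $isAll   = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        if ($isReset -or $isAll) {
            [pscustomobject]@{
                User   = $ace.IdentityReference.Value
                Source = "Delegation on $($ou.DistinguishedName)"
            }
        }
    }
}

# Consolidated list: one row per identity with every reason it was flagged.
$report = @($members) + @($adminCount) + @($delegated) |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{
            User    = $_.Name
            Reasons = ($_.Group.Source | Sort-Object -Unique) -join '; '
        }
    } |
    Sort-Object User

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\privileged-users-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running this on a schedule and keeping the dated CSV gives you the "who was privileged on a given date" view the article refers to. The delegation pass only looks at OUs; containers and individual user objects can carry the same ACEs, so widen the search if delegation is done at those levels in your domain.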
Track Permission Changes Continuously
Ensure you have a way of tracking all user permission changes and all permissions applied to files and folders. Any critical change, such as assigning "Full Control" permissions on a shared folder to a normal user or assigning administrative privileges to a temporary account, should be brought to your attention. LepideAuditor enables you to audit permissions of all server components, compare permissions of an object between two points in time, audit permissions to an object on a specific date and analyze historical permissions of Active Directory, Exchange Server and File Server. It can also generate current permission reports to show the currently effective permissions of shared folders. This continuous visibility enables you to take corrective action to stop privilege abuse when it arises.
Privileged User Monitoring
Manually tracking the activity of your users is no easy task; it often requires browsing through Event Viewer, Exchange Server, SharePoint, SQL and the SACLs of files and folders. The manual nature of this work increases the time it takes to identify privilege abuse. LepideAuditor includes over 270 predefined reports and real-time alerting capabilities to help keep track of all user activities in the organization. These reports provide a clear picture of configuration changes, accesses to critical data and any malicious operations taking place (such as deletion) and can be sorted per user. These alerts and reports should help you mitigate the risks of privilege abuse.
Respond to Privilege Abuse
One of the most important requirements is the ability to roll back unwanted changes. If an auditing solution detects unwanted changes that have been made in Active Directory or Group Policy Objects, then it should allow you to easily roll back those changes immediately. LepideAuditor enables you to quickly restore Active Directory objects and Group Policy Objects to their original states.
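Rolling back an unwanted change in Active Directory or Group Policy is possible with built-in tooling as long as two things are in place beforehand: the AD Recycle Bin is enabled, and GPOs are backed up regularly. The script below is an added example, not the article's or Lepide's code; it assumes both prerequisites, the ActiveDirectory and GroupPolicy modules, and the object name, GPO name and backup folder shown as placeholders.

```powershell
# Added example (not from the original article or Lepide): roll back a deletion in
# Active Directory and restore a Group Policy Object from backup. Requires the AD
# Recycle Bin feature to be enabled, the ActiveDirectory and GroupPolicy modules,
# and a GPO backup folder. Object names and paths below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. List objects deleted in the last 24 hours from the Deleted Objects container.
$cutoff = (Get-Date).AddDays(-1)
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
    Where-Object whenChanged -gt $cutoff

$deleted |
    Select-Object 'msDS-LastKnownRDN', objectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 2. Restore a specific object by its last known RDN. Restore parent OUs before
#    their children; Restore-ADObject fails when lastKnownParent no longer exists.
$toRestore = $deleted | Where-Object 'msDS-LastKnownRDN' -eq 'jsmith'   # assumed account name
foreach ($obj in $toRestore) {
    # -WhatIf shows what would happen; remove it once the list has been reviewed.
    Restore-ADObject -Identity $obj.ObjectGUID -WhatIf
}

# 3. A scheduled GPO backup is what makes policy rollback possible. Take one now...
$backupPath = 'C:\GPOBackups'   # assumed location
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Backup-GPO -All -Path $backupPath -Comment "Scheduled backup $(Get-Date -Format s)" | Out-Null

# ...and restore a single GPO from the latest backup in that folder when an unwanted
# edit is found. The GPO name is an assumption; -WhatIf is removed to actually restore.
Restore-GPO -Name 'Default Domain Policy' -Path $backupPath -WhatIf
```

Restoring from the Recycle Bin brings back the object with its attributes and group memberships intact, which is what distinguishes it from recreating the account by hand. Attribute-level rollback of a modified (rather than deleted) object is not covered by these cmdlets; that is where a change history with "before" values, whether from an auditing product or from your own snapshots, is needed.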
Avoid Noise in Event Logs
Event Viewer tends to be cluttered with an overwhelming number of log entries. Multiple logs are generated for a single configuration change. If you are tracking the activities of a privileged user, wading through the noise consumes time that you could have spent on detecting a potential threat. LepideAuditor shows just one event for one change with the answers to the "who, what, when, and where" questions of auditing. You can also filter, sort, search and group all events from any report to get as much information as possible out of them.
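The two previous sections, monitoring privileged activity and cutting the noise of duplicate events, can be demonstrated with one script. This is an added example, not code from the article or from Lepide: it reads the Security log of a domain controller for the account-management and object-change event IDs listed in it, flattens each event into who/what/when/where, and collapses the repeated entries Windows writes for a single change. It assumes that the relevant audit subcategories (Account Management, DS Access, Object Access) are enabled, that the caller can read the Security log remotely, and the DC name and account name shown as placeholders.

```powershell
# Added example (not from the original article or Lepide): pull privileged-activity
# events from a domain controller's Security log, normalise them to one
# "who / what / when / where" row, and de-duplicate the entries written for one change.
# Requires the Account Management, DS Access and Object Access audit subcategories to
# be enabled and read access to the Security log. DC and account names are assumed.
$dc    = 'DC01'                        # assumed domain controller
$since = (Get-Date).AddHours(-24)

# Event IDs for the changes a privileged user is most likely to make.
$what = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    5136 = 'Directory object modified'
    4670 = 'Permissions on object changed'
}

$events = Get-WinEvent -ComputerName $dc `
    -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$what.Keys; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Flatten each event's EventData into a hashtable and pick the who/what/target fields.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $target = if ($data.TargetUserName) { $data.TargetUserName }
              elseif ($data.ObjectDN)    { $data.ObjectDN }
              else                       { $data.ObjectName }
    [pscustomobject]@{
        When   = $e.TimeCreated
        Who    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        What   = $what[$e.Id]
        Target = $target
        Where  = $e.MachineName
        Id     = $e.Id
    }
}

# Noise reduction: Windows often writes several events for one logical change
# (for example 4670 or 5136 repeated within the same second for one ACL edit).
# Keep the first row per (Who, What, Target, second).
$deduped = $rows |
    Group-Object { "$($_.Who)|$($_.What)|$($_.Target)|$($_.When.ToString('yyyyMMddHHmmss'))" } |
    ForEach-Object { $_.Group | Select-Object -First 1 } |
    Sort-Object When -Descending

$deduped | Format-Table When, Who, What, Target, Where -AutoSize

# Per-user view: everything one privileged account did in the window.
$deduped | Where-Object Who -like '*\jsmith' | Format-Table -AutoSize   # assumed account name
```

Object-level events (4670, 5136) only appear if a SACL or the directory-service auditing policy requests them, so an empty result for those IDs is a configuration gap rather than proof that nothing happened. Collapsing by second is a coarse heuristic; a stricter version keys on the event's correlation ActivityId where the source populates it.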
Search and Clean Old, Unused Accounts
Old, unused user and computer accounts are both potential vehicles for privilege abuse. After evaluating permission assignments, it is important that you identify any such accounts as potential security vulnerabilities in your infrastructure. LepideAuditor can be used to find old user and computer accounts and apply automated actions to clean them up. This keeps your infrastructure up to date and mitigates the risk of such accounts being used for privilege abuse.
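Finding and quarantining stale accounts is a short job with the ActiveDirectory module. The script below is an added example, not the article's or Lepide's code; it assumes a 90-day inactivity threshold, a quarantine OU at the placeholder path shown, and that stale accounts which still carry adminCount=1 should be surfaced first.

```powershell
# Added example (not from the original article or Lepide): find user and computer
# accounts with no logon in the last N days, report them with privileged ones first,
# and quarantine them (disable, annotate, move) after review. Requires the
# ActiveDirectory module; the threshold and quarantine OU are assumptions.
Import-Module ActiveDirectory

$inactiveDays = 90
$quarantineOu = 'OU=Quarantine,DC=contoso,DC=com'   # assumed OU
$span = New-TimeSpan -Days $inactiveDays

# Search-ADAccount uses lastLogonTimestamp, which replicates with up to ~14 days of
# lag, so treat the threshold as approximate and keep it well above 14 days.
$staleUsers     = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly     | Where-Object Enabled -eq $true
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly | Where-Object Enabled -eq $true

# A stale account that is still privileged is the riskiest kind; flag adminCount=1.
$report = foreach ($a in @($staleUsers) + @($staleComputers)) {
    $adminCount = (Get-ADObject -Identity $a.DistinguishedName -Properties adminCount).adminCount
    [pscustomobject]@{
        Account    = $a.SamAccountName
        Class      = $a.ObjectClass
        LastLogon  = $a.LastLogonDate
        Privileged = ($adminCount -eq 1)
        DN         = $a.DistinguishedName
    }
}

$report | Sort-Object -Property Privileged -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Automated cleanup once the report has been reviewed: disable, record why, and move
# the object out of its OU so delegated admins there lose sight of it.
# -WhatIf previews each action; remove it to apply.
foreach ($r in $report) {
    Disable-ADAccount -Identity $r.DN -WhatIf
    Set-ADObject -Identity $r.DN -Replace @{
        description = "Disabled $(Get-Date -Format d): inactive more than $inactiveDays days"
    } -WhatIf
    Move-ADObject -Identity $r.DN -TargetPath $quarantineOu -WhatIf
}
```

Disabling rather than deleting keeps the SID and group memberships recoverable if the owner turns up, and the description stamp makes a later deletion pass (for example, anything disabled for more than another 90 days) easy to script. Service accounts that legitimately never log on interactively will appear in this list; exclude them by OU or naming convention rather than raising the threshold for everyone.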
Ensure Least Privilege
The principle of least privilege (POLP), or the least privilege policy, ensures that users have only the level of privilege they need to do their job, and nothing more. Enterprises enforcing the POLP reduce the risk of privilege abuse simply because they ensure that there aren't an excessive or unnecessary number of users with privileged access. Job functions, and the tasks requiring new levels of privilege, can change at any time, and employees may no longer require the level of privileged access that they once did. LepideAuditor's permission comparison reports highlight changes in the permissions of a given employee to help you enforce a principle of least privilege.
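The permission comparison described here, and the tracking of permission changes on files and folders in the "Track Permission Changes Continuously" section above, come down to the same mechanism: take a dated snapshot of each object's ACL, diff it against the previous snapshot, and flag the differences, optionally filtered to one identity. The following is an added example, not code from the article or from Lepide; the share paths, snapshot folder, trusted-identity list and the employee account are assumptions.

```powershell
# Added example (not from the original article or Lepide): snapshot the ACLs of
# shared folders, compare with the previous snapshot, flag risky grants such as
# FullControl to an identity outside the trusted list, and show the changes that
# affect one employee. Paths, trusted identities and the account name are assumed.
$paths             = @('\\fileserver\finance', '\\fileserver\hr')   # assumed shares
$snapshotDir       = 'C:\AclSnapshots'                               # assumed folder
$trustedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins')
$employee          = 'CONTOSO\jsmith'                               # assumed account

function Get-AclSnapshot {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            # Everything is stored as text so that a CSV round-trip compares cleanly.
            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited.ToString()
            }
        }
    }
}

$today = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null
$current = Get-AclSnapshot -Paths $paths
$current | Export-Csv -Path (Join-Path $snapshotDir "acl-$today.csv") -NoTypeInformation

# Most recent earlier snapshot to compare against.
$previousFile = Get-ChildItem -Path $snapshotDir -Filter 'acl-*.csv' |
    Where-Object Name -ne "acl-$today.csv" |
    Sort-Object Name -Descending | Select-Object -First 1

if (-not $previousFile) {
    Write-Host "First snapshot taken; run again later to see changes."
    return
}

$previous = @(Import-Csv -Path $previousFile.FullName)
$diff = Compare-Object -ReferenceObject $previous -DifferenceObject @($current) `
    -Property Path, Identity, Rights, Type, Inherited -PassThru

$changes = foreach ($d in $diff) {
    $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
    # A new Allow ACE granting FullControl to an untrusted identity is the pattern
    # the article singles out; everything else is informational.
    $risk = if ($change -eq 'ADDED' -and $d.Type -eq 'Allow' -and
                $d.Rights -match 'FullControl' -and $d.Identity -notin $trustedIdentities) { 'HIGH' } else { 'info' }
    [pscustomobject]@{
        Change = $change; Risk = $risk; Path = $d.Path
        Identity = $d.Identity; Rights = $d.Rights; Since = $previousFile.Name
    }
}

"All permission changes since $($previousFile.Name):"
$changes | Sort-Object Risk | Format-Table -AutoSize

# Least-privilege view: only the changes that affect one employee.
"Changes affecting $employee :"
$changes | Where-Object Identity -eq $employee | Format-Table -AutoSize
```

The comparison is on explicit and inherited ACEs as they appear on each folder; it does not expand group membership, so a user who gained access by being added to a group shows up in a group-membership diff (like the privileged-user report earlier on this page) rather than here. Keeping every dated CSV also gives you the "permissions of an object on a specific date" lookup by simply importing the file for that day.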