Security basics, part 2 – Who?

Overview

Let’s continue on the basics and scratch the surface a bit harder this time :). The post gets a bit more technical and has some acronyms in it, but it is still very much on a high level.

Applying these measures requires a better understanding of who, where, when and how.

Topics

Why – Why is someone trying to access the environment?

Who – Who should be able to access the environment? Can we authenticate the users or identify them in another way?

Where – Where are the users connecting from? From the office network? Some specific country/countries/region? Can we either whitelist or blacklist the locations?

When – Is the environment accessed around the clock? Can we recognize peak usage times?

How – What kind of device are they using, and what options do we have for locating and authenticating the user?

Breakdown

There are a lot of ways to allow or restrict user access, but assessing and recognizing the required and allowed access is the key. Least privilege should apply not only to permissions on the resource but also “connection-wise”: where and how the user is allowed to connect from.

Who?

Of user accounts

First of all: everybody’s been ranting about strong authentication for ages already, but we’re still seeing environments that you’re able to access with just a user name and password. And that’s not all; some environments have shared user accounts for their users. The problems with these are quite obvious and have been discussed over and over again, so just make sure that:

  • All the users have unique / personal accounts
  • Users are authenticated with multi-factor

The other thing we’ve been seeing and fixing a lot is the user privilege level. It’s not rare to be able to log in to an environment with an admin-level user (sometimes without MFA, with a shared account!). This is also an obvious problem security-wise and a really important angle to consider when securing the environment.

  • Make sure that users log in to their workstations and internet-facing access points with just a basic-level user account
  • Don’t allow (higher level) admin accounts to log in to workstations (interactive logon) or internet-facing access points

With many customers the divide between basic user accounts and admin accounts isn’t enough, so they have introduced a “third tier”. Microsoft has a bunch of great articles discussing the 3-tier security model and/or privileged access.

User tier / Privilege / Info

Tier 2 – basic user
  • Privilege: basic user level permissions for “normal office use”
  • Info: This is the user account that is used to log in to workstations and to access the environment externally (incl. VPN). Strong authentication is always required, at least when logging in from outside the corporate network.

Tier 1 – remote management (optional)
  • Privilege: able to log in to places where one is able to manage resources
  • Info: This user account is able to log in to management portals, from which one can log in either to management consoles or to the destination resources using their system admin account. Especially in environments where the system admin level accounts are non-person user accounts, it’s really good to have this extra layer for connecting to these systems. Strong authentication should be considered for the management connections.

Tier 0 – “system admin”
  • Privilege: highest user privilege to the system / data
  • Info: These users are domain, database, web server, etc. administrators. The last line of defence. Avoid interactive logons to workstations and servers with these accounts. Often it’s not possible to implement strong authentication on this level.
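As an added example (not code from the post), the tier rules above turned into a small audit over constructed logon records: admin-tier accounts must not log on to internet-facing access points or interactively to workstations (tier 0 not to servers either), shared accounts are flagged, and any logon from outside the corporate range without MFA is flagged. The record layout, account-to-tier mapping and the corporate address range are assumptions made for this example.

```python
# Added example (not from the post): check constructed logon records against the
# 3-tier rules above. Tier names, field layout and the corporate range are assumed.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

CORPORATE_NET = ip_network("10.0.0.0/8")  # assumed corporate address range
TIER = {"jdoe": 2, "jdoe-t1": 1, "da-jdoe": 0, "helpdesk": 2}  # constructed
SHARED_ACCOUNTS = {"helpdesk"}  # constructed non-personal account

class Logon(NamedTuple):
    user: str
    host_role: str   # "workstation" | "server" | "access_point"
    logon_type: str  # "interactive" | "remote"
    src_ip: str
    mfa: bool

def findings_for(ev: Logon) -> list[str]:
    """Return the tier-policy violations for one logon (empty list if clean)."""
    tier = TIER[ev.user]  # unknown account raises KeyError: every account needs a tier
    out = []
    if ev.user in SHARED_ACCOUNTS:
        out.append("shared account in use")
    if tier <= 1 and ev.host_role == "access_point":
        out.append("admin-tier logon to internet-facing access point")
    # Tier 0/1: no interactive logon to workstations; tier 0: none to servers either
    risky_host = ev.host_role == "workstation" or (tier == 0 and ev.host_role == "server")
    if tier <= 1 and ev.logon_type == "interactive" and risky_host:
        out.append("admin-tier interactive logon")
    if ip_address(ev.src_ip) not in CORPORATE_NET and not ev.mfa:
        out.append("external logon without MFA")
    return out

def parse_line(line: str) -> Logon:
    # constructed format: user,host_role,logon_type,src_ip,mfa(0/1)
    user, role, ltype, ip, mfa = line.strip().split(",")
    return Logon(user, role, ltype, ip, mfa == "1")

def audit(log: str) -> dict[int, list[str]]:
    """Map line number -> findings for every record that breaks a rule."""
    report = {}
    for n, line in enumerate(log.splitlines(), 1):
        if f := findings_for(parse_line(line)):
            report[n] = f
    return report

SAMPLE_LOG = """jdoe,workstation,interactive,10.1.2.3,0
da-jdoe,workstation,interactive,10.1.2.3,0
jdoe-t1,access_point,remote,203.0.113.5,1
jdoe,access_point,remote,203.0.113.5,0
helpdesk,server,remote,10.4.4.4,0"""  # constructed sample records
```

Running `audit(SAMPLE_LOG)` flags records 2 to 5 and leaves the basic user's internal workstation logon (record 1) clean.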

Other points of notice

Audit trail – Private companies and the public sector have different logging requirements depending on what business they’re dealing with. You should make sure that at least the minimum required data about user activities is recorded and that you’re able to work out what a user has been up to. Also make sure the data is stored long enough, that it can be accessed only by the responsible people, and that access and visibility to the data is regularly verified.

Human error – No matter what technical measures you implement in your environment, we’re all human. Make sure your staff gets at least basic security training when they start and throughout their employment. Even the finest authentication setups are good for nothing (EvilProxy, anyone?) if the user follows a phishing link and punches in their credentials.

Non-human users – There’s a lot going on within artificial intelligence (AI), machine learning (ML) and robotic process automation (RPA). You might have legitimate “users” from these categories, but unfortunately there are a lot of cyber criminals (and the number is definitely on the rise) that use AI/ML/bots for their benefit. Having some way to identify non-human users, and whether they’re good or bad, is something to pay attention to.

PAM – Privileged Access Management. Being able to manage business-critical systems should require, at a minimum, a combination of authentication, network access and possibly other parameters. There are many ways to achieve this, but even if we don’t have a complete solution, a partial one helps in securing the IT environment.

PIM – Privileged Identity Management (a subset of PAM). More advanced and modern environments are capable of privileged identity management, where you can activate the necessary privilege for a limited time and log the actions performed during privileged use. This greatly reduces the number of user accounts an administrator needs.

SIEM – Security Information and Event Management. The system your Security Operations Center (SOC) uses to monitor the security of your environment.

What should I do?

Assess your current status

  1. Do all your users have unique accounts?
  2. Are your users strongly authenticated?
  3. Do you have separate user accounts for basic access and administering? Have you considered PIM?
  4. What kind of privileges do different users have? Are you able to administer things with your normal user account? Can you log in to your internet-facing access points with an admin account?
  5. Are you able to easily check the logs from user perspective and have a full audit trail, especially when doing administrative activities on your environment?
  6. Are you able to detect suspicious activity and flag users that might be doing something wrong or whose identity has been stolen? If so, do you have the processes in place to block these user accounts and prevent any further damage?

Have you noticed any other things that you’re worried about?

Let us help

Comping has worked on enabling access to a wide variety of different environments. We know what you should take into account, whether you’re assessing your current status, designing a new environment, improving your existing one, or deploying new environments or security measures.

Just reach out (kari.ruissalo@comping.fi) if you have any questions or comments!

Related articles

Microsoft “Privileged access security levels” https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-security-levels