Protecting elevated authentication credentials is one of the best defense-in-depth strategies any company can deploy.
In today’s pass-the-hash, pass-the-Kerberos-token, steal-any-credentials world, preventing credentials from falling into the wrong hands can be the entire battle. Identity is security. If an identity and its authentication credentials get into the wrong hands, often enough, it’s game over.
For decades we’ve told people not to stay logged in as admin or root all the time. Alternatively, they should have two accounts: one for regular user duties (email, browsing the Web, and so on) and another elevated one for administrative duties.
That’s the old way of thinking. Today’s advice includes using just-in-time credentials, two-factor authentication, and least-privilege delegation.
Minimize permanent membership
Start by minimizing the number of permanent members of any elevated group as much as possible. The Holy Grail is zero members of any elevated group. If you can’t get to zero, get to near zero. Your processes, tools, services, and applications should be able to work in a world where no one needs to be an elevated admin all the time. This is the 21st century, after all.
Use two-factor authentication
Many companies have been compromised because their users and admins either had their credentials phished away or they reused a password on both corporate and unrelated, third-party sites and services. The bad guys break into the third-party site, then see if they can reuse stolen credentials on the corporate network.
That’s why anyone who can be elevated to do something administratively should be required to use two-factor authentication (or better) to log on. Two-factor authentication doesn’t provide as much protection as most people think (for example, pass-the-credential attacks are still viable), but it helps, mainly because admins can’t be phished out of a plaintext password or PIN anymore.
Delegate, delegate, delegate
Even in a Holy Grail environment of zero permanent admins, admins are needed -- or more precisely, people who need to perform administrative-level tasks are needed. But we need to make sure most of those administrative tasks are performed by people who are less than full admins.
Most administrators do not need everything a full admin credential gives them. Some tasks absolutely require full admin privileges, but those scenarios are not typical. In the majority of cases, an elevated credential can be a “delegated” permission or privilege, while still remaining least privilege -- only the bare essential access to do the job. Even then, it should be accorded only while needed.
Implement just-in-time credentials
I’m a huge fan of systems that give users elevated privileges and permissions only for as long as they need them to perform their admin duty -- after which they’re taken away. These are known as just-in-time systems.
A decade or so ago the idea of delegated, just-in-time access was promoted as the best access control model in what is known as role-based access control. I’ve been a believer in it ever since. The idea was that the application developers are the only ones who really know which rights and permissions are needed to perform a particular application task.
Developers figure out what’s needed and hard-code those various permissions and privileges to particular tasks, which are then collected into particular application roles. Users and application administrators place application users into various application roles; those users are then allowed to perform these predefined tasks while in the application and only while in the application.
To assign permissions and privileges any other way is really a bit insane. How did our computer networks evolve so that network administrators are the ones who guess at and assign permissions? They aren’t the application owners -- and are almost never the masters of every application -- yet they’re expected to outthink application developers about who needs which rights and permissions.
I’m fairly confident that role-based access control will be the ultimate and only access control model we all use. But we’re stuck in another critical transition between what we have and what we will eventually have. Until then, just-in-time, two-factor, least-privilege delegation is the way to go. I don’t care how you get there. It can be a program that does all the behind-the-scenes work for you, or you can do it manually or using scripts. How you get there is not as important as getting there.
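To make the just-in-time, role-based model concrete, here is an added example (not code from the original column or any product) of a minimal elevation broker: developers define which permissions each role carries, users receive a role only for a time-boxed window, and an audit call reports anyone holding an elevated role permanently, which the column argues should be an empty list. Role names, permissions and the clock value are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role catalogue: the application's developers, not network admins,
# decide which permissions a task needs and group those tasks into roles.
ROLES = {
    "backup-operator": {"db:read", "storage:write"},
    "user-admin": {"directory:read", "directory:reset-password"},
    "full-admin": {"*"},
}

# Constructed "current time" so the example is deterministic.
UTC_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

@dataclass
class Grant:
    role: str
    expires: Optional[datetime]  # None means permanent membership (the thing to avoid)

@dataclass
class JitBroker:
    grants: dict = field(default_factory=dict)  # user -> list[Grant]

    def elevate(self, user, role, minutes, now=UTC_NOW):
        """Time-boxed, least-privilege elevation: one role, never permanent."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role}")
        self.grants.setdefault(user, []).append(Grant(role, now + timedelta(minutes=minutes)))

    def permissions(self, user, now=UTC_NOW):
        """Effective permissions at `now`; expired grants confer nothing."""
        perms = set()
        for g in self.grants.get(user, []):
            if g.expires is None or g.expires > now:
                perms |= ROLES[g.role]
        return perms

    def can(self, user, perm, now=UTC_NOW):
        p = self.permissions(user, now)
        return "*" in p or perm in p

    def permanent_members(self):
        """Audit: users holding any role with no expiry. The goal is an empty list."""
        return sorted(u for u, gs in self.grants.items() if any(g.expires is None for g in gs))

def demo():
    """Walk through one grant: usable inside the window, gone after it."""
    broker = JitBroker()
    broker.elevate("alice", "backup-operator", minutes=30)
    later = UTC_NOW + timedelta(minutes=31)
    return {
        "during": broker.can("alice", "db:read"),
        "outside_role": broker.can("alice", "directory:reset-password"),
        "after_expiry": broker.can("alice", "db:read", now=later),
        "permanent": broker.permanent_members(),
    }
```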
Require armor-plated boxes
A recent addition to the just-in-time model is the new requirement that all administrative credentials are entered, and all administrative tasks performed, only on very secure computers. No more logging on as admin to your regular computer, which could be already compromised by malware or a hacker. Nope, admins should be restricted to using only dedicated computers (physical computers are better than virtual machines). The systems they connect with should accept admin connections from only these secure computers.
Secured computers should not have an Internet browser or be allowed to initiate or accept connections from the Internet (or only allowed to accept connections from a small set of predefined sites). Application control software should restrict which programs the admin can run -- and only a small set of software programs should be on that list.
What secure administration really means
Administrators should use the most secure admin methods possible. Logging on to other computers in a way that leaves credentials hanging around for the hacker to steal should be forbidden or minimized. If possible, admins should use remote methods that do not send stealable credentials at all. Get your admins out of the habit of using GUIs that require full local or remote logons.
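As an added example illustrating the two preceding sections (dedicated admin workstations, and logon methods that leave credentials behind), this script is not from the original column: it runs a simple detection over constructed logon events and flags privileged accounts that log on from anything other than an approved admin workstation, or that use a Windows logon type which leaves reusable credentials (or sends plaintext) on the target. The host names, account names, event format and the set of approved workstations are all assumptions.

```python
import re

# Constructed sample events (not real logs), simplified to:
# time account source_host target_host logon_type
SAMPLE_EVENTS = """\
2024-01-01T09:00:01 ALICE-ADM PAW-01 DC01 3
2024-01-01T09:05:12 ALICE-ADM WS-ALICE DC01 10
2024-01-01T09:07:30 bob WS-BOB FILESRV 3
2024-01-01T09:09:45 BOB-ADM PAW-02 FILESRV 2
2024-01-01T09:11:02 BOB-ADM PAW-02 APP01 3
"""

ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}       # assumed dedicated admin hosts
PRIVILEGED_ACCOUNTS = {"ALICE-ADM", "BOB-ADM"}  # assumed elevated accounts

# Windows logon types that cache reusable credentials on the target (interactive 2,
# batch 4, service 5, remote interactive 10, cached interactive 11) or send a
# plaintext password (network cleartext 8). A plain network logon (3) does not.
CREDENTIAL_EXPOSING_TYPES = {2, 4, 5, 8, 10, 11}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_events(text):
    """Parse the constructed event lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, account, src, dst, ltype = m.groups()
            events.append({"time": t, "account": account, "source": src,
                           "target": dst, "type": int(ltype)})
    return events

def audit(events):
    """Return (time, account, reason) for every privileged logon that breaks a rule."""
    findings = []
    for e in events:
        if e["account"] not in PRIVILEGED_ACCOUNTS:
            continue  # regular user activity is out of scope for these two rules
        if e["source"] not in ADMIN_WORKSTATIONS:
            findings.append((e["time"], e["account"],
                             f"privileged logon from non-admin workstation {e['source']}"))
        if e["type"] in CREDENTIAL_EXPOSING_TYPES:
            findings.append((e["time"], e["account"],
                             f"logon type {e['type']} leaves reusable credentials on {e['target']}"))
    return findings

if __name__ == "__main__":
    for f in audit(parse_events(SAMPLE_EVENTS)):
        print(*f)
```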
I’m not unique in offering this advice. This, and more, is recommended by many organizations. Heck, some companies have been running this way for decades.
My only somewhat new suggestion: The secure admins you confine to secure admin workstations should also include all your application admins. Data theft doesn’t require a hacker to steal operating system admin credentials. Often, all that’s needed is the access of a regular user. I’ve seen some applications with dozens to hundreds of all-powerful admins. Do they need that power? Are they properly protected? Almost never, on both counts.
Credentials are the main battlefront in our ongoing computer security war. Deploy everything you have to protect them.