One Admin Account to rule them all
Identities have become the new security boundary of the modern online world; we no longer rely on the corporate firewall to keep our businesses safe. So, as administrators, we are very quick to impress upon our users and customers the importance of taking personal responsibility for the security of their identities. We have many tools at our disposal to protect those identities from bad actors: MFA, password complexity policies, password managers, and even passwordless sign-in and biometric verification. This blog is not about protecting our users' identities, though; it sets the stage for what I want to talk about: us admins!
Yes, compromised user accounts can cause breaches and data exfiltration, and a cleverly crafted attack on a user's personal device can give a malicious actor unauthorised access to a network. But it is the admins, and how we govern the administrative account structure, that determine how quickly and easily these attacks turn into complete disaster.
As far back as I can remember in my IT career, there was always that “Lord of the Rings” style administration account: the one that ruled them all, the “god” account. This admin account was held in secrecy, known and used only by those closest to the Network Administrator.
Now, more than 30 years later, I find this practice is still common, and it has created a serious security issue. Shared admin accounts whose passwords are rarely changed are still around, and the number of people holding permissions they don't need 99% of the time, or at all, has increased. Either practice magnifies the damage a breach can cause.
How can administration accounts and access be made more secure?
The good news is that Microsoft has great documentation outlining best practices for securing an Active Directory domain. In it, Microsoft includes several articles on how to stop the built-in admin accounts from being abused and how to actively reduce Active Directory’s attack surface. I strongly recommend that anyone reading this blog read those articles.
What I don’t think gets talked about enough is the practice of creating a governance strategy for administrative boundaries in a network. In layman’s terms, this means that IT professionals should consider not just how they secure administration accounts, but which admin accounts they truly need to begin with, and how much access each account or individual user requires within their IT systems. Accounts that carry a higher risk of compromise, like “workstation administration” accounts, should be limited to exactly that. Adding protection like Microsoft LAPS to local privileged accounts also reduces the risk if a password is exposed: each machine gets its own regularly rotated local administrator password, so one exposed password cannot be reused across the fleet. This limits the onward damage that can be done if these accounts are compromised by a malicious actor.
This is not unique to a Microsoft Active Directory domain. It applies to any system, whether hosted on-prem or in the cloud, Microsoft’s or otherwise. In fact, role-based access control and just-in-time access have gone a long way to improve access and authorisation security for cloud services, but that subject could warrant an entire blog alone, so I’ll stop there.
My advice for those administrators reading this blog is to give more thought to creating administrative boundaries and how to use and manage accounts within them, for example:
- Administrators of local machines
- Administrators of users in particular OUs
- Administrators of application servers
- Administrators of the domain
An administrator should never use their domain admin (“god account”) to administer a user's machine or an application server. Why? The machine could already be compromised with a keylogger, or be compromised in the future and the credentials that an interactive logon leaves behind on it (in LSASS memory and the registry's cached logon data) dumped, then cracked or replayed. The attacker now has the keys to the kingdom, and I'll guarantee it doesn’t end well for anything or anyone reliant on the IT infrastructure. Attackers often torch networks before they leave, hoping to cover their tracks.
Check out this podcast from Darknet Diaries if you think what I am saying is too far-fetched.
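To make the boundaries above checkable rather than aspirational, here is an added PowerShell audit (example code written for this post, not from the original article or from Microsoft). It assumes an AD domain reachable from the host, RSAT's ActiveDirectory module, rights to read group membership, and rights to read the Security log of the workstation or application server you point it at; the group names, the 90-day password age threshold and the computer name `WS01` are my assumptions. It enumerates tier-0 (domain-level) accounts recursively, flags shared-style accounts with stale passwords or missing Protected Users membership, and then scans a workstation's 4624 logon events for interactive or RDP logons by any of those accounts, which is exactly the boundary violation the paragraph above warns about.

```powershell
# Added example (not from the original post): audit the admin boundaries
# described above. Assumptions: ActiveDirectory module available, read access
# to group membership, and read access to the target machine's Security log.
Import-Module ActiveDirectory

# Tier-0 groups whose members should never log on to workstations or app servers.
# (Assumed set; adjust to your domain.)
$Tier0Groups        = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$MaxPasswordAgeDays = 90   # assumed threshold for "rarely changed" passwords

function Get-Tier0Accounts {
    # -Recursive follows nested groups, so an account hidden two groups deep
    # still counts as tier-0.
    $members = foreach ($g in $Tier0Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }
    $members | Sort-Object -Unique
}

function Get-PrivilegedAccountReport {
    # Protected Users blocks NTLM, cached logons and long-lived Kerberos
    # tickets for its members; tier-0 accounts outside it are flagged.
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    foreach ($sam in Get-Tier0Accounts) {
        $u   = Get-ADUser -Identity $sam -Properties PasswordLastSet, LastLogonDate, Enabled
        $age = if ($u.PasswordLastSet) {
            (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
        } else { $null }   # never set / must change at next logon

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            Enabled          = $u.Enabled
            PasswordAgeDays  = $age
            StalePassword    = ($null -eq $age) -or ($age -gt $MaxPasswordAgeDays)
            InProtectedUsers = ($protected -contains $u.SamAccountName)
            LastLogonDate    = $u.LastLogonDate
        }
    }
}

function Find-Tier0WorkstationLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    # Run this against workstations and application servers, never against a
    # DC: an interactive (LogonType 2) or RDP (LogonType 10) logon by a tier-0
    # account on such a host is a boundary violation and leaves reusable
    # credentials behind on that host.
    $tier0  = Get-Tier0Accounts
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData name/value pairs out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

            if (($d.LogonType -in '2', '10') -and ($tier0 -contains $d.TargetUserName)) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Account   = $d.TargetUserName
                    Domain    = $d.TargetDomainName
                    LogonType = $d.LogonType
                    Computer  = $ComputerName
                }
            }
        }
}

# Usage (assumed workstation name WS01):
Get-PrivilegedAccountReport        | Format-Table -AutoSize
Find-Tier0WorkstationLogons -ComputerName 'WS01' -Days 30 | Format-Table -AutoSize
```

Every row from the second function is a tier-0 credential that has been exposed to a lower-trust machine. Treat a hit as a reason to rotate that account's password (and, for a shared "god" account, to retire it) rather than as a statistic, and run the scan from a dedicated admin workstation, since the host collecting the log is itself inside the boundary you are auditing.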
Looking at these boundaries, we can see clear administrative purposes and how separating them reduces an attacker's ability to move laterally in a network. This also extends to common hybrid environments like Microsoft Active Directory and Office 365: no single account should hold admin privileges in both systems, otherwise a compromise of the on-prem account is a compromise of the cloud tenant as well.
Yes, this type of governance creates overhead for administrators and even more complexity for Managed Service Providers. There are solutions for managing and monitoring access that grant exactly the access people need, and only for the time they need it, but sadly these tools tend to be too costly for many.
In any case, a simple governance plan for admin accounts should be part of any network design and should precede the deployment of even the first domain controller. Get that right and you could save yourself many potential headaches.