Control 8: Controlled Use of Administrative Privileges
How can this control be implemented, automated, and its effectiveness measured?
Previously, we shared how attackers exploit the lack of this control. Following is a very detailed list of processes and suggestions for monitoring and measuring this control to improve security effectiveness and efficiency. Intellitactics SIEM solutions offer many opportunities to prevent misuse of administrative privileges.
For example: List of accounts with super user privileges is an important data source for the Intellitactics SIEM. This data is regularly correlated with other data/logs to enable management of privileged users. Many of the manual tasks suggested here can be automated using the Intellitactics SIEM. By automating the tasks, they can be monitored, reported and anomalies or deviations to policy can generate alerts or notifications to users and/or their managers. Summaries become reports that can be scheduled and distributed using the SIEM.
1. Organizations should inventory all administrative passwords and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard.
2. Before deploying any new devices in a networked environment, organizations should change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value.
3. Organizations should configure all administrative-level accounts to require regular password changes on a 30-, 60-, or 90-day interval. This activity can be monitored by Intellitactics; additionally, physical security badge swipes or biometrics can be correlated with password use to determine if the owner is physically on premise for example.
4. Organizations should ensure all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis as is done for traditional user and administrator passwords.
5. Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges.
6. Organizations should ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet.
7. Through policy and user awareness, organizations should require that administrators establish unique, different passwords for their administrator accounts and their non-administrative accounts. On systems with unsalted passwords, such as Windows machines, this approach can be verified in a password audit by comparing the password hashes of each account used by a single person.
8. Organizations should configure operating systems so that passwords cannot be reused within a certain time frame, such as six months. This task can be automated using the Intellitactics SIEM solution. Users trying to reuse passwords are immediately identified and alerts or notifications can be sent to the user and their manager notifying them of the policy violation.
9. Vis/Attrib: Organizations should implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior (e.g. system reconfigurations during night shift). Enabled by Intellitactics SIEM.
10. Vis/Attrib: Organizations should configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators group. Enabled by Intellitactics SIEM.
11. Config/Hygiene: All administrative access, including domain administrative access, should utilize two-factor authentication.
12. Config/Hygiene: Remote access directly to a machine should be blocked for administrator-level accounts. Instead, administrators should be required to access a system remotely using a fully logged and non-administrative account. Then, once logged in to the machine without admin privileges, the administrator should then transition to administrative privileges using tools such as sudo on Linux/UNIX, run-as on Windows, and other similar facilities for other types of systems.
13. Config/Hygiene: Organizations should conduct targeted spear-phishing tests against both administrative personnel and non-administrative users to measure the quality of their defense against social engineering.
14. Advanced: Organizations should segregate administrator accounts based on defined roles within the organization. For example, “Workstation admin” accounts should only be allowed administrative access of workstations, laptops, etc.
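The password audit in item 7 (comparing the hashes of one person's administrative and non-administrative accounts on a system with unsalted hashes) can be scripted. This is an added example, not code from the post or from Intellitactics; the person:account:hash input format and the hash values are constructed for the demo, and the person-to-account mapping is assumed to come from your account inventory.

```shell
#!/bin/sh
# Added example (not from the original post): the item 7 password audit.
# On systems with unsalted hashes, two accounts owned by the same person
# that carry an identical hash share a password. Input lines are
# "person:account:hash"; the hash values below are made-up placeholders.

# Reads person:account:hash on stdin and prints "person account1 account2"
# for every pair of that person's accounts with an identical hash.
audit_shared_hashes() {
    awk -F: '
        NF == 3 {
            key = $1 ":" $3                 # same owner, same hash value
            if (key in first) {
                print $1, first[key], $2    # second account with this hash
            } else {
                first[key] = $2             # remember the first account seen
            }
        }'
}

# Constructed audit input: alice and carol reuse a password, bob does not
AUDIT_DATA="alice:alice:1111aaaa
alice:alice-adm:1111aaaa
bob:bob:2222bbbb
bob:bob-adm:3333cccc
carol:carol:4444dddd
carol:carol-adm:4444dddd"

printf '%s\n' "$AUDIT_DATA" | audit_shared_hashes
```

On a platform with salted hashes the same password produces different hashes for each account, so this comparison only works where the post says it does (unsalted stores such as the Windows NT hash).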
Associated NIST SP 800-53 Rev 3 Priority 1 Controls: AC-6 (2, 5), AC-17 (3), AC-19, AU-22(4)
Procedures and tools for implementing this control:
Other Guidance: Built-in operating system features can extract lists of accounts with super user privileges, both locally on individual systems and on overall domain controllers. To verify that users with high privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel could periodically gather a list of running processes in an attempt to determine whether any browsers or e-mail readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, e-mail readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.
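The process check described above, as an added example that is not part of the original post or of any Intellitactics tooling. It reads the output of `ps -eo user,pid,comm` on Linux/UNIX and flags watched programs owned by an administrative user; the program list and the admin-user list are assumptions to extend for your environment, and the ps output embedded at the end is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post): flag browsers, mail readers
# and document editors that are running under an administrative account.
# Real use on Linux/UNIX:   ps -eo user,pid,comm | flag_elevated_apps
# Both lists below are assumptions; add your own sudo-capable accounts.

WATCHED_PROGRAMS="firefox chrome chromium safari thunderbird evolution mutt libreoffice soffice"
ADMIN_USERS="root"

# Reads "user pid command" lines on stdin (ps header line optional) and
# prints "user pid command" for every watched program owned by an admin.
flag_elevated_apps() {
    awk -v progs="$WATCHED_PROGRAMS" -v admins="$ADMIN_USERS" '
        BEGIN {
            n = split(progs, p, " ");  for (i = 1; i <= n; i++) watch[p[i]] = 1
            m = split(admins, a, " "); for (i = 1; i <= m; i++) admin[a[i]] = 1
        }
        NR == 1 && $1 == "USER" { next }          # skip the ps header if present
        NF >= 3 && ($1 in admin) {
            cmd = $3; sub(/.*\//, "", cmd)        # strip any path prefix
            if (cmd in watch) print $1, $2, cmd
        }'
}

# Constructed sample of "ps -eo user,pid,comm" output for a stand-alone run
SAMPLE_PS="USER PID COMMAND
root 412 sshd
root 1093 firefox
alice 2210 firefox
root 2300 /usr/bin/thunderbird
bob 2400 vim
root 2501 soffice"

printf '%s\n' "$SAMPLE_PS" | flag_elevated_apps
```

Run it from cron and feed the hits to the SIEM; a single short-lived hit may be legitimate administration, while repeated hits for the same account are the pattern the text says to look for.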
Additionally, to prevent administrators from accessing the web using their administrator accounts, administrative accounts can be configured to use a web proxy of 127.0.0.1 in some operating systems that allow user-level configuration of web proxy settings. Furthermore, in some environments, administrator accounts do not require the ability to receive e-mail. These accounts can be created without an e-mail box on the system. To enforce the requirement for password length of 12 or more characters, built-in operating system features for minimum password length can be configured, which prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.
For more on SANS visit www.sans.org or schedule some time to talk with a Solutions Architect to learn how a SIEM solution can make a difference for your team.