Finally: Achieve True Principle of Least Privilege for Server Administration in Microsoft Environments

Similar documents
WHITE PAPER. Take Back Control of Your Active Directory Auditing

Understanding BeyondTrust Patch Management

WHITE PAPER. BeyondTrust PowerBroker : Root Access Risk Control for the Enterprise

Avoiding the Top 5 Vulnerability Management Mistakes

Three Ways to Secure Virtual Applications

Retina CS: Using Strong Certificates

WHITE PAPER. Improving Efficiency in IT Administration via Automated Policy Workflows in UNIX/Linux

BeyondInsight Version 5.6 New and Updated Features

Blackbird Management Suite Blackbird Group, Inc.

SecureIIS Web Server Protection Guarding Microsoft Web Servers

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Simplifying the Challenges of Mobile Device Security

PowerBroker for Windows

whitepaper Absolute Manage: Client Management Managing Macs in a Windows Environment

How Reflection Software Facilitates PCI DSS Compliance

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Intrusive vs. Non-Intrusive Vulnerability Scanning Technology

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

7 Tips for Achieving Active Directory Compliance. By Darren Mar-Elia

WHITE PAPER. Best Practices for Securing Remote and Mobile Devices

SWOT Assessment: BeyondTrust Privileged Identity Management Portfolio

Sygate Secure Enterprise and Alcatel

How to Achieve Operational Assurance in Your Private Cloud

Meeting the Challenges of Virtualization Security

FREQUENTLY ASKED QUESTIONS

PowerBroker for Windows Desktop and Server Use Cases February 2014

Security Considerations for DirectAccess Deployments. Whitepaper

Deploy Remote Desktop Gateway on the AWS Cloud

Server Software Installation Guide

Introduction to Endpoint Security

Load-Balanced Merak Mail Server

October Application Control: The PowerBroker for Windows Difference

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

RDP Exploitation using Cain I will demonstrate how to ARP poison a connection between a Windows 7 and Windows 2008 R2 Server using Cain.

Controlling Remote Access to IBM i

Reverse Proxy Three Myths Busted

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Windows Least Privilege Management and Beyond

Locking down a Hitachi ID Suite server

Installing and Configuring vcenter Multi-Hypervisor Manager

Enabling single sign-on for Cognos 8/10 with Active Directory

Microsoft Lync Server 2010

Web Application Security

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Mobile Admin Security

/ Preparing to Manage a VMware Environment Page 1

Protecting Your Organisation from Targeted Cyber Intrusion

Does your Citrix or Terminal Server environment have an Achilles heel?

Server Installation ZENworks Mobile Management 2.7.x August 2013

How to Audit the 5 Most Important Active Directory Changes

Exporting IBM i Data to Syslog

Configuring and Troubleshooting Internet Information Services in Windows Server 2008

OPAS Prerequisites. Prepared By: This document contains the prerequisites and requirements for setting up OPAS.

Maximize the Productivity of Your Help Desk With Proxy Networks Remote Support Software

Executive Summary P 1. ActivIdentity

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

STABLE & SECURE BANK lab writeup. Page 1 of 21

Inspection of Encrypted HTTPS Traffic

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management

Virtualization and Cloud: Orchestration, Automation, and Security Gaps

Least Privilege in the Data Center

EXECUTIVE VIEW. CA Privileged Identity Manager. KuppingerCole Report

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

How To Manage A Privileged Account Management

Getting a handle on SharePoint security complexity

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Policy Management: The Avenda Approach To An Essential Network Service

Embarcadero Performance Center 2.7 Installation Guide

BeyondTrust PowerBroker Password Safe

RSA Security Analytics

How To Protect Your Network From Attack From Outside From Inside And Outside

Role Based Access Control: Why Groups Aren t Enough

ProductScope. JAMS Scheduler. commissioned by

Windows Server on WAAS: Reduce Branch-Office Cost and Complexity with WAN Optimization and Secure, Reliable Local IT Services

Management of Hardware Passwords in Think PCs.

SECURE ACCESS TO THE VIRTUAL DATA CENTER

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Reaching the Tipping Point for Two-Factor Authentication

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

SAST, DAST and Vulnerability Assessments, = 4

Deploying F5 to Replace Microsoft TMG or ISA Server

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Deployment Guide AX Series with Active Directory Federation Services 2.0 and Office 365

Secret Server Qualys Integration Guide

XIA Configuration Server

Optimization in a Secure Windows Environment

Access Your Cisco Smart Storage Remotely Via WebDAV

Transcription:

WHITE PAPER Finally: Achieve True Principle of Least Privilege for Server Administration in Microsoft Environments by Don Jones, Senior Partner and Principal Technologist, Concentrated Technology

Table of Contents The Problem with Administrators: Too Much Privilege 3 A Solution is Right in Front of Us - Almost 3 The PowerShell Opportunity 4 A Single Security Gate 4 Other Benefits of PoLP 6 PowerShell Adoption 6 Summary 6 About Don Jones 6 About BeyondTrust 7 2 2013. BeyondTrust Software, Inc.

The Windows platform has always struggled with administration and privilege. In its early days, Windows typically filled departmental and small-business niches, where one or two human beings needed to wield essentially unlimited power over their handful of servers. As Windows grew to fill roles in larger networks, both the OS and the server products built upon it did not always evolve to include more granular permission structures for administrators. The result has been an industry that, in general, relies on fully-privileged administrator accounts to accomplish even minor administrative tasks. We know it is a poor practice, but what else can we do? Fortunately, several different events and technologies are converging to provide an exciting new opportunity. The Problem with Administrators: Too Much Privilege The traditional problem with server administration has been that administrators simply have too much power. The well-known and established Principle of Least Privilege (PoLP; sometimes called Principle of Least Access or PoLA) states that a user s account should have only enough privilege to perform the task at hand. In reality, that would require administrators to have dozens and dozens of user accounts, each one carefully crafted permissions for various specific tasks. That is obviously impractical. Actually, it is often impossible, simply because server products rarely offer security settings that are granular enough to make such a thing possible. There is just no way to configure products permissions so that users can be restricted to perform very constrained, specific tasks and nothing else. This situation creates two unfortunate results. First, administrators typically use a single normal user account and a second all-powerful administrative account essentially, all or nothing when it comes to privilege. Second, it is often difficult to give every user in the organization the ability to do their jobs efficiently. Because products do not offer highly granular security, many users are prohibited from performing administrative tasks simply because they can t be given a user accounts that has less-than-total powers. In order to perform that one task, I have to give you permission to basically do anything, so I m not giving you permission to do anything. The industry s approach, thus far, has been scattershot. Individual Microsoft products address the problems in different ways. SharePoint Server has its own internal users and groups; Exchange Server has its own unique Role-Based Access Control (RBAC) system. SQL Server uses it own system of server and database roles. Every product is different, creating a mess that s difficult to configure, difficult to audit, and difficult to even figure out. Organizations often attempt to compensate through the use of home-grown tools. Administrators created scriptbased tools like HTML Applications (HTAs) and packaged PowerShell scripts that are run under a highly-privileged account, giving normal users a limited user interface with which to accomplish specific tasks. These are also a security nightmare: They often rely on hardcoded high-privilege credentials; they create ongoing maintenance overhead, and often offer little in the way of formal logging and auditing. They re hacks, brought about by necessity and the lack of truly granular permissions in the server products. That s why, in most organizations, Principle of Least Privilege is observed more in thought than in deed. A Solution is Right in Front of Us - Almost Administrators who create home-grown proxy tools tools that run with high levels of privilege but restrict their users capabilities by internally limiting what they can do actually have the right idea. In fact, there s a long history of thirdparty software vendors who create well-architected tools that use the same approach. Essentially, vendors create proxy administration servers. Administrators use the vendor s management interface, which provides its own granular permissions. The interface limits what admins can do, and the proxy service itself performs the actual actions under a highly-privileged account. Professionally built tools provide better management of highprivileged accounts, better audit trails, and so forth. 3 2013. BeyondTrust Software, Inc.

There have really only been two barriers to widespread adoption of this approach. First, it requires administrators to learn all-new management interfaces, rather than enabling them to use the native tools supplied by Microsoft. Second, and more importantly, you had to buy a separate tool for every little thing you wanted to manage: Active Directory, Exchange, SQL Server, and so forth. From a purely financial perspective, it just isn t practical. But that s changing. The PowerShell Opportunity We re entering an interesting new phase of server administration in Windows-based networks. After years of having every server product Exchange Server, vsphere, SharePoint Server, Windows Server itself, and so on have their own management tools and protocols, Microsoft is finally consolidating everything into Windows PowerShell, a.net Framework-based management engine. They re also whittling down the dizzying array of management protocols we ve had to deal with, moving all administrative communications to the protocol that underlies PowerShell Remoting. On the face of it, this new direction offers better consistency, better administrative reach, and better efficiency. But it s still not perfect. Administrators interact directly with PowerShell by running commands in a command-line interface (CLI); PowerShell also powers the more traditional graphical user interface (GUI) management consoles for these products. Nearly all of the Microsoft server line, and more than a few third-party server applications, offer at least some manageability through PowerShell. The important point here is that PowerShell acts as a kind of universal middleman for administration. Everything either is, or will be, instrumented through PowerShell. A key deliverable in PowerShell v2 was PowerShell Remoting, the ability of one PowerShell instance to connect to a remote machine, start a copy of PowerShell there, and transmit commands for the remote machine to run. Now, any management tool CLI or GUI that uses PowerShell as its engine can connect to one or more remote servers to execute commands. This promises to revolutionize server management by making administration more efficient and more scalable, and by moving responsibility for administrative communications from the management application to PowerShell itself. Think about it: Suddenly, developers can easily create management tools that talk to remote servers, simply by asking PowerShell to do it for them. Commands are sent to the remote server, the server executes the commands, and the results are either sent back to the originator, to be displayed as text in a CLI, or interpreted as icons and other graphical elements in a GUI. PowerShell Remoting is based on tried-and-true Internet technologies, including HTTP and HTTPS. It s easily routable through a corporate network and can be passed through firewalls with little difficulty. What s more, by using the native Windows authentication protocols Kerberos and CredSSP administrators credentials are delegated across the Remoting connection. That means Remoting is security-transparent: It adds nothing, and subtracts nothing, from the organization s security situation. An administrator can remotely perform whatever tasks they d normally be able to perform locally. And therein lies the problem. A Single Security Gate PowerShell and its Remoting technology create an opportunity to solve this problem because, for the first time, we re able to run all management communications through a single pipe. Think about it: Whether they re running commands in a shell, running a script, or using a GUI, administrators are using PowerShell. When those management tools need to talk to a server, they re doing it over Remoting. It s one channel, and it creates an opportunity for us to imagine a 4 2013. BeyondTrust Software, Inc.

security gate. No longer do we need to build an all-new management interface to provide more granular administrative permissions. Instead, we can simply intercept actions at the common PowerShell level. Although Remoting itself is security-neutral, we can intercept Remoting to add a universal, more granular layer of security to administrative activities. In other words, rather than sending PowerShell commands from an administrator s workstation directly to a server, we could send them first to a middleman, which could examine the commands being run and apply however granular a security system we want. It could decide which commands actually have to execute, essentially layering a more detailed set of security permissions on top of products native ones. Such an approach would also solve a nascent concern about PowerShell Remoting: Auditing. Natively, PowerShell has no means of forcing administrators to leave a record of the commands they execute on remote servers. With a middleman approach, the security gate could not only examine commands and apply granular security permissions, but also log each command that was run, creating an audit log capable of satisfying the most demanding and rigorous auditor. This isn t a pipe dream. The strides made by Microsoft product teams for Exchange Server, SQL Server, System Center, SharePoint Server, and more are making this a reality right now. The reality is even more compelling when you realize the number of third party vendors like IBM, VMware, Cisco, Citrix, and so on who ve also jumped on the PowerShell bandwagon. POWERBROKER SERVERS WINDOWS EDITION BeyondTrust has been a player in the privilege management space for years, and they ve combined their experience with the opportunity offered by PowerShell and its Remoting technology. PowerBroker Servers Windows Edition approach consists of three parts: The administrator s workstation. This actually just runs a standard, unmodified copy of Windows PowerShell, but it s configured to send PowerShell s HTTP Remoting traffic through a proxy server. This proxy configuration only affects PowerShell traffic, and it s configured using standard, supported Windows networking mechanisms. The proxy server. This acts as a gateway, examining each incoming remoting request and determining if that administrator is allowed to connect to the specified server or not. It s essentially a kind of firewall, denying all traffic by default and only passing along Remoting traffic that is explicitly allowed by a configured policy. The server. Again, this runs a standard installation of Windows PowerShell that s been extended by a PowerBroker Servers agent, and which is run under a centrally-managed, highly-privileged account. PowerShell receives the Remoting traffic from the proxy server, and the agent examines each command that is received. The agent communicates with the PowerBroker server to see if that administrator is allowed to run that command, and handles logging of commands as well. The agent is smart enough not to accept Remoting connections that don t come through the proxy, ensuring the system isn t bypassed. The beauty of this approach is in its elegance. PowerShell Remoting is designed to work through HTTP proxy servers when necessary; PowerBroker Servers simply leverages that design to insert some security-focused intelligence into the process. By intercepting all PowerShell traffic, PowerBroker Servers becomes a security gate much like a firewall. Its agent can be configured with incredibly detailed permissions, all the way down to individual command parameters. Joe can run this command with any parameter; Nick can run the command, but he can t change these three parameters from their defaults. It also creates the most detailed-possible log of all administrative activity. This level of granularity for server management has frankly never been possible in a Windows-based environment but because PowerShell is being adopted by so many third-party software vendors, it isn t limited to just Microsoft products. VMware vsphere, IBM, Cisco, and many other vendors all offer products that include PowerShell-based manageability, 5 2013. BeyondTrust Software, Inc.

and the list will only grow longer as time goes on. Other Benefits of PoLP Most organizations continue to rely on basic password authentication even for highly privileged administrative accounts. We re all aware that passwords are far from the strongest, most secure means of authentication; we use them because they re easy, cheap, and convenient. The problem is that a compromised administrative password can give an attacker full access to the entire environment. With true Principle of Least Privilege implemented in your environment, you can significantly mitigate the risk associated with a compromised password, simply because user accounts even administrative ones can have much more constrained, granular privileges. PowerShell Adoption PowerBroker Servers approach to PoLP does rely on PowerShell, which means in order for it to be effective, PowerShell needs to be leveraged by key servers and business applications within your organization. PowerShell v2 is a mature, stable product, and is available for Windows XP, Windows Server 2003, and later. It is installed by default on Windows 7 and Windows Server 2008 R2; as those versions of Windows are deployed within your organization, you essentially get PowerShell for free. Going forward, future versions of Windows both client and server will have PowerShell installed by default, as well as having Remoting installed and enabled by default. Keep in mind that even organizations who don t interact directly with PowerShell s CLI will still use PowerShell, and Remoting, as they re the underlying administrative engine and communications technology that powers Microsoft s next-generation GUI consoles. That means any organization moving to Microsoft s current- and next-version Windows operating systems can leverage PowerBroker Servers solution for PoLP implementation. Summary Microsoft s move toward a single technology PowerShell for administrative functionality, and their consolidation to Remoting as an administrative communications protocol, creates a significant new opportunity for security and auditing. By utilizing PowerShell as a security gate, and by proxying its traffic through an appropriate middleman server, organizations can gain both highly granular control over permissions and incredibly detailed audit logs of administrator activity. These capabilities are beyond the various security mechanisms native to Windows and to server applications, giving organizations the ability to truly and finally achieve the granular security permissions and detailed logging that they ve always wanted. About Don Jones Don Jones, Senior Partner and Principal Technologist, Concentrated Technology Don has more than a decade of professional experience in the IT industry. He s the author of more than 35 IT books, including Windows PowerShell: TFM; VBScript, WMI, and ADSI Unleashed; Managing Windows with VBScript and WMI; and many more. He s a top-rated speaker at conferences such as Microsoft TechEd and TechMentor, and writes a monthly column for Microsoft TechNet Magazine. Don is a multiple-year recipient of Microsoft s Most Valuable Professional (MVP) Award. 6 2013. BeyondTrust Software, Inc.

About BeyondTrust With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world s 10 largest banks, seven of the world s 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held, and headquartered in Carlsbad, California. For more information, visit beyondtrust.com. CONTACT INFO NORTH AMERICAN SALES 1.800.234.9072 sales@beyondtrust.com EMEA SALES Tel: + 44 (0) 8704 586224 emeainfo@beyondtrust.com CORPORATE HEADQUARTERS 550 West C Street, Suite 1650 San Diego, CA 92101 1.800.234.9072 CONNECT WITH US Twitter: @beyondtrust Facebook.com/beyondtrust Linkedin.com/company/beyondtrust www.beyondtrust.com 7 2013. BeyondTrust Software, Inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information