Restricting IT access and admin rights
- rrelentless

- Jan 16
- 5 min read

In today’s digital landscape, cyber threats are becoming increasingly sophisticated. As was mentioned in our blog "The first 60 minutes - acting fast when cyber attackers strike", during the first few minutes of a cyber breach, attackers will tend to exploit the element of surprise to escalate their privileges, move laterally within networks and steal sensitive data.
Once they’re in, it’s very difficult to stop them, so the best option is to set up defences and restrictions before a breach happens to limit the opportunities for attackers. One of the most effective methods is to restrict IT access and administrative (privileged) rights. An account whose privilege level is set higher than its job requires is a prime target for attackers; reducing unnecessary access rights can significantly lower the risk and the impact of a breach.
What is a privileged account?
This is a user account that has elevated or administrative access to an organisation's critical systems, data and resources, which can include servers, databases and applications.
These accounts are usually reserved for IT administrators and carry far greater permissions than standard user accounts, which makes them a major security risk that requires strong safeguards and management. Bear in mind, though, that ordinary user accounts may also have been set up with more privileges than they should have.
What can privileged accounts do?
Unlike standard accounts, privileged accounts can make significant changes, such as installing software, modifying system configurations, creating or deleting user accounts and accessing sensitive data.
Who might have privileged accounts?
Domain and local administrators will have broad control over workstations and servers in a network.
Service accounts can run applications and services and have permissions to perform their specific functions.
Application administrators have full control over specific applications.
Emergency accounts are used only when it’s necessary to get immediate access to a system in the event of an unforeseen incident.
The importance of restricting access
When a cyber attack begins, whether that’s achieved through phishing, malware or insider threats, attackers will more than likely head for the privileged accounts to try and compromise them. IT industry studies have shown that as many as 8 out of 10 breaches involved compromised credentials, often linked to accounts that had too many privileges for their position.
If admin rights aren’t restricted, it increases what’s known as the attack surface - the total sum of all possible points where an unauthorised user can attempt to enter, extract data from or control a digital system.
There are two main cornerstones of cybersecurity that all organisations should seriously consider when setting up defences and precautions against privilege escalation and lateral movement.
The principle of Least Privilege
Also known as PoLP, this states that users, applications and systems should have only the minimum access needed to carry out their tasks and no more.
This means that if they’re compromised, the attacker will find it much harder to move beyond the account as there will be fewer (or even no) places for them to go. In a similar fashion, any malware that an attacker introduces into the system won’t be able to spread as far.
What are the benefits of PoLP?
As well as the advantages we’ve already noted, PoLP can also improve compliance as it will align with regulations like UK GDPR. It will also mean easier deployment and auditing of applications. So how can you implement PoLP in a way that will make your organisation more secure?
One of the most important steps is to carry out an audit of all privileged accounts regularly. People move on and job roles change; what was true and required six months ago won’t necessarily be the case now. The more regularly you audit, the more likely you are to spot and rectify out-of-date privileges.
You should also look at local admin accounts. These are user accounts on a single computer that have full administrative control over the computer’s files, settings and user permissions. Make sure that any unnecessary admin rights on those accounts are removed. Again, these may be legacy issues from a time when the account was used for things other than it requires now.
Take steps to separate standard and admin accounts.
This means creating a standard user account for daily tasks and a separate administrator account for administrative tasks like installing software or changing system settings. The standard account has fewer privileges, so malware that runs as that user, or an accidental slip, cannot change system settings; anything system-sensitive requires the administrator account's credentials to be supplied. This limits the potential damage from malware and reduces the risk of accidental changes.
In addition, to support compliance with security schemes such as Cyber Essentials, local administrative accounts should be restricted to administrative functions only and not used for internet access, further reducing the risk of credential compromise or malware exposure.
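As an added example (not code from the original post), the following Python script runs the audit described above over a small constructed inventory: it flags the built-in Administrator account if it is still enabled, admin rights held by roles that do not need them, admin accounts that are also used for everyday work, and accounts that have not logged on in months. The role list, the 90-day stale threshold and the account names are assumptions for illustration; in practice the inventory would be pulled from the directory and from each machine's local Administrators group.

```python
"""Privileged-account audit over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example: which job roles legitimately need admin rights,
# and how long an account may sit unused before it is considered stale.
ADMIN_ROLES = {"it-admin", "server-admin"}
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    role: str                  # job role from the HR / identity system
    local_groups: set          # local group memberships on the machine
    enabled: bool
    last_logon: datetime
    used_for_daily_work: bool  # signed into mail / browser with this account


def audit(accounts, now):
    """Return (account, finding) pairs for privileges that no longer look justified."""
    findings = []
    for a in accounts:
        is_admin = "Administrators" in a.local_groups
        if a.name.lower() == "administrator":
            if a.enabled:
                findings.append((a.name, "default-admin-enabled"))
            continue  # the remedy is to disable it, not to re-scope it
        if is_admin and a.role not in ADMIN_ROLES:
            findings.append((a.name, "unneeded-admin"))
        if is_admin and a.used_for_daily_work:
            findings.append((a.name, "admin-account-daily-use"))
        if a.enabled and now - a.last_logon > STALE_AFTER:
            findings.append((a.name, "stale"))
    return findings


# Constructed inventory for the example; these are not real accounts.
NOW = datetime(2025, 1, 16, 9, 0)
INVENTORY = [
    Account("Administrator", "builtin", {"Administrators"}, True, NOW - timedelta(days=10), False),
    Account("alice", "finance", {"Administrators", "Users"}, True, NOW - timedelta(days=2), True),
    Account("bob", "it-admin", {"Users"}, True, NOW - timedelta(days=1), True),
    Account("bob-admin", "it-admin", {"Administrators"}, True, NOW - timedelta(days=1), False),
    Account("carol", "sales", {"Users"}, True, NOW - timedelta(days=120), False),
]


def run_sample():
    return audit(INVENTORY, NOW)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name:14} {finding}")
```

Note that bob, who holds an IT admin role, produces no findings: his daily-use account is a standard one and his admin rights live in a separate account, which is exactly the split described above.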
Rotate admin passwords.
For shared or emergency (break-glass) accounts, rotate the password after each use. For other privileged accounts there isn’t a hard and fast rule on how often to rotate, though it’s common practice to do so every thirty to ninety days.
How often this happens should be governed by the risk. Accounts that are more business-critical should be rotated more frequently.
Factors to consider when setting a rotation frequency
Security incident: Change the password immediately if you know or suspect it’s been compromised.
Practicality: Balance the security benefits against the administrative burden. Frequent rotation for every account can be time-consuming and can actually lead to less secure password practices, because staff who are forced to change passwords often don’t change them in any meaningful way. Instead, they tweak the version they’ve already memorised slightly each time it expires. People are predictable and threat actors know this, so an old, exposed password will be tried with common suffixes like “@123” or “!”, or with its trailing number bumped up by one.
Therefore, prioritise the accounts that are higher-risk. Low-risk accounts may only need rotation if a role changes, a user leaves the organisation or the account is compromised.
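The predictable-tweak problem above can be checked for at rotation time. As an added example (not code from the original post), the Python below builds the guesses an attacker would try from an exposed old password (common suffixes, incremented trailing numbers, case flips) and rejects a new password that is one of them or that shares the same stem once digits, punctuation and leet substitutions are stripped. The suffix list, leet map and similarity threshold are assumptions for illustration.

```python
"""Catch 'rotations' that only tweak the old password (added example)."""
import re
from difflib import SequenceMatcher

# Suffixes attackers append to an exposed password (assumed list for the example).
COMMON_SUFFIXES = ("1", "01", "123", "@123", "!", "!!", "#", "?")
# Leet substitutions undone before comparing stems, so P@ssw0rd == Password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
EDGE = r"[\d!@#$%^&*?._-]+"   # digits/punctuation at either end of a password


def stem(password):
    """Lower-case, strip leading/trailing digits and punctuation, undo leet."""
    s = re.sub(EDGE + r"$", "", password.lower())
    s = re.sub(r"^" + EDGE, "", s)
    return s.translate(LEET)


def candidate_guesses(old):
    """What an attacker holding `old` would try first."""
    guesses = {old + s for s in COMMON_SUFFIXES}
    m = re.search(r"(\d+)(\D*)$", old)        # trailing number (year, counter)
    if m:
        digits, tail = m.group(1), m.group(2)
        for delta in (1, 2):
            bumped = str(int(digits) + delta).zfill(len(digits))
            guesses.add(old[:m.start(1)] + bumped + tail)
    guesses.update({old.capitalize(), old.swapcase(), old[::-1]})
    return guesses


def is_trivial_mutation(old, new, threshold=0.8):
    """True if `new` is a predictable tweak of `old` rather than a real change."""
    if new == old or new in candidate_guesses(old):
        return True
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:
        return True
    # Fallback: near-identical strings (e.g. one letter changed) still count.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


if __name__ == "__main__":
    for old, new in [("Summer2024!", "Summer2025!"), ("Welcome1", "Welcome1@123"),
                     ("P@ssw0rd", "Password!"), ("Summer2024!", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {'rejected' if is_trivial_mutation(old, new) else 'ok'}")
```

A check like this is most useful on the accounts you rotate most often, since those are the ones where people are most tempted to cut corners.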
Monitor privileged activity for anomalies.
Cyber attacks are not always obvious, nor do they usually come without warning. Many attackers will probe a system for weaknesses and vulnerabilities before launching the main attack, and this often shows up as anomalies that mean little on their own but, taken as a whole, can point to both an impending breach and the weakness it is likely to exploit. Out-of-hours use of an admin account, an admin account logging on to a machine it has never used before, a single admin account touching many machines in a few minutes, or a newly created account being added to an administrators group moments later are the kinds of events worth alerting on.
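As an added example (not code from the original post), the Python below runs four such rules over a handful of constructed privileged-activity log lines: a privileged logon outside working hours, a logon from a host the account has no history on, a burst of distinct hosts inside a short window, and a freshly created account being added to Administrators by the same actor. The log format, the working-hours window, the per-account host baseline and the thresholds are all assumptions for illustration; in a real deployment the inputs would be the equivalent events from your directory and endpoint logs.

```python
"""Anomaly rules over constructed privileged-activity log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simple "timestamp key=value ..." format; not real data.
LOG = """\
2025-01-15T09:02:00 user=bob-admin host=srv-file01 event=privileged_logon
2025-01-15T14:20:00 user=bob-admin host=srv-file01 event=privileged_logon
2025-01-15T23:41:00 user=bob-admin host=ws-sales07 event=privileged_logon
2025-01-15T23:43:00 user=bob-admin host=srv-db02 event=privileged_logon
2025-01-15T23:44:00 user=bob-admin host=srv-db03 event=privileged_logon
2025-01-15T23:45:00 user=bob-admin host=srv-file01 event=privileged_logon
2025-01-15T23:47:00 user=bob-admin host=srv-db02 event=user_created target=svc-update
2025-01-15T23:48:00 user=bob-admin host=srv-db02 event=group_member_added target=svc-update group=Administrators
"""

# Hosts each admin account has historically used (assumed baseline for the example).
BASELINE = {"bob-admin": {"srv-file01", "srv-db02", "srv-db03"}}


def parse(log):
    """Turn 'ts key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        e = dict(f.split("=", 1) for f in fields)
        e["ts"] = datetime.fromisoformat(ts)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline, work_hours=(7, 19), window=timedelta(minutes=10), burst_hosts=3):
    """Return (rule, user, detail) alerts for the anomalies described in the text."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, host)] seen within `window`
    bursting = set()            # users already alerted for the current burst
    created = {}                # (actor, new account) -> creation time
    for e in events:
        ts, user = e["ts"], e["user"]
        if e["event"] == "privileged_logon":
            host = e["host"]
            if ts.weekday() >= 5 or not (work_hours[0] <= ts.hour < work_hours[1]):
                alerts.append(("out_of_hours", user, f"{host} {ts:%a %H:%M}"))
            if host not in baseline.get(user, set()):
                alerts.append(("new_host", user, host))
            recent[user] = [(t, h) for t, h in recent[user] if ts - t <= window] + [(ts, host)]
            hosts = {h for _, h in recent[user]}
            if len(hosts) >= burst_hosts and user not in bursting:
                bursting.add(user)
                alerts.append(("host_burst", user, ", ".join(sorted(hosts))))
            elif len(hosts) < burst_hosts:
                bursting.discard(user)
        elif e["event"] == "user_created":
            created[(user, e["target"])] = ts
        elif e["event"] == "group_member_added" and e.get("group") == "Administrators":
            t0 = created.get((user, e["target"]))
            if t0 is not None and ts - t0 <= timedelta(minutes=15):
                alerts.append(("fresh_account_made_admin", user, e["target"]))
    return alerts


def run_sample():
    return detect(parse(LOG), BASELINE)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:26} {user:10} {detail}")
```

The daytime logons produce nothing; the late-night sequence produces seven alerts that individually could be a tired admin working late but together look like an account being used for lateral movement and persistence.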
Role-based access control (RBAC)
PoLP is aimed at minimising unnecessary privileges and we’ve seen how that can work to frustrate or block a cyber attacker from roaming at will within a system. There’s also another safeguard that can be used to defend a system from attack: Role-Based Access Control (RBAC).
This provides a structured way to enforce PoLP. It assigns permissions that are based on predefined roles rather than individual users. For example:
A finance role could be given access to accounting systems but firewall settings would be restricted or blocked.
A sales role could access CRM tools but HR records would be off limits.
There are several key areas where RBAC delivers in terms of security:
Scalability: it can significantly simplify access management if the organisation is large and there are many accounts.
Consistency: for many IT departments, the assigning of permissions is done individually and RBAC can help to reduce errors that might otherwise occur.
Compliance: use of RBAC can help to ensure that your organisation meets the requirements set out by data protection regulators.
Best practices for restricting admin rights
Once you’ve decided that restricting admin rights is the way to go, what should you bear in mind when doing so?
Make sure you use dedicated accounts for administrative tasks; everyday users should never have admin rights.
Disable default local admin accounts. Attackers often target the built-in local Administrator account because it has unrestricted authority over the machine and its name is known in advance. Follow best practice and keep it disabled; create a separately named admin account for administrative work and use a standard account for daily tasks.
Just-in-time access: if elevated privileges are needed and the account holder has made a valid case for them, they should be granted only when needed, for the purpose specified and for a limited time, and should be revoked as soon as the need has been met.
Continuous monitoring: keep an eye on what’s happening with account privileges. Track and log every grant, change and use of elevated rights so that, if there is an incident or you’re required to provide that information for an audit, you can do so at once.
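As an added example (not code from the original post), the Python below ties the RBAC section and the just-in-time and monitoring points above together: permissions hang off roles rather than users, anything not granted by a role is denied, a user can be elevated into a role only for a fixed time against a change ticket, and every grant, revocation and access decision is written to an audit trail. The roles, resources, user names and ticket numbers are assumptions for illustration.

```python
"""Role-based access with deny-by-default and time-boxed elevation (added example)."""
from datetime import datetime, timedelta

# Assumed roles and their (resource, action) permissions; nothing outside this
# table is ever allowed, which is what makes the model deny-by-default.
ROLE_PERMS = {
    "finance":  {("accounting", "read"), ("accounting", "write")},
    "sales":    {("crm", "read"), ("crm", "write")},
    "hr":       {("hr", "read"), ("hr", "write")},
    "it-admin": {("firewall", "read"), ("firewall", "write"), ("accounts", "manage")},
}


class AccessControl:
    def __init__(self, role_perms, user_roles):
        self.role_perms = role_perms
        self.user_roles = {u: set(r) for u, r in user_roles.items()}  # standing roles
        self.jit = []    # active elevations: {user, role, expires, ticket}
        self.audit = []  # every grant, revocation and decision, for review

    def grant_jit(self, user, role, ttl, now, ticket):
        """Elevate `user` into `role` until now + ttl; `ticket` records the justification."""
        if role not in self.role_perms:
            raise ValueError(f"unknown role {role}")
        grant = {"user": user, "role": role, "expires": now + ttl, "ticket": ticket}
        self.jit.append(grant)
        self.audit.append(("grant", user, role, ticket, now))
        return grant

    def revoke_jit(self, user, role, now):
        """Drop the elevation early once the work is done; returns how many grants went."""
        before = len(self.jit)
        self.jit = [g for g in self.jit if not (g["user"] == user and g["role"] == role)]
        self.audit.append(("revoke", user, role, None, now))
        return before - len(self.jit)

    def effective_roles(self, user, now):
        roles = set(self.user_roles.get(user, set()))
        roles |= {g["role"] for g in self.jit if g["user"] == user and g["expires"] > now}
        return roles

    def is_allowed(self, user, resource, action, now):
        allowed = any((resource, action) in self.role_perms.get(r, set())
                      for r in self.effective_roles(user, now))
        self.audit.append(("decision", user, f"{action}:{resource}", allowed, now))
        return allowed


def run_sample():
    t0 = datetime(2025, 1, 16, 9, 0)
    ac = AccessControl(ROLE_PERMS, {"alice": {"finance"}, "dave": {"sales"}, "bob": set()})
    r = {}
    r["alice_accounting"] = ac.is_allowed("alice", "accounting", "write", t0)
    r["alice_firewall"] = ac.is_allowed("alice", "firewall", "write", t0)
    r["dave_crm"] = ac.is_allowed("dave", "crm", "read", t0)
    r["dave_hr"] = ac.is_allowed("dave", "hr", "read", t0)
    r["unknown_user"] = ac.is_allowed("mallory", "crm", "read", t0)
    # bob has no standing admin rights; he gets them for 30 minutes against a ticket
    r["bob_before"] = ac.is_allowed("bob", "firewall", "write", t0)
    ac.grant_jit("bob", "it-admin", timedelta(minutes=30), t0, "CHG-1234")
    r["bob_during"] = ac.is_allowed("bob", "firewall", "write", t0 + timedelta(minutes=10))
    r["bob_expired"] = ac.is_allowed("bob", "firewall", "write", t0 + timedelta(minutes=31))
    # a second elevation is revoked early once the job is finished
    t1 = t0 + timedelta(minutes=40)
    ac.grant_jit("bob", "it-admin", timedelta(minutes=30), t1, "CHG-1235")
    ac.revoke_jit("bob", "it-admin", t1 + timedelta(minutes=5))
    r["bob_revoked"] = ac.is_allowed("bob", "firewall", "write", t1 + timedelta(minutes=6))
    return r, ac.audit


if __name__ == "__main__":
    results, audit = run_sample()
    for k, v in results.items():
        print(f"{k:18} {'allowed' if v else 'denied'}")
    print(f"{len(audit)} audit records")
```

Because the decision function only consults roles, adding a new starter to finance is a one-line change to the user-to-role mapping rather than a hand-built permission set, and the audit list answers the "who had what, when, and why" question an investigator or auditor will ask.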