Do Your Admins Hold the Keys to the Kingdom?

Are your admins holding the keys to your network’s kingdom? No, this isn’t some fairy tale where the admins are dark wizards with magical powers over your enterprise, but it might as well be just as dangerous. Many administrators aren’t aware of the damage they can cause with the permissions they’ve been granted, either malicious or not, and we need the ability to monitor these privileged accounts for the risk they introduce.

Insider threats are a big deal, either voluntary or involuntary, and without knowing what our administrators are doing a big part of this risk is left completely to chance. There have been horror stories over the past couple years of admins holding companies hostage, stealing confidential data, or the more common occurrence of a risky change to your network , like opening a hole in your network to allow NetBios ports externally, with or without permission.

First off do you know who has admin access in your organization? This is a question that if asked to management they’d most likely not know. How can you be certain that those that require and have been approved access, are the only ones that have it? There needs to be constant monitoring of administrator groups and privileges to prevent risky changes and rogue admins from compromising your network. Many people end up becoming admins because it’s just easier to give someone more access than it is to fix the actual problem. Laziness is a huge problem that doesn’t help security. Knowing when an admin group is changed or when a new administrator is created is something your security team would want to know.

Secondly, do we know what changes our admins are making on a daily basis? Are these changes approved by a change management procedure, and have they been reviewed for potential risk? It’s one thing to have a change approved, but yet another to have it verified for risk. We’ve all seen changes that have gone through the approval process to only end up causing more issues. Risk management needs to be grafted into your admins’ changes, and there are some systems and procedures that can help make this much simpler and mitigate some of the accidental changes that cause more trouble than they’re worth. Also, being alerted of admin changes is a good way to monitor what’s occurring on your network. The issue here is tying the change to an authorized approval. Many systems try to do this, but only few really succeed in certain aspects.

We need to become better at knowing what our admins are doing, for both auditing and protection of our environment. It’s not that we don’t trust them; it’s that we have a job to do and protection of data is key. For example, if a firewall administrator is opening a port, does management really know the risk to their environment after approval? Say this firewall admin is opening a port for a new software application that unknowingly creates a hole into your PCI zone. Isn’t this something you’d want to know… before it was approved? You’re darn right you would. Having systems that scan for changes, like in this firewall change scenario, and tie them back for risk and even compliance is a huge win for management and engineers.

Lastly, are your admins using their domain or administrator credentials for everyday use? Are Windows domain admins logging into their workstation as domain admins or as regular users? There’s no reason that someone with domain admin credentials should be logging into their workstations every day to read their mail and browse the web. This is an accident waiting to happen. All administrator accounts need to be separated from every day use. Domain admin credentials should be used for one thing, administrating a Windows domain or system. They’re not to be used for common use where they can be compromised, and used against you. If you’re browsing a malicious site or fall for a phishing scam your complete network has just been compromised. Also, separating administrator accounts will give you a much easier time of reporting on actual administrator activity.

Knowing who, what and when your administrators are logged in and making changes is an important aspect of information security. Monitoring for these changes, and who has access is a way to reduce the risk that can be caused by either accidental or malicious changes. As I mentioned before it’s not that we don’t trust our admins, it’s just that we’re not in the business of trusting.