It's a security best practice to remove administrator rights from end users, so they are reduced to standard user privileges on their local workstations. I think I can get universal agreement across the IT security profession regarding this practice. But how organizations go about achieving it can make all the difference for productivity and risk avoidance.
One common method involves creating two accounts for an identity, but, when it comes to the typical non-IT user, this approach presents serious shortcomings. For a typical end user, this type of separation of privilege means having a standard user account to log into their workstation, and an administrative account with a different password to perform any type of privileged activity. This could include anything from installing a new printer or changing the system clock, to running the update programs for Adobe or Java-based applications.
In this approach, the administrative account name is typically derived from the standard user name by adding a prefix or suffix such as “x-” or “admin-”, which makes any intended obfuscation of the credentials a moot point. This is a minor security risk that most organizations accept, but it is a risk nonetheless. For this typical user, when a privileged task occurs on their workstation, the Microsoft Windows or Apple macOS operating system prompts for credentials via UAC (User Account Control) or the Security credentials dialog respectively. The user must enter their privileged credentials into the dialog and click “OK” before any privileged activity can take place. Below are typical examples of these prompts on Windows:
While many users have become accustomed to this approach, it ultimately inserts a needless step that not only impairs productivity, but also creates additional security risks. In this blog, I’ll break down the security and productivity shortcomings of the dual account approach, and then explain how BeyondTrust’s Endpoint Privilege Management solution can save money, lower risks, and reduce the complexity of maintaining two accounts for every identity.
To start, BeyondTrust’s Endpoint Privilege Management solution is a least privilege product designed to eliminate the need for administrative or root credentials on an endpoint in order to execute applications or perform operating system tasks. A standard end user can be granted privileges via rules and policies to elevate specific applications and tasks that require administrative rights, optionally without prompting the end user for credentials.
Endpoint Privilege Management’s primary function is to elevate the application, not the user, to perform these functions, eliminating the need to create two accounts for every identity. The BeyondTrust solution performs these actions in the context of a custom security token, not through a traditional “RunAs” or “Impersonation” account. The goal is to enable end users to perform the tasks their role delegates, but without the risk of maintaining secondary administrative credentials. Even ad-hoc tasks that may not recur can be delegated to a workflow to ensure no loss in productivity, while capturing data on all privileged activity with the fidelity needed for regulatory compliance and audits.
So, just what are the risks and the loss in productivity involved in using a two-account privileged model?
- Memory-scraping malware: When using a secondary account for privileges, the administrative password is stored in memory after it is entered. This means it’s susceptible to attacks like Pass-the-Hash and exploitation tools like Mimikatz. When using an endpoint least privilege solution, the application is elevated using a custom token, making it immune to these exploitation techniques as well as reuse in other common privileged attack vectors.
- Loss in productivity: Each time a privileged activity occurs, the end user must spend time entering their privileged credentials in a UAC prompt. If this happens frequently, it adds up over time to a significant loss in productivity as well as an annoyance. When using our endpoint least privilege solution, there is no UAC prompt, and the application or task runs elevated without any additional end-user interaction, just like any other application. The end-user experience is exactly the same as if they had actually logged in with administrative credentials (a bad idea) and everything “just works”.
- Resources: When implementing a dual credential privileged account model, every potential identity (user) has a minimum of two accounts. This doubles the quantity of accounts in Active Directory and doubles the number of accounts to manage. In some cases, it could even affect a solution’s licensing, since it doubles the number of active accounts for procurement. Consolidating to a single account per identity simplifies every process, from identity governance to certification reporting. This alone should increase productivity simply because there is less to manage. And the cyber risk is lowered further by not exposing predictable, easily guessed privileged account usernames to a threat actor.
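The three points above (predictable “admin-”/“x-” account names, administrative credentials left in memory after an interactive logon, and the doubling of accounts per identity) can be measured in an existing environment before any tooling is changed. The following Python script is an added example and is not BeyondTrust code or part of the original post: it pairs each standard account with the privileged twin a naming convention makes guessable, reports the identity-to-account ratio, and flags interactive workstation logons by those privileged accounts. The directory export and the logon events are constructed sample data; the event fields are loosely modelled on Windows security event 4624 logon types, and the “WS-” host prefix and the prefix/suffix lists are assumptions for the example.

```python
import re
from collections import namedtuple

# Constructed sample data (not from the original post): a directory export where
# privileged accounts follow the predictable "admin-" / "x-" naming convention.
Account = namedtuple("Account", "sam privileged")
ACCOUNTS = [
    Account("jsmith", False),      Account("admin-jsmith", True),
    Account("ajones", False),      Account("x-ajones", True),
    Account("blee", False),                                   # no admin twin
    Account("svc-backup", True),                              # privileged, not user-derived
]

# Naming patterns assumed for this example; extend with your own convention.
PREFIXES = ("admin-", "x-")
SUFFIXES = ("-admin", "-x")


def base_name(sam):
    """Strip a predictable privileged prefix/suffix; None if no pattern matches."""
    low = sam.lower()
    for p in PREFIXES:
        if low.startswith(p):
            return low[len(p):]
    for s in SUFFIXES:
        if low.endswith(s):
            return low[:-len(s)]
    return None


def pair_dual_accounts(accounts):
    """Map each standard account to the privileged twin derivable from its name."""
    standard = {a.sam.lower() for a in accounts if not a.privileged}
    pairs = {}
    for a in accounts:
        if a.privileged:
            base = base_name(a.sam)
            if base in standard:
                pairs[base] = a.sam
    return pairs


def account_overhead(accounts):
    """(human identities, directory accounts): the doubling the post describes."""
    identities = sum(1 for a in accounts if not a.privileged)
    return identities, len(accounts)


# Constructed logon events, loosely modelled on the fields of Windows security
# event 4624. Logon types 2 (Interactive), 10 (RemoteInteractive) and 11
# (CachedInteractive) leave credential material in LSASS memory; type 3
# (Network) does not.
LogonEvent = namedtuple("LogonEvent", "host account logon_type")
EVENTS = [
    LogonEvent("WS-0101", "admin-jsmith", 2),
    LogonEvent("WS-0102", "x-ajones", 10),
    LogonEvent("WS-0102", "ajones", 2),       # standard user: expected
    LogonEvent("DC-01", "admin-jsmith", 3),   # network logon: no cached credential
]
CACHING_LOGON_TYPES = {2, 10, 11}
WORKSTATION_PATTERN = re.compile(r"^WS-", re.IGNORECASE)   # assumed host naming


def flag_cached_admin_logons(events, privileged_accounts):
    """Return events where a privileged account logged on to a workstation in a
    way that leaves its credential in memory (the exposure the dual-account
    UAC workflow creates)."""
    privileged = {p.lower() for p in privileged_accounts}
    return [e for e in events
            if e.account.lower() in privileged
            and e.logon_type in CACHING_LOGON_TYPES
            and WORKSTATION_PATTERN.match(e.host)]


if __name__ == "__main__":
    print("dual-account pairs:", pair_dual_accounts(ACCOUNTS))
    print("identities/accounts:", account_overhead(ACCOUNTS))
    privileged = [a.sam for a in ACCOUNTS if a.privileged]
    for e in flag_cached_admin_logons(EVENTS, privileged):
        print(f"credential-in-memory exposure: {e.account} on {e.host} (type {e.logon_type})")
```

Feeding a real directory export and a day of 4624 events into the same functions gives a baseline for how many privileged credentials are typed into workstation prompts each day, which is the exposure that an elevate-the-application approach removes; the network logon to DC-01 is deliberately left unflagged because no reusable credential is cached there.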
For many organizations, security and operational solutions are only licensed when they can mitigate risk, save money, or help generate revenue. BeyondTrust’s Endpoint Privilege Management solution can easily satisfy the first two requirements. An argument can always be made for the third: by nailing down security and clearing away productivity obstacles, you give an organization and its people the confidence to take on new business initiatives, along with a greater ability to focus on what drives revenue and other measures of business success.
For more information on how BeyondTrust can eliminate the dual privileged account model per identity, please contact us today. The risks and the loss of productivity are something every organization can start to move the needle on today.
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.