Passwordless administration refers to the ability to perform administrative functions on an endpoint without the need for privileged or administrator credentials. It is a simple concept with huge ramifications for securing an organization. The primary goal is to remove administrative rights from all users while still allowing them to execute the operating system tasks and applications that require administrative rights.
When applying passwordless administration, administrative tasks can be “trusted” to users and assets without provisioning additional credentials. The technology works beneath the entitlement and privilege model of the application and operating system, so that the application itself runs with exactly the privileges it needs (including any network authentication) and the process is transparent to the user. An additional benefit of a passwordless strategy is application control over operating system functions and third-party applications based on attributes such as publisher, path and reputation, rather than on cumbersome file-hash allow lists that must be regenerated with every new build. This ensures that nothing inappropriate executes with unauthorized privileges, even applications compiled in house by developers or produced by a CI/CD DevOps pipeline.
In this blog, I’ll cover the fundamentals of passwordless administration in more detail, including why/when it’s needed, how it works, and how to implement it.
The Case for Passwordless Administration
The mushrooming quantity of administrative accounts with excessive privileges makes them an easy and favored target for threat actors. Each admin account is an attack vector: a successful attacker gains administrative capability over every entitlement to which that account is assigned.
Typically, administrative privileges are assigned en masse, since administrative functions are needed by everyone from end users through true system, network, and database administrators, the accounts that often have access to the organization’s most valuable information (trade secrets, etc.).
Unfortunately, administrative/superuser accounts are also often assigned to regular end users simply so they can add a printer, run a specific program, or change network settings.
Consider the following applications and tasks that still need administrative rights on a standard Windows endpoint:
- The ability to modify system settings or change operating system features within Windows Settings or Control Panel
- The ability to install or uninstall applications
- The ability to edit the registry, or to modify files within the Windows operating system directory or protected files within Program Files
- The ability to execute programs that require administrative rights based on how they are compiled or their interaction with the operating system, network, or file system
- The ability to execute programs that have their own update mechanisms to provide the latest versions for security and features
- The ability to install browser plug-ins and extensions
All of the above are valid use cases, they are administrative functions, and they require administrator credentials to perform. While modern Windows systems have made great headway in managing privileges, in a typical day a user will need administrative rights to perform any of these functions. Typically this is granted by issuing a secondary administrator account for the host or, worse, by simply making the user’s current account a local administrator. The outcome of either choice is a high-risk configuration that greatly expands the threat surface for malware, ransomware, and malicious behavior. The dilemma becomes how to remove administrative credentials from both personas (the user’s own account and any secondary admin account) to mitigate the risk of a threat actor targeting them. The answer is relatively simple: passwordless administration, which enables users to perform these job-related functions without requiring any additional credentials or introducing unnecessary risk.
With privileged credentials implicated in 80% of breaches (according to Forrester Research), the elimination of privileged passwords wherever possible greatly reduces the threat surface. This premise is further buttressed by the fact that 77% of Microsoft critical vulnerabilities can be mitigated by the removal of admin rights, and a similar reduction is also demonstrable by enforcing least privilege on third-party applications.
Every endpoint security strategy should consider using passwordless administration as a layer of security after antivirus to mitigate the most prevalent privileged attack vectors. This approach should precede the implementation of any EDR, MDR, or XDR strategy, or even the use of dedicated web proxy and protocol inspection technologies. Why? Because simply by removing administrative rights and enforcing reputation-based application control, a huge threat surface can be eliminated outright or at least condensed. This includes threats such as dangerous payloads and fileless malware, which still need privileges to persist or to tamper with the system.
Passwordless Administration Defined
Passwordless administration is a use case offered via Privileged Access Management (PAM). While PAM is traditionally thought of as privileged password and session management, endpoint privilege management, and secure remote access, passwordless administration bridges the gap across all three to allow any user to perform a specific administrative task without explicitly entering additional administrative account credentials. This is different from passwordless authentication, which derives its confidence from user attributes or biometrics in order to approve an authentication request.
The concept of passwordless administration is generally linked to just-in-time (JIT) privileged access management, since the methods of applying passwordless administration can cover several technologies that temporarily elevate either the user or, preferably, the application for the specific requested task. In other words, in lieu of entering secondary administrative credentials for a task that requires elevation, the user is trusted based on context (or attributes) to run the application in an elevated state, without an additional challenge and response mechanism.
As an example, consider a user who has been authenticated on a resource. The authentication could be based on standard user credentials, multifactor authentication, single sign on, etc. The authentication confidence and context is important for granularity of permitted tasks, but in this case, just accept that the end user was authenticated to the resource and that they are not authenticating using administrative credentials.
When the end user (or administrator) attempts to execute a program, run a command, or make an operating system change, security best practices dictate that they should not be permitted to continue without some form of challenge and response proving they hold administrative rights. This is typically performed by the end user supplying additional credentials, in the form of administrative credentials, authorizing them to perform the requested action. This is a common point of attack where a threat actor will home in to steal credentials.
So, what if the confidence of the initial authentication is high and the requested task “just works” without the additional challenge and response? The user has already been proven to be who they say they are, and the resources they want to execute or modify on particular assets have been preapproved (even wild-carded) for them to interact with. That workflow is passwordless administration. Specific administrative functions are assigned to users and assets by policy and enforced by technology; the user operates as an administrator or root without entering secondary administrator credentials. In addition, in lieu of credentials, a simple justification in plain text may be requested and recorded for privileged events to meet regulatory requirements for privileged activity.
Benefits of Passwordless Administration
With passwordless administration there is no need to enter administrative credentials to perform admin functions, so there is no need to give any user (administrator or otherwise) administrative credentials to perform those tasks. Consequently, the credentials can be deleted or removed from your directory services, eliminating a significant attack vector without impacting the user experience. That is the substantive benefit of passwordless administration: the combination of least privilege, administrative functions, remote access, and password management to perform administrative functions without the need for additional credentials. This also includes the elimination of shared credentials when the method used to perform administrative tasks elevates the application (not the user), for example by launching the process with a modified access token, which is fundamental to the concept of just-in-time PAM. Again, the upshot is that there are ultimately no administrative passwords for a threat actor to steal.
Let me also share a recent anecdote. During a strategic briefing, the CISO of a leading systems integrator shared that his organization had achieved a 95% decrease in service desk calls resulting from malware infections simply by implementing a passwordless administration approach. That potential for passwordless administration to massively reduce risk, while freeing up the service desk to handle other projects or issues, should warrant any CISO’s or IT security professional’s attention.
How to Implement Passwordless Administration
Passwordless administration requires only two preliminary steps within any organization to move it from concept to reality:
- Identify which tasks require administrative privileges to operate.
- Identify which users need to execute them.
Then, passwordless administration can be applied using the (admittedly limited) features available in many operating systems, or by deploying a privileged access management solution for your environment.
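The two discovery steps above are usually the hardest part in practice, because nobody has an accurate list of who holds local admin rights or of which programs actually use them. The following PowerShell script is an added example (not part of the original post or any vendor tooling) of gathering both answers on a Windows endpoint: it lists the members of the local Administrators group and then mines Security event 4688 for processes that were launched with a full admin token (TokenElevationType %%1937, the UAC-elevated token). It assumes the "Audit Process Creation" policy is enabled so that 4688 events exist; the look-back window and output path are arbitrary choices for the example.

```powershell
# Added example: inventory local admin rights and elevated process launches on one endpoint.
# Run from an elevated PowerShell session (reading the Security log requires it).
# Assumptions: "Audit Process Creation" is enabled; $Days and $Report are illustrative defaults.
param(
    [int]$Days = 7,
    [string]$Report = "$env:TEMP\admin-rights-inventory.csv"
)

# Step 1: who currently holds local admin rights? The local SAM reports direct members,
# including domain users and groups nested into the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object @{ Name = 'Principal'; Expression = { $_.Name } }, ObjectClass, PrincipalSource, SID

# Step 2: which tasks really needed elevation? Event 4688 carries the token elevation type
# of every new process. %%1937 (TokenElevationTypeFull) means the process received the full
# admin token, i.e. the user went through UAC or was already running elevated.
# Standard users and SYSTEM get %%1936 (default) and are therefore excluded automatically.
$since = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue

$elevated = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['TokenElevationType'] -eq '%%1937') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['NewProcessName']
            Parent  = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
        }
    }
}

# Summarise per executable: how often it ran elevated and by how many distinct users.
# Executables with many users and many runs are the first candidates for an elevation rule;
# one-off launches by a single user are candidates for "no rule, ask the service desk".
$summary = $elevated | Group-Object Process | ForEach-Object {
    [pscustomobject]@{
        Process       = $_.Name
        ElevatedRuns  = $_.Count
        DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
        LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object ElevatedRuns -Descending

"Local Administrators on $env:COMPUTERNAME:"
$admins  | Format-Table -AutoSize
"Processes launched with a full admin token in the last $Days day(s):"
$summary | Format-Table -AutoSize
$summary | Export-Csv -Path $Report -NoTypeInformation
"Report written to $Report"
```

Run this across a representative sample of endpoints (or centralize the 4688 events first) before removing anyone from the Administrators group; the resulting list of executables is the input for the elevation rules, and the member list tells you whose accounts will change. If the elevated-process list is empty, check that process creation auditing is actually on rather than concluding that nobody needs elevation.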
Passwordless Administration Methods
Passwordless administration can come in a variety of forms and support zero trust architectures, software-defined perimeters, and change control best practices for any environment. Consider the following security controls:
- Zero Trust: All applications are denied by default unless explicitly allowed based on attributes, and the privileges for execution are strictly controlled. Detailed logging is provided for all privileged activity, and application privileges are elevated, never the end user’s, so that the control and data planes for zero trust remain completely separate.
- Software-Defined Perimeter: All applications and user privileges are controlled on the endpoint for maximum endpoint security. The software executing on the endpoint becomes hardened as part of your software security strategy. This includes controlling functions like blocking child processes and applying attribute-based context to application runtime (e.g., allowing an application to run while in the office, but blocking it when run at home or on a wireless network).
- Change Control: All application execution and modifications, including software updates, can be controlled with complete integration into an ITSM solution to ensure no inappropriate activity, unauthorized change, or malware infects the system.
- Reputation Services: Application control can be performed by attributes and verified against third-party sources and the origin of the executable to ensure that no malware is present.
If you consider all of these security controls together, it is possible to perform passwordless administration based on rules and policies for the operating system tasks and applications that need administrative rights. The key to implementing this strategy effectively is a universal approach to privileged access management. Management, information technology, and information security professionals must agree that no user should have local administrative rights and that all users should operate with standard user privileges. Then, policies and rules can be put in place to perform elevation for the proper tasks using industry-standard best practices for endpoint privilege management.
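To make the rule-and-policy model concrete, here is an added example (not code from the original post or from any PAM product) of the decision logic such an elevation rule set encodes: default deny, matching on attributes of the executable (its Authenticode publisher and install path) and on the device’s network context rather than on a file hash, an optional plain-text justification, and an audit record for every decision. The rule set, publisher names, log path and the `Get-ElevationDecision` / `Write-ElevationAudit` function names are assumptions made for illustration.

```powershell
# Added example: attribute-based elevation policy, evaluated on the endpoint.
# Assumed rule set. Publisher strings are the certificate Subject from the binary's
# Authenticode signature; the "Example Corp" rule and the log path are hypothetical.
$Rules = @(
    @{
        Name                 = 'Signed Windows admin tools on the corporate network'
        Publisher            = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
        PathPrefix           = 'C:\Windows\System32\'
        Networks             = @('DomainAuthenticated', 'Private')
        RequireJustification = $false
    }
    @{
        Name                 = 'Line-of-business updater (office only, justification required)'
        Publisher            = 'CN=Example Corp, O=Example Corp, C=US'
        PathPrefix           = 'C:\Program Files\Example\'
        Networks             = @('DomainAuthenticated')
        RequireJustification = $true
    }
)
$AuditLog = "$env:ProgramData\elevation-audit.jsonl"

function Get-ElevationDecision {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Justification = ''
    )
    # Attribute 1: publisher, taken from a *valid* Authenticode signature. Unsigned or
    # tampered binaries fail closed regardless of path, which is what a hash list cannot
    # express without being regenerated for every build.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Decision = 'Deny'; Rule = $null; Reason = "Signature status: $($sig.Status)" }
    }
    $publisher = $sig.SignerCertificate.Subject

    # Attribute 2: network context. No connection profile at all yields an empty list,
    # so a machine with no network matches no rule and is denied (fail closed).
    $networks = @((Get-NetConnectionProfile -ErrorAction SilentlyContinue).NetworkCategory | ForEach-Object { $_.ToString() })

    foreach ($r in $Rules) {
        $pathOk      = $Path.StartsWith($r.PathPrefix, 'OrdinalIgnoreCase')
        $publisherOk = ($publisher -eq $r.Publisher)
        $networkOk   = @($networks | Where-Object { $r.Networks -contains $_ }).Count -gt 0
        if (-not ($pathOk -and $publisherOk -and $networkOk)) { continue }

        if ($r.RequireJustification -and [string]::IsNullOrWhiteSpace($Justification)) {
            return [pscustomobject]@{ Decision = 'Deny'; Rule = $r.Name; Reason = 'Justification required but not supplied' }
        }
        return [pscustomobject]@{ Decision = 'Elevate'; Rule = $r.Name; Reason = 'Matched rule' }
    }
    # Default deny: nothing on the allow list matched.
    [pscustomobject]@{ Decision = 'Deny'; Rule = $null; Reason = 'No matching rule (default deny)' }
}

function Write-ElevationAudit {
    param([string]$Path, [string]$Justification, $Decision)
    # One JSON line per decision: who, what, where, outcome, and the justification that
    # stands in for the admin password in the audit trail.
    [pscustomobject]@{
        Time          = (Get-Date).ToString('o')
        Computer      = $env:COMPUTERNAME
        User          = "$env:USERDOMAIN\$env:USERNAME"
        Process       = $Path
        Decision      = $Decision.Decision
        Rule          = $Decision.Rule
        Reason        = $Decision.Reason
        Justification = $Justification
    } | ConvertTo-Json -Compress | Add-Content -Path $AuditLog
}

# Demonstration: a Windows-signed admin console under System32 matches the first rule on a
# domain or private network; the same request on a public hotspot is denied.
$request = 'C:\Windows\System32\mmc.exe'
$decision = Get-ElevationDecision -Path $request -Justification 'Adding a printer for the finance team'
Write-ElevationAudit -Path $request -Justification 'Adding a printer for the finance team' -Decision $decision
$decision | Format-List
```

The script only returns and records the decision. The actual elevation, launching the process with a modified access token while the user keeps a standard-user session, is what the endpoint privilege management agent performs; a standard user cannot do that natively, and calling `Start-Process -Verb RunAs` on an `Elevate` decision would reintroduce the UAC credential prompt this whole approach exists to remove.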
To learn how BeyondTrust’s PAM platform can enable you to implement passwordless administration, save on service desk costs, and lower enterprise-wide risk, contact us today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.