Passwordless Administration Explained

Passwordless administration is a simple concept with huge ramifications for securing an organization. Administrative tasks can be “trusted” to users and assets without provisioning additional credentials, and technology can work below the entitlement and privilege capabilities of the application and operating system to make them execute with the proper privileges necessary, including network authentication, for complete user transparency.

In this blog, I’ll cover the fundamentals of passwordless administration in a bit more detail, including why/when it’s needed, how it works, and how to implement it.

The Case for Passwordless Administration

The mushrooming quantity of administrative accounts with excessive privileges makes them an easy and favored target for threat actors. Each of these admin accounts is an attack vector that offers a successful attacker administrative capabilities over the entitlements to which the admin account is assigned.

Typically, administrative accounts are assigned with privileges en masse, since administrative functions are needed by end users all the way through true system, network, and database administrators—the accounts that often have access to the organization’s most valuable information (trade secrets, etc.).

Unfortunately, in many organizations, administrative accounts are also assigned to regular end users so they can add a printer, run a specific program, or even change network settings. All of these are valid use cases, administrative functions, and require administrator credentials to perform the tasks. The dilemma becomes how to remove administrative credentials from both personas to mitigate the risks from a threat actor targeting these accounts. The answer is relatively simple, passwordless administration. With privileged credentials implicated in 80% of breaches (according to Forrester Research), the elimination of privileged passwords wherever possible greatly reduces the threat surface.

Passwordless Administration Defined

Passwordless administration is a use case offered via Privileged Access Management (PAM). While PAM is traditionally thought of as privileged password and session management, endpoint least privilege, and secure remote access, passwordless administration bridges the gap across all three to allow any user to perform a specific administrative task without explicitly entering additional administrative account credentials. This is different than passwordless authentication, which provides a confidence formulated from user-based attributes or biometrics to approve an authentication request.

The concept of passwordless administration is generally linked to just-in-time (JIT) privileged access management, since the methods of applying passwordless administration can cover several technologies to temporarily elevate the user or the application (preferred method) for the specific requested task. In other words, in lieu of entering secondary administrative credentials for a task that requires elevation, the user is trusted based on context (or attributes) to run the application in an elevated state—without an additional challenge and response mechanism.

As an example, consider a user who has been authenticated on a resource. The authentication could be based on standard user credentials, multifactor authentication, single sign on, etc. The authentication confidence and context is important for granularity of permitted tasks, but in this case, just accept that the end user was authenticated to the resource and that they are not authenticating using administrative credentials.

When the end user (or administrator) attempts to execute a program, run a command, or make an operating system change, security best practices dictate they should not be permitted to continue without some form of challenge and response to prove they have administrative rights. This is typically performed by the end user supplying additional credentials, in the form of administrative credentials, authorizing them to perform the request action. This is common point of attack where a threat actor will home in to steal credentials.

So, what if the confidence of initial authentication is high and the requested task “just works” without the additional challenge and response? The user has already been proven to be who they say they are, and the resources they want to execute or modify on particular assets have been preapproved (even wild-carded) for them to interact with. That workflow is passwordless administration. Specific administrative functions are assigned to users and assets based on policies and using technology—the user operates as an administrator or root without entering secondary administrator credentials. In addition, in lieu of credentials, a simple justification in plain text may be requested and documented for privileged events to meet regulatory certification requirements for privileged activity.

Benefits of Passwordless Administration

Since, with passwordless administration, there is no need to enter administrative credentials to perform the admin functions, then there is no need to give any user (whether administrator or other user) administrative credentials to perform these tasks. Therefor, the credentials can be deleted or removed from your directory services, thereby eliminating a significant attack vector—and without impacting the user experience. That is a substantive benefit of passwordless administration--the combination of least privilege, administrative functions, remote access, and password management to perform administrative functions without the need for additional credentials. This also includes the elimination of shared credentials when the method to perform administrative tasks elevates applications (not users) using techniques like tokenization, which are fundamental to the conceps of just-in-time PAM. Again, the upshot is that there are ultimately no administrative passwords for a threat actor to steal.

How to Implement Passwordless Administration

Passwordless administration only requires two preliminary steps within any organization to move it from concept to reality:

Identify which tasks require administrative privileges to operate
Identify which users need to execute them.

Then, passwordless administration can be applied based on features available in many operating systems (albeit they are limited) or by deploying a privileged access management solution for your environment.

To learn how BeyondTrust’s PAM platform can enable you to implement passwordless administration, contact us today.

Morey J. Haber

Chief Technology Officer, Chief Information Security Officer, BeyondTrust

With more than 20 years of IT industry experience, and author of Privileged Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.

Up next

From July 9, 2019:

July 2019 Patch Tuesday

From July 13, 2019:

CVE-2014-3515 Update for Remote Support Users

You May Also Be Interested In:

Webcasts | February 04, 2020

Deconstructing Identity as a Cyberattack Vector

Webcasts | December 10, 2019

6 mitos del PAM - Separemos los hechos de la ficción...

Webcasts | December 04, 2019

Privileged Access Management Solutions

Products

Resources

Privileged Access Management (PAM) Checklist

On the Blog

News