Rules are made to be broken - IT security policy and controls

October 20, 2017


SMEs often manage without an IT security policy, and larger companies have one in their staff handbooks, but a policy without the controls to enforce it is of little value and is only useful for assigning blame when something inevitably goes awry.

IT departments often bring users’ attention to security policy by running training courses on induction day and at regular intervals throughout the year. While there’s some value in security training, it’s acknowledged by many professionals to have limited effect. There will always be users who put their own interests before company policy, or who simply fall prey to social engineering. Security training should be placed in the same camp as antivirus: something that is beneficial but ultimately has limited impact in securing endpoints. It may be more productive to place greater emphasis on security training for IT personnel, who frequently fail to understand the basics of the Windows security model, which in turn leads to security failures.

The SANS Institute has recently updated its 20 Critical Controls document, which is a useful starting point for any business that’s looking to reduce risk by deploying controls to enforce policy. It can also be used to improve or shape an IT policy if you don’t already have one in place. While SANS lists the controls in no particular order of importance, Control 8: Controlled Use of Administrative Privileges stands out as one that can bring many quick wins to an organization. SANS states, ‘The misuse of administrator privileges is a primary method for attackers to spread inside a target enterprise’, and continues by highlighting the basic principle of least privilege: administrator accounts should not be used for everyday work activities, such as browsing the web and reading emails. Control 8 can be used to limit the damage caused by users who install malware on endpoints and to reduce the risk of compromise from unpatched software vulnerabilities.

SANS also refers to Configuration/Hygiene, where IT staff should use a non-administrative account for support tasks on endpoints and only elevate privileges as required using the Windows Run as command. Importantly, this should also apply to outside service providers that have access to internal endpoints for support purposes. Control 8 can also be implemented to partially achieve successful deployment of some of the remaining critical controls listed by SANS, including:

Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Control 7: Application Software Security

Control 12: Malware Defenses

Control 15: Data Loss Prevention

Remember, when looking through the list of 20 Critical Controls, that those that address the root causes of security problems, such as malware getting installed on endpoints, will bring greater initial benefits than soft controls, such as Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps. Once you’ve identified the risks that are most likely to affect your company and forged suitable policies, don’t rely on user awareness training and antivirus software to ensure policy is adhered to. Employ suitable technologies, such as Windows 7 AppLocker, or third-party utilities, like Avecto, to control the use of administrative privileges and for application allow listing.
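A check of the kind the controlled use of administrative privileges calls for, added here as an example and not taken from the original post or from SANS: it lists members of the local Administrators group that are not on an approved list and warns if the checking session itself is elevated. The approved names, including the `CONTOSO` domain group, are constructed placeholders.

```powershell
# Added example: audit who holds local administrator rights on this endpoint.
# The approved names below are constructed placeholders, not from the article.

function Test-IsElevated {
    # True only when the current process token is elevated to Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedAdmin {
    param([Parameter(Mandatory)][string[]]$Approved)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the localized group name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (constructed entry)
    'CONTOSO\Workstation-Admins'         # hypothetical support group
)

if (Test-IsElevated) {
    Write-Warning "Session is elevated as $env:USERNAME; daily work should run unelevated."
}

$unapproved = @(Get-UnapprovedAdmin -Approved $approved)
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) unapproved member(s) of local Administrators:"
    $unapproved | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators membership matches the approved list.'
}
```

Run on a schedule across endpoints, a non-empty result is a policy violation that can be measured rather than a rule users are only trained to follow.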

Russell Smith

IT Consultant & Security MVP

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.

Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.
