Server Privilege Management Best Practices – Avoiding “Game Over”
October 12th, 2016
Does combatting cyber threats sometimes feel like a game of Donkey Kong?* No matter what you seem to throw at would-be infiltrators, they just keep bounding ever closer, undeterred. Until finally, they bust in somewhere and—BAM—GAME OVER.
True, hackers and malicious insiders typically aren’t storming through the front door, waving their arms and throwing barrels around. They sneakily pry their way into your network – maybe through a successful spear phishing attack – then they creep around undetected for months using known vulnerabilities and excessive admin or root privileges causing untold damage.
We’ve heard this script repeated over and over again. From this experience we know that the only way to prevent the lateral movement of attackers in your network is a multi-layered approach that includes:
- Eliminating unneeded accounts
- Keeping privileged credentials from floating around to begin with
- Limiting the commands that users can perform once they have access to a system
- Watching the activities of users when they have access to systems
For a complete list of best practices for securing the server, check out the white paper, Avoiding “Game Over” by Securing the Server via Privilege Management, by security expert and SANS Instructor, Dr. Eric Cole.
Putting the Principles Into Practice – Common Use Cases
Let’s take a look at how to put all this into practice – especially in a Unix & Linux server environment.
When users and admins need access to a system, a user account needs to be created on each host in order to provide system access for the user. Rights for these user accounts are often bloated and clean-up of accounts, along with their associated rights, often goes unchecked when an employee changes roles or leaves an organization. (You can probably see where there are opportunities to exploit this.)
So, reducing the number of accounts being created, controlling which servers those consolidated accounts can logon to, and what rights a user has after they have been authenticated is key. This way, user accounts can be created in one location, say, AD, with a user’s AD group membership controlling what servers that user can access and a centralized policy to tightly control and audit that user’s activities during each authenticated session.
Fine-Grained Control Over Stored Credentials
Traditional enterprise password management solutions provide limited privilege delegation capabilities. The controlled accounts often have excess privileges which are more susceptible to misuse and creates a larger attack surface should those accounts be compromised. Regardless whether an account password has been checked out or the session proxied via SSH to a Unix/Linux host, organizations need to closely control what a user can and cannot do once logged on is critical.
A centralized policy can be used to provide tight controls and additional auditing capabilities for accounts checked out from a password storage solution. This allows for the credential with the least amount of rights possible to be stored in the store, but allows for the added flexibility of one off, custom and edge case type commands to be run at any privilege level.
Advanced Control and Audit of Commands Down to the System Level
Auditing and controlling activity inside scripts and third-party applications in Unix and Linux systems has been difficult for many companies to achieve, especially when it is easy to “cheat” the system by pointing shortcuts to unapproved applications. A solution is needed to enhance system level control and audit capabilities over any application – regardless of how the application is initiated. This approach would help organizations control actual commands being processed and the actions at the system level removing the ability of command spoofing or altered key sequencing.
Session Monitoring, Logging and Reporting
Keystroke logging capabilities should include the ability to capture all session I/O. Session recording and real-time replay capability enhances this visibility with the sequence of events that reveals actions and outcomes more fully. This not only supports security and compliance requirements, but also aids in troubleshooting root cause issues when human actions impact business-critical performance, availability, or resource integrity.
This four-point plan not only has the potential to reduce your attack surface (and thereby risk), but help you also more efficiently meet the compliance requirements of segregation of duties and more required by a never-ending stream of regulations. The core benefits of such an approach include automation, visibility and proactive response to both traditional and advanced threats.
For more best practices for securing the server, check out the white paper, Avoiding “Game Over” by Securing the Server via Privilege Management, by security expert and SANS Instructor, Dr. Eric Cole.