Solved

generic AD accounts and security best practices.

Posted on 2016-08-08
Last Modified: 2016-08-27
We have an internal application, only accessible via our private network, that from time to time the local police authority require access to for safeguarding issues/investigations etc., which they are entitled to access. Due to the size of the police force and the number of officers who could request access, setting them up with an AD account each isn't really practical. As well, the requests for access can be urgent, and the SLA with our helpdesk requires 48 hours minimum for a new AD account, so that isn't always going to be practical either. The workaround was to create a generic AD account for them and disable it when not in use.

From a security/auditing perspective, our plan was to keep a separate audit log of when the generic AD account logged in, which police officer used it, times of login/logout, and records they requested access to. Can you think of anything else from an AD perspective we would need to do to ensure the login is restricted to only allow them to access this application? Or anything else you would add to the audit logs/process? Obviously the AD account would need to be very limited; is there anything in particular that you'd suggest around the account itself from a security best-practice perspective?
Question by:pma111
2 Comments
Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41747289
In fact, the audit trail should be no different from the user account management audit trails. Specifically for your use case, besides those audit trails suggested to be enabled (reference the CIS benchmark for hardening Windows systems), you can add granular audit under "Advanced Audit Policy Configuration" and others; see this reference on the list of settings: http://searchitchannel.techtarget.com/tip/Windows-7-audit-policies-user-privileges-configuration
Some salient ones for consideration include:
...for Policy Change
Audit MPSSVC Rule-Level Policy Change: The Microsoft Protection Service setting determines whether the OS generates audit events when changes are applied to policy rules for this service (used by the Windows Firewall). Activities tracked include policies active when the Windows Firewall service starts, changes to Windows Firewall rules, exception list, and settings, rules ignored or not applied and changes to Windows Firewall Group Policy settings.

..for Privilege Use
Audit Sensitive Privilege Use: Determines whether the OS generates audit events when sensitive privileges are used. Some examples include: Act as part of the OS, Back up files and directories, Create a token object and Debug programs.

..for System
Audit System Integrity: Determines whether the OS generates audit events when the integrity of the security subsystem may have been violated, including the following events: audited events lost owing to a failure of the auditing system; a process uses an invalid local procedure call to impersonate a client, reply to a client address space, or read from or write to a client address space; an RPC integrity violation is detected; a code violation with an invalid hash for an executable file is detected; or when cryptographic tasks are performed.

...for Global object access
File System: Enables administrators to configure a global SACL on the file system for an entire computer. If both a file and folder SACL are defined, the effective SACL may be determined by combining the file or folder SACL and the global SACL, where an audit event is generated if an activity matches any of the file, folder or global SACL.
Registry: Enables administrators to configure a global SACL on the registry for a computer, where selecting the Configure security checkbox lets admins add a user or a group to the global SACL. Must be used in tandem with the Registry security policy setting under object access.
You should also look for any other remote access to the host machine authorised for the 3rd-party entities; it should not differ. Some may even have a "keylogger" installed in those host machines to access remotely.

For holistic oversight of privileged account or 3rd-party account access and rights granted over time or during ad hoc request periods, it is suggested having a centralised oversight system such as a "jumphost" to enforce such privileged identity management. For example, in this use case, the Police entities will be given an account and provisioned for on-demand purposes to access the application system. Specifically, there are already such PIMS, e.g. Suite includes On-Demand Privileges Manager, which records detailed command-level activity performed so that you can better track those session activities for security auditing and forensic purposes, if required. Check out the latest report by the research company
"Beyond multifactor authentication (MFA) and security assertion markup language (SAML) compatibility, a PIM solution needs to be able to do four things: 1) provide its own, web-based channel for access; 2) provide its own, tamperproof password safe (credential storage); 3) spawn, monitor, and intercept privileged Windows and Linux sessions (privileged session monitoring, or PSM); and 4) control privilege escalation on the endpoint (such as sudo replacement and revoking administrative rights on Windows from end users)"
(pdf)
http://softprom.com/sites/default/files/materials/ar-forrester-pim-wave-07-08-16-en.pdf
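As an added example (not code from the thread or from any product named in it), the following PowerShell script shows one way to put the question's restrictions on the shared account and to keep the separate audit trail the asker describes, using the audit subcategories the accepted answer lists. The account name svc-police-generic, the host APP-SERVER01, the officer identifier and the CSV path are all hypothetical placeholders; it assumes a domain-joined admin host with the ActiveDirectory RSAT module, and auditpol must run elevated on the host whose Security log is being read.

```powershell
# Added example, not from the original thread. All names below are constructed.
Import-Module ActiveDirectory

$Account   = 'svc-police-generic'          # hypothetical shared account
$AppServer = 'APP-SERVER01'                # hypothetical application host
$LogPath   = 'C:\Audit\generic-account-log.csv'   # hypothetical audit log

# --- 1. Restrict the account itself ---------------------------------------
# Only allow logon from the application host, and document the account's purpose.
Set-ADUser -Identity $Account -LogonWorkstations $AppServer `
    -Description "Shared police access; disabled when not in use; log: $LogPath" `
    -PasswordNeverExpires $false

# Each enablement gets a hard expiry, so a forgotten account disables itself.
function Enable-GenericAccess {
    param([string]$Identity, [string]$Requester, [int]$Hours = 8)
    $expires = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $Identity -DateTime $expires
    Enable-ADAccount -Identity $Identity
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Action    = 'enabled'
        Account   = $Identity
        Requester = $Requester        # which officer asked, recorded by the helpdesk
        ExpiresAt = $expires.ToString('o')
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

function Disable-GenericAccess {
    param([string]$Identity, [string]$Requester)
    Disable-ADAccount -Identity $Identity
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Action    = 'disabled'
        Account   = $Identity
        Requester = $Requester
        ExpiresAt = ''
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# --- 2. Enable the Advanced Audit Policy subcategories from the answer ----
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable

# --- 3. Pull this account's logon/logoff events for the audit log ---------
function Get-GenericAccountSessions {
    param([string]$Identity, [string]$ComputerName, [datetime]$Since)
    # 4624 = successful logon, 4625 = failed logon, 4634/4647 = logoff.
    $xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647)]" +
             " and EventData[Data[@Name='TargetUserName']='$Identity']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath |
        Where-Object { $_.TimeCreated -ge $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Timestamp = $_.TimeCreated.ToString('o')
                EventId   = $_.Id
                Account   = $Identity
                LogonType = $data['LogonType']   # 2 = interactive, 10 = RDP, etc.
                SourceIp  = $data['IpAddress']
                Host      = $ComputerName
            }
        }
}

# Usage for one access request (constructed officer reference):
$start = Get-Date
Enable-GenericAccess -Identity $Account -Requester 'officer-ref-0001 (constructed)'
# ... officer works on the application ...
Disable-GenericAccess -Identity $Account -Requester 'officer-ref-0001 (constructed)'
Get-GenericAccountSessions -Identity $Account -ComputerName $AppServer -Since $start |
    Export-Csv -Path $LogPath -Append -NoTypeInformation
```

The enable/disable records and the Security-log events land in the same CSV, so each officer's request can be matched against the actual logon type, source address and time on the application host; a logon from anywhere other than the application host, or a 4625 failure burst while the account is meant to be disabled, is then easy to spot when the log is reviewed.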

Expert Comment

by:btan
ID: 41772818
The proposed audit coverage is included as part of oversight, and, importantly, the use of privileged identity management to centrally oversee 3rd-party access administration is good security practice to deter and detect early signs of abuse by administrators.
