Solved

generic AD accounts and security best practices.

Posted on 2016-08-08
70 Views
Last Modified: 2016-08-27
We have an internal application, only accessible via our private network, that from time to time the local police authority requires access to for safeguarding issues/investigations etc., which they are entitled to access. Due to the size of the police force, and the number of officers who could request access, setting them up with an AD account each isn't really practical. Also, the requests for access can be urgent, and the SLA with our helpdesk requires 48 hours minimum for a new AD account, so that isn't always going to be practical either. The workaround was to create a generic AD account for them and disable it when not in use.

From a security/auditing perspective, our plan was to keep a separate audit log of when the generic AD account logged in, which police officer used it, times of login/logout, and the records they requested access to. Can you think of anything else from an AD perspective we would need to do to ensure the login is restricted to only allow them to access this application? Or anything else you would add to the audit logs/process? Obviously the AD account would need to be very limited; is there anything in particular you'd suggest around the account itself from a security best practice perspective?
Question by:pma111
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41747289
In fact, the audit trail should be no different from the user account management audit trails. Specifically for your use case, besides those audit trails suggested to be enabled (reference the CIS benchmark for hardening Windows systems), you can add granular audit settings under "Advanced Audit Policy Configuration" and others - see this reference on the list of settings: http://searchitchannel.techtarget.com/tip/Windows-7-audit-policies-user-privileges-configuration
Some salient ones for consideration include:
...for Policy Change
Audit MPSSVC Rule-Level Policy Change: The Microsoft Protection Service setting determines whether the OS generates audit events when changes are applied to policy rules for this service (used by the Windows Firewall). Activities tracked include policies active when the Windows Firewall service starts, changes to Windows Firewall rules, exception list, and settings, rules ignored or not applied and changes to Windows Firewall Group Policy settings.

...for Privilege Use
Audit Sensitive Privilege Use: Determines whether the OS generates audit events when sensitive privileges are used. Some examples include: Act as part of the OS, Back up files and directories, Create a token object and Debug programs

...for System
Audit System Integrity: Determines whether the OS generates audit events when the integrity of the security subsystem may have been violated, including the following events: audited events lost owing to a failure of the auditing system; a process uses an invalid local procedure call to impersonate a client, reply to a client address space, or read from or write to a client address space, an RPC integrity violation is detected, a code violation with an invalid hash for an executable file is detected or when cryptographic tasks are performed.

...for Global object access
File System: Enables administrators to configure a global SACL on the file system for an entire computer. If both a file and folder SACL are defined, the effective SACL may be determined by combining the file or folder SACL and the global SACL, where an audit event is generated if an activity matches any of the file, folder or global SACL.
Registry: Enables administrators to configure a global SACL on the registry for a computer, where selecting the Configure security checkbox lets admins add a user or a group to the global SACL. Must be used in tandem with the Registry security policy setting under object access.
You should also look for any other remote access to the host machine authorised for the 3rd party entities - it should not differ. Some may even have a "keylogger" installed on those host machines to access remotely.

For holistic oversight of privileged account or 3rd party account access and rights granted over time or during ad hoc request periods, it is suggested to have a centralised oversight system such as a "jumphost" to enforce such privileged identity management. For example, in this use case, the Police entities will be given an account and provisioned for on-demand purposes to access the application system. Specifically, there are already such PIMS; for e.g. Suite includes On-Demand Privileges Manager, which records detailed command-level activity performed so that you can better track those session activities for security auditing and forensic purposes, if required. Check out the latest report by the research company:

"Beyond multifactor authentication (MFA) and security assertion markup language (SAML) compatibility, a PIM solution needs be able to do four things: 1) provide its own, web-based channel for access; 2) provide its own, tamperproof password safe (credential storage); 3) spawn, monitor, and intercept privileged Windows and Linux sessions (privileged session monitoring, or PSM); and 4) control privilege escalation on the endpoint (such as sudo replacement and revoking administrative rights on Windows from end users)"

(pdf)
http://softprom.com/sites/default/files/materials/ar-forrester-pim-wave-07-08-16-en.pdf
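An added example (mine, not btan's or the asker's) that puts the two halves of this thread together in PowerShell: a time-boxed "checkout" of the generic account that records the named officer and case reference in the separate audit log the asker plans, restricts the account to the application host, and enables the audit subcategories listed above with auditpol; the account name, host name and log path are assumptions.

```powershell
# Added example, not code from the thread. Assumed names: account 'svc-police-app',
# application host 'APPSRV01', checkout log 'C:\Audit\generic-account-checkout.log'.
Import-Module ActiveDirectory

$Account = 'svc-police-app'                          # assumed generic account name
$AppHost = 'APPSRV01'                                # assumed: the only host it may log on to
$Log     = 'C:\Audit\generic-account-checkout.log'   # assumed: append-only, readable by auditors

function Enable-GenericCheckout {
    param(
        [Parameter(Mandatory)][string]$OfficerName,  # the real person behind the shared login
        [Parameter(Mandatory)][string]$CaseRef,      # safeguarding / investigation reference
        [int]$Hours = 4                              # AD expires the account after this window
    )
    $Expires = (Get-Date).AddHours($Hours)
    # New random password on every checkout, so an earlier borrower cannot reuse it later
    $Password = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword $Password
    # Limit logon to the application host and let AD enforce the end of the window
    Set-ADUser -Identity $Account -LogonWorkstations $AppHost
    Set-ADAccountExpiration -Identity $Account -DateTime $Expires
    Enable-ADAccount -Identity $Account
    # Checkout record: who is using the account, why, until when, and which admin approved it
    $Entry = [ordered]@{ time = (Get-Date).ToString('o'); action = 'checkout'; account = $Account
        officer = $OfficerName; caseRef = $CaseRef; expires = $Expires.ToString('o'); approvedBy = $env:USERNAME }
    Add-Content -Path $Log -Value ($Entry | ConvertTo-Json -Compress)
    return $Password   # hand over through the agreed out-of-band channel
}

function Disable-GenericCheckout {
    # Return the account to its default state: disabled, no expiry left behind
    Disable-ADAccount -Identity $Account
    Clear-ADAccountExpiration -Identity $Account
    $Entry = [ordered]@{ time = (Get-Date).ToString('o'); action = 'return'; account = $Account; closedBy = $env:USERNAME }
    Add-Content -Path $Log -Value ($Entry | ConvertTo-Json -Compress)
}

# Audit subcategories named in the accepted answer, enabled on the application host
$Subcategories = 'MPSSVC Rule-Level Policy Change', 'Sensitive Privilege Use', 'System Integrity', 'File System', 'Registry'
foreach ($s in $Subcategories) { auditpol /set /subcategory:"$s" /success:enable /failure:enable }

# Reconciliation: actual logons of the account (event 4624; TargetUserName is property 5,
# IpAddress is property 18) to compare against the checkout entries in $Log
$Logons = Get-WinEvent -ComputerName $AppHost -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { $_.Properties[5].Value -eq $Account } |
    Select-Object TimeCreated, @{ n = 'Source'; e = { $_.Properties[18].Value } }
```

Any 4624 for the account outside a logged checkout window, or from a source other than the application host, is the discrepancy the separate audit log exists to surface.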
LVL 64

Expert Comment

by:btan
ID: 41772818
The proposed audit coverage is included as part of oversight, and, also importantly, the use of privileged identity management to centrally oversee 3rd party access administration is good security practice to deter and detect early signs of abuse by an administrator.
