Solved

Administration Elevation (best practice and why elevate)

Posted on 2016-08-30
Last Modified: 2016-09-18
Can anyone point me towards the best practice in elevating permissions for IT engineers? I am sure there is documentation out there on this and would appreciate pointers.

1) why not provide engineer accounts with Admin rights (or not)
2) why have secondary accounts with additional permissions

By using elevated permissions does this have added security in the event a laptop is lost (they then cannot reverse engineer the administration logon details)?

Many thanks
Question by:ncomper
4 Comments
 
LVL 87

Accepted Solution

by:
rindi earned 200 total points (awarded by participants)
ID: 41776106
It should be pretty straightforward and clear. Never use a PC logged on with an account that has admin rights. If you do that the chances are higher that malicious code can be executed and the user doesn't know. Besides that, if the user forgets to log off when he leaves the PC for a short period, and the screensaver hasn't yet come on, someone else can easily use that admin account to harm the system. With UAC you can easily use the other account that has Admin rights to do things that need elevated rights.

If the laptop is stolen the account type won't help to keep the crooks from your data. For that you need other things. For example use a BIOS password so that you can only start the laptop if the correct password is used then. Those passwords can't be reset without knowing them, or without the help of the laptop manufacturer, and then they require proof of ownership. This makes the PC useless and unsellable to the crooks.

Also set the HD password via the BIOS. That makes the disk useless to anyone who doesn't know that password. These passwords can't be reset even if you have proof of ownership or via the manufacturers. You need to know the password to reset it.

Use disk encryption. That way, even if the BIOS and HD passwords get reset because the thief either knows them, or via trial and error, he won't be able to read the data on the disk.
LVL 61

Assisted Solution

by:btan
btan earned 200 total points (awarded by participants)
ID: 41776213
It is about adopting cyber hygiene, which in this case means adhering to the least-privilege principle: in short, only give what is required for the role to function effectively and with optimal efficiency, at best. Indeed there is documentation for limiting privileges, such as:
Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege. Broad privileges are rights and permissions that allow an account to perform specific activities across a large cross-section of the environment, for example, Help Desk staff may be granted permissions that allow them to reset the passwords on many user accounts.

Deep privileges are powerful privileges that are applied to a narrow segment of the population, such as giving an engineer Administrator rights on a server so that they can perform repairs. Neither broad privilege nor deep privilege is necessarily dangerous, but when many accounts in the domain are permanently granted broad and deep privilege, if only one of the accounts is compromised, it can quickly be used to reconfigure the environment to the attacker's purposes or even to destroy large segments of the infrastructure.
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

Granting of excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure. This also includes the use of the "Enterprise Admin" group, by default, members of the built-in Administrators group in each domain in the forest
When EA access is required, the users whose accounts require EA rights and permissions should be temporarily placed into the Enterprise Admins group. Although users are using the highly privileged accounts, their activities should be audited and preferably performed with one user performing the changes and another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should be removed from the EA group. This can be achieved via manual procedures and documented processes, third-party privileged identity/access management (PIM/PAM) software, or a combination of both.
We should really review the role and the additional needs defined for the Engineer role, such as identifying and reviewing (in reference to best practice):

1. Which tasks members of the role perform on a day-to-day basis and which tasks are less frequently performed.
2. On which systems and in which applications members of a role should be granted rights and permissions.
3. Which users should be granted membership in a role.
4. How management of role memberships will be performed.

This is also why the management and oversight of privileged users (if Engineer is admin or given more rights as required) needs safeguards to be in place first. It may be just for ad-hoc purposes instead of the permanent "super admin".

• Credential "vaults," where passwords for privileged accounts are "checked out" and assigned an initial password, then "checked in" when activities have been completed, at which time passwords are again reset on the accounts.
• Time-bound restrictions on the use of privileged credentials
• One-time-use credentials
• Workflow-generated granting of privilege with monitoring and reporting of activities performed and automatic removal of privilege when activities are completed or allotted time has expired
• Replacement of hard-coded credentials such as user names and passwords in scripts with application programming interfaces (APIs) that allow credentials to be retrieved from vaults as needed
• Automatic management of service account credentials
0
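The temporary group membership and time-bound privilege described in the answer above, as an added PowerShell example that is not part of any poster's answer or of the quoted Microsoft guidance. It assumes the RSAT ActiveDirectory module, a session in the forest root domain, and the Active Directory "Privileged Access Management Feature" optional feature enabled (Windows Server 2016 forest functional level); the function names and the account `adm-jdoe` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Groups whose permanent ("standing") membership should be kept close to empty.
$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators'

function Get-PrivilegedMembership {
    # Lists every member of the privileged groups and marks whether the
    # membership is permanent or expires on its own.
    param([string[]]$Group = $PrivilegedGroups)

    foreach ($g in $Group) {
        # -ShowMemberTimeToLive returns time-bound members as "<TTL=seconds>,<DN>"
        $adGroup = Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive
        foreach ($m in $adGroup.member) {
            if ($m -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{
                    Group     = $g
                    Member    = $Matches[2]
                    Standing  = $false
                    ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
                }
            }
            else {
                [pscustomobject]@{
                    Group     = $g
                    Member    = $m
                    Standing  = $true
                    ExpiresIn = $null
                }
            }
        }
    }
}

function Grant-TemporaryPrivilege {
    # Adds a secondary admin account to a group for a limited time;
    # the directory removes the membership itself when the TTL runs out.
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Group,
        [ValidateRange(1, 480)][int]$Minutes = 60
    )
    Add-ADGroupMember -Identity $Group -Members $Account `
        -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

# Permanent members are the review list: each one is a candidate for removal.
Get-PrivilegedMembership | Where-Object Standing | Format-Table Group, Member

# Hypothetical grant for one change window, instead of a permanent add:
# Grant-TemporaryPrivilege -Account 'adm-jdoe' -Group 'Enterprise Admins' -Minutes 120
```

Running the report on a schedule and comparing it with the previous run gives the audit trail for group changes that the answer calls for.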
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 100 total points (awarded by participants)
ID: 41776223
1) why not provide engineer accounts with Admin rights (or not)

After 15 years of working with this, it is never correct to make users into Administrators.

Pick one in the group to install software and make Windows Updates automatic.