One of the most dangerous threats to IT security is abuse of privileged access. Preventing the exploitation of administrator privileges first requires knowing who has administrator access, whether local or domain-based. This is not only good practice but is also driven by many security standards.
One such compliance standard is the Payment Card Industry Data Security Standard (PCI DSS), which sets out many security requirements to protect consumers' credit card data. Requirement 8.5.1 states: "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", which clearly identifies the need to monitor and maintain control of the administrators group.
The Center for Internet Security (CIS) releases security configuration guidelines for each operating system. For Windows 7, section 1.8 defines User Rights and which users should have access to certain system capabilities. The key to the user rights defined by CIS is which users are in the administrators group. Similar to the CIS security configuration guidelines, the United States Government Configuration Baseline (USGCB) also defines several security rules around user rights.
Domain administrator accounts in a Windows Active Directory environment are often the main focus of account auditing. This is a reasonable starting point, as Domain Admins have access to Group Policy Objects (GPOs), domain utilities, and many assets, since they are often members of local administrators groups. One of the challenges in monitoring domain groups is quickly and regularly identifying who has access, because of nested groups and frequent account changes. Nested groups are problematic because one must identify accounts that gain access through a group that is itself granted access by membership in another Active Directory group. Additions and deletions of accounts can occur frequently and be missed by manual audits.
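To make the nested-group problem concrete, the following PowerShell script (an added example, not code from the article or from the Arellia product) expands a domain group, follows nested groups, and records the chain of groups through which each account is effectively a member. It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership in a single domain, and that 'Domain Admins' is the group being audited.

```powershell
# Added example (not from the original article): expand a domain group, following
# nested groups, and record the chain of groups through which each account is a member.
# Assumes the RSAT ActiveDirectory module and read access to group membership in one domain.
Import-Module ActiveDirectory

function Resolve-NestedGroupMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [string[]]                        $Path = @()
    )
    # Circular nesting (A contains B, B contains A) would recurse forever;
    # stop when a group already appears on the current path.
    if ($Path -contains $GroupName) { return }
    $currentPath = $Path + $GroupName

    foreach ($member in Get-ADGroupMember -Identity $GroupName) {
        if ($member.objectClass -eq 'group') {
            # Recurse into the nested group, carrying the membership path along,
            # so an account reached through several groups is reported once per path.
            Resolve-NestedGroupMembers -GroupName $member.SamAccountName -Path $currentPath
        } else {
            [pscustomobject]@{
                Account     = $member.SamAccountName
                ObjectClass = $member.objectClass      # user, computer, msDS-GroupManagedServiceAccount, ...
                Via         = ($currentPath -join ' > ')
            }
        }
    }
}

# Report every principal that is effectively a Domain Admin and how it got there.
$effective = Resolve-NestedGroupMembers -GroupName 'Domain Admins'
$effective | Sort-Object Account, Via | Format-Table -AutoSize

# Accounts whose 'Via' column has more than one group are the ones a flat look at
# the group's direct members (or a manual audit) would miss.
```

Get-ADGroupMember has a -Recursive switch that returns the flattened membership, but it discards the path; keeping the path is what lets an auditor explain why a given account holds the privilege and which nested group to fix.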
Unfortunately, auditing of administrator access too often focuses on Active Directory resources and neglects administrator access on individual systems. This is understandable, as local systems can take a lot of time to audit without a scalable, automated tool. Too often, systems share the same local administrator account name and password, making it easy for anyone who knows the credentials to access any of those systems. The same can happen through a malicious intrusion if a local account's password is cracked and the credentials are reused to access other systems. Finally, there is the challenge of administrators or end users creating additional local administrator accounts, exposing those systems to unapproved access.
If administrator account discovery does not happen regularly, there is no way of knowing whether users have added themselves or others to the administrators group. Not knowing the current state of administrator access can lead to failed security audits and leaves privileges open to exploitation.
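The local-system side of the audit described in the two paragraphs above can be automated in the same way. The following PowerShell script is an added example (not code from the article or from the Arellia product): it enumerates the local Administrators group on a list of systems in one remoting pass, compares each system against an approved baseline, flags members that are not approved (including extra local accounts) and approved members that are missing, and writes a timestamped snapshot so successive runs can be compared. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), PowerShell Remoting enabled, and that the computer names, group names and report path are placeholders.

```powershell
# Added example (not from the original article): audit the local Administrators group
# across several systems against an approved baseline. Computer names, approved
# principals and the report path are placeholders; adjust them for your environment.
$targets  = @('WS01', 'WS02', 'SRV-FILE01')      # placeholder computer names
$approved = @(                                    # placeholder approved baseline
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)
$reportPath = 'C:\Audit\LocalAdmins-{0}.json' -f (Get-Date -Format 'yyyyMMdd-HHmm')

# Collect the members of the local Administrators group from every target in one pass.
# Unreachable hosts produce remoting errors, which are suppressed here and reported below.
$results = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member          = $_.Name              # e.g. CONTOSO\Domain Admins or WS01\backupsvc
            ObjectClass     = $_.ObjectClass       # User or Group
            PrincipalSource = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            Sid             = $_.SID.Value         # serialized as a plain string
        }
    }
}

$findings = foreach ($computer in $targets) {
    # Invoke-Command stamps each returned object with the name it was collected from.
    $members = @($results | Where-Object PSComputerName -eq $computer)
    if ($members.Count -eq 0) {
        [pscustomobject]@{ Computer = $computer; Finding = 'Unreachable'; Member = $null }
        continue
    }
    foreach ($m in $members) {
        # The built-in Administrator account always has a RID of 500, even if renamed;
        # it is expected, so only other local accounts and unapproved domain principals are flagged.
        $isBuiltInAdmin = ($m.PrincipalSource -eq 'Local') -and ($m.Sid -like '*-500')
        if (-not $isBuiltInAdmin -and ($m.Member -notin $approved)) {
            $finding = if ($m.PrincipalSource -eq 'Local') { 'ExtraLocalAccount' } else { 'Unapproved' }
            [pscustomobject]@{ Computer = $computer; Finding = $finding; Member = $m.Member }
        }
    }
    # A missing approved entry usually means someone removed the central admin group.
    foreach ($a in $approved) {
        if ($a -notin $members.Member) {
            [pscustomobject]@{ Computer = $computer; Finding = 'MissingApproved'; Member = $a }
        }
    }
}

$findings | Sort-Object Computer, Finding | Format-Table -AutoSize

# Keep a snapshot of the raw membership so the next run can be diffed against this one.
$results | Select-Object PSComputerName, Member, ObjectClass, PrincipalSource, Sid |
    ConvertTo-Json -Depth 3 | Set-Content -Path $reportPath
```

Run it on a schedule and compare the snapshots with Compare-Object to see additions and removals between runs; the 'ExtraLocalAccount' finding is the case the text describes where an administrator or end user has created an additional local administrator account.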
Arellia Local Security Solution enables IT administrators to monitor local users and groups and domain users and groups, as well as to audit domain groups. Arellia can also help IT administrators maintain compliance by continually enforcing group membership. By combining administrator group discovery, membership enforcement, and randomization of the local administrator password, organizations stay compliant with security standards and secure against these threats.