topic Re: Best Practices for privileged account on laptops in Tech Talk

Best Practices for privileged account on laptops

Ramon — Fri, 23 Mar 2018 12:27:27 GMT

At our company we've implemented a new security policy for our engineers. The engineers use their laptop as a Swiss army knife, the develop code install software and read their company mail on the device.

In the days where the domain account of the engineer was also a local admin, our engineers where happy and content with the policy. Due to mal- and ransomware we started a proof of concept where we changed to a local named admin account to do the programming and installing, and a domain account to access e-mail, ERPand office via Citrix.

In my opinion this is an acceptable solution, this is our normal 'modus operandi' at the IT department, if we need to install something we use the 'runs as...' command.

But you guessed it: Our engineers are not happy with the new policy. So what do you recommend? Have you encountered the same issues and how did you resolve those?

Re: Best Practices for privileged account on laptops

Shannon — Fri, 23 Mar 2018 15:05:37 GMT

Restricting rights to a local administrative account may reduce the risk to the system due to compromise at the domain level, but it definitely has its drawbacks, including: -

Decentralized control and management
Management of multiple local accounts

Assuming the benefits aren't justified, wouldn't it make more sense to implement / enforce adequate controls in an existing system & its constituents --- rather than change the architecture?

Re: Best Practices for privileged account on laptops

Early_Adopter — Sat, 24 Mar 2018 10:18:08 GMT

Turning this around.

You might consider turning that around and having your Engineers remote onto an environment that was a secured sandbox with some systems types had permissions on for developing their code.

Thn have them use their laptop effectively as an appliance that they use without permissions to access corporate email, do their admin etc and if essential scour the internet for lolcats...

It would probably make them even less happy, but would allow you to secure a lot of aspects of the dev systems more thoroughly, bubble them up in a few layers, monitor well, and you could always sweeten the deal by providing them some powerful dev platforms that are quick to compile etc.

there are a host of solutions and work rounds such as PAM, 2FA, jump boxen, isolation and hardening (Developers really like tthis last one...) that you can employ as well as restricting accounts.

To riff on @Shannon It does seem to me that by using a local account on a laptop you lose a lot of context on user behaviour and if it’s compromised you don’t have as much visibility into its authentication centrally so by running it like this you might give an attacker a system they can persist on Long tiers while studying and waiting to pivot to some new credentials.

Re: Best Practices for privileged account on laptops

HackneyB78 — Sun, 25 Mar 2018 13:41:27 GMT

I've seen your approach used and I consider it a good compromise. Non privileged daily use account and a separate local admin (or admin of a set of systems) for software installs and configuration changes.

Many benefits .. entering a new password is quick, admin account is never left logged in. Email and primary tools on one system which helps productivity. PCI DSS requires this type of setup and this fact could be motivation for end users.

Offering users separate terminal servers / jump servers works too but then you run into having to provide the same custom hardware they would enjoy on their PC.

Re: Best Practices for privileged account on laptops

mgoblue93 — Sun, 25 Mar 2018 17:51:14 GMT

As a software developer, and someone who has led teams of software developers, I wouldn't be happy about this either. Ha!

My laptop is indeed my swiss army knife.

But I do have to say, in my experience, I haven't had problems with staff and malware because they had admin rights. Generally, they're doing legit work and visiting legit sites on their laptops.

1. Are you sure this is a technical problem? If someone is downloading crap on their work resources, I would say that's a performance management problem -- they're violating their EULA and/or SLA.

2. A good technical solution is to virtualize the development environment. Have a development environment template which the developer deploys based upon their needs. They have root access to only the guest (which makes them happy) but not the host (which makes YOU happy). If the guest ever gets hosed, you just delete it and the developer redeploys from template.

Re: Best Practices for privileged account on laptops

Early_Adopter — Sun, 25 Mar 2018 18:20:08 GMT

@mgoblue93

Yeah it’s poor to lose capability - not nice... but you can better control what people can do from virtuliaed/ constrained HW. On the compliance it think quite often the dev will be targeted from a site they legitimately use - waterholing/ phishing etc. Social engineering is much easier if they are an admin.

Re: Best Practices for privileged account on laptops

Deyan — Mon, 26 Mar 2018 10:15:07 GMT

I believe that here again you need to compare security vs performance and comfort of staff.

In my opinion which is mostly leaning towards security - I would not allow local admin accounts on laptops that are known and usable by the personnel. Network accounts should be used for both administrative and user functions - separated and provided to the relevant employees based on their role.

Assuming a company has policy towards acceptable IT use, internet/mail usage, desktop/laptop computing - I would say that the admin privileges on the laptops for the normal users (developers or whoever) could only introduce risks for them to breach any of the policies.

I am not sure why a developer is "happy" when they have privileges to modify the registry keys under Windows for example... but I definitely see risk in having privileged beyond your job requirements.

My opinion is that company's policies should be enforced to the most possible extend via the technology and if for example - compliance to the acceptable use policy requires that admin rights are removed from employees - then do it - explain to them that even if they had admin rights - the would be breaching company policy if they perform prohibited functions. Sorry if this sounds unrealistic to you but I believe that's how it should work...

Re: Best Practices for privileged account on laptops

Shannon — Mon, 26 Mar 2018 11:14:42 GMT

I agree with @Deyan, about an organization's policies being the deciding factor --- If what you're doing isn't an exception, it's a violation...

@mgoblue93 virtualization would be a good solution so long as the host doesn't have processor vulnerabilities like Spectre & Meltdown, which allow compromise of a host from its virtual systems, else a lot of VMs might be be impacted if the host itself gets affected...

Re: Best Practices for privileged account on laptops

Ramon — Mon, 26 Mar 2018 13:59:03 GMT

See if understand both comments.

Don't take technical measures but translate those measures into a Policy and steer on behavior.

Do not hide the cookie jar, but tell them it's not allowed to eat cookies, and leave the cookie jar on the shelf. Correct?

Re: Best Practices for privileged account on laptops

Deyan — Mon, 26 Mar 2018 14:09:16 GMT

Hey Ramon,

Actually it is - have your policies and use the technology you have to enforce them. If you do not allow eating of cookies - hide them.... if that makes sense...

Looking at your comment - I'd say that the positioning is wrong.

1st is the law - "dont eat cookies" then it the distribution of controls to ensure that wont happen - hide the cookies, lock the jar, put a guard to stay next to them..... whatever

in this case - the developers have the cookies right in front of them - if the company does not allow eating them - it should hide them.... not leave the cookies right in front of them and rely only on the policy.... - hope that makes sense.... Security Technology is only there to help organizations enforce their policies (written or not)

Re: Best Practices for privileged account on laptops

Shannon — Mon, 26 Mar 2018 14:25:32 GMT

Let me correct / clarify both of your statements @Ramon

'Don't take technical measures but translate those measures into a Policy and steer on behavior.'

Correction: Don't take extreme technical measures if costs outweigh benefits, but ensure that your control measures comply with the organisation's policy, and adequately enforce the policy.

'Do not hide the cookie jar, but tell them it's not allowed to eat cookies, and leave the cookie jar on the shelf.'

Correction: Continue to eat cookies, but also ensure the following: -

The cookie jar is kept tightly closed
The cookie jar is kept in a locked cabinet
There's a curtain covering the cabinet
There's a sign on the cookie jar warning people not to take the cookies
The cookie jar is regularly checked to make sure the cookies aren't touched
There's a pet dog that growls when anyone goes for the cookies

As controls, there are preventive controls (1, 2 & 3), deterrent controls (4) and detective controls (5 & 6)

Re: Best Practices for privileged account on laptops

mgoblue93 — Mon, 26 Mar 2018 14:33:44 GMT

> On the compliance it think quite often the dev

> will be targeted from a site they legitimately

> use - waterholing/ phishing etc. Social

> engineering is much easier if they

> are an admin

I hear this kind of reply a lot.

I respectfully shake my head. That's a process or management-type response.

A dev is not targeted any more or any less than any other role in the organization. And the notion of being an admin is a straw man argument. Why? Two words: Microsoft Outlook. Anyone in the organization can open a link, other than the devs, and potentially do just as much damage as the devs.

Before reading on though, please note, I AM NOT advocating for a lack of controls or a development environment that is a free-for-all.

I disagree because people are losing sight of and the understanding of the difference between supported and supporting roles.

1. A business is in business to make money.

2. Q. Does the software product or does the system administration bring in the money? A. Of course the software development end product is the revenue source.

Therefore, software developers are the supported role and system administration is supporting of the software developers. NOT the other way around.

Now, if a software developer is loading malware on the system, they should be taken out back and flogged. Especially doing something like that in this day and age.

But that's a personnel control and not a technical one.

For the technical, that's why I provided my idea. I'm sure there are many other ways to help the OP out. But developers need to have the freedom to download and install stuff for prototyping and testing purposes. Submitting baseline change requests to SAs all the time is not efficient nor a practical way of doing business.

The SAs need to have some control over the enterprise so they can manage and protect it. That's why isolating an environment is a win-win for everyone.

Re: Best Practices for privileged account on laptops

mgoblue93 — Mon, 26 Mar 2018 14:38:49 GMT

@Shannon

> virtualization would be a good solution so long as the host

> doesn't have processor vulnerabilities like Spectre &

> Meltdown, which allow compromise

That's a separate issue unrelated to the original post

The OP asked for strategies on how to keep the developers from compromising his/her network while still providing the developers the capability they say they need.

Your reply outlines a vulnerability which is taken care of by patching. Not the differences between development and administration. I'm sure the OP keeps his/her systems patched.

Re: Best Practices for privileged account on laptops

Shannon — Mon, 26 Mar 2018 14:53:37 GMT

Actually, there is a relationship. The whole reason was to reduce the risks of systems impacted due to a domain account getting compromised by malware, right?

Malware can be engineered to exploit these vulnerabilities, and impact a system. Both Spectre & Meltdown are hardware vulnerabilities, and so can't be properly patched at the system level.

No doubt isolation is the best bet, but you may not be able to achieve this only through virtualization (unless the hardware isn't vulnerable) in which case network isolation is also an option.

Re: Best Practices for privileged account on laptops

DanPeterson — Tue, 24 Jul 2018 14:30:23 GMT

Hi Ramon,

You're even more generous than I would be! 😄

The code development should be done in a separate test and development network that's segregated from your production network. The engineers and developers can RDP to the dev network and do whatever they want there to their heart's content.

In prod network, all the techies (the engineers, developers, even system admins) should use a standard account with no special privileges, including no ability to install software other than what your company has already whitelisted, for all their daily activity like emails, writing documents, so forth. Those with a need for elevated privileges should have a separate privileged account with privileges appropriate for their responsibilities. Highly privileged accounts (domain admins, root) should be secured in some way, such as a privileged account management system like CyberArk or Balabit, or use of split passwords for 4-eye checks.

Any engineers who object should attend security awareness training.

My recommendation is to stand tough - and if you need to, get senior management to stand tough along side you - and tell the engineers the wild west days are over.

Re: Best Practices for privileged account on laptops

Flyslinger2 — Wed, 25 Jul 2018 17:14:52 GMT

@DanPeterson nailed it. In addition all auth should be multifactor.

All production admin accounts should be virtual and and those virtual sessions should be blown away DAILY.

Dev teams have no business in prod.

Laptops should be eliminated as they are risks. Every developer should have a dumb terminal.

Re: Best Practices for privileged account on laptops

vt100 — Wed, 25 Jul 2018 17:20:33 GMT

This webinar from Beyond Trust specific to Privileged Accounts for Developers may be of interest to you. They are generally pretty good at starting those with problem analysis, general solutions and only then moving to the promotion of their own products addressing the problem:

Re: Best Practices for privileged account on laptops

metasploit — Wed, 28 Nov 2018 01:09:36 GMT

Hi Ramon,

If I understand correct,you want to both least privilege and productivity on employee laptops. CyberArk EPM can easily fit your needs.

Here comes short brief for EPM, if you want to get more details, please let me know.

CyberArk Endpoint Privilege Manager helps remove the barriers to enforcing least privilege and allows
organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or
encrypted and held for ransom. A combination of privilege management, application control and targeted
credential theft protection stops and contains damaging attacks at the endpoint of entry. Unknown
applications run in a restricted mode to contain threats and credential theft protection blocks credential
theft attempts. These critical protection technologies are deployed as a single agent to strengthen and
harden all desktops, laptops and servers.
CyberArk Endpoint Privilege Manager also enables security teams to enforce granular least privilege
policies for IT administrators, helping organizations effectively segregate duties on Windows servers.
Complementing these privilege controls, the solution also delivers application controls designed to manage
and control which applications are permitted to run on endpoints and servers

Thanks,

Sam Lu, CISSP, CISM, CISA, CCIE#9892

Email: sam.lu@cyberark.com

Re: Best Practices for privileged account on laptops

Ramon — Wed, 28 Nov 2018 06:52:29 GMT

Hi Sam, Thanks for your answer, I've downloaded the spec sheet just now. Will definitely look into this.

Ramon

Re: Best Practices for privileged account on laptops

metasploit — Wed, 28 Nov 2018 07:10:18 GMT

Good, drop me email if you need more help.