cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
d46j48fx
Contributor I

Access control advice requested: the sysadmin has become the IT manager

Hi colleagues!

 

A technical team lead for an understaffed IT team with extensive organization and technical knowledge has been promoted to manager of their team. This individual literally has "the keys to the kingdom".

 

I would appreciate your advice/direction regarding the individual's system access privileges.

I am thinking I should apply a "need to know" perspective to this and recommend a complete revocation of admin/god-level system access, or reduce access to what would be necessary to function in their new role as manager of the team.

 

I would appreciate your advice on this matter as soon as possible, preferably before July 1st (which is when the individual will be assuming their new role.)

 

Thanks in advance for your input!

 

Derek

 

 

11 Replies
d46j48fx
Contributor I

Thanks for your input and agreed on all suggestions! 

We are a Windows shop and we do use the two-account control (regular and audited admin).

 

mduplessis
Viewer III

Hi,

 

There are a number of controls/capabilities that could be put in place depending on your environment/budget and risk profile. Some that come to mind for additional investigation based on your circumstances:

  • Privileged Access Logging
  • Privileged Session Recording
  • Brokered Access/Secure Channel
  • Password Vaulting
  • Strong Authentication (MFA)
  • Just in Time Access
  • Account Checkout

 

Privileged Access Management. (Identify/Detect/Prevent) (Vendors Cyberark/Osirium and others)

  • It is not uncommon in even large organisations to have one or more individuals that have keys to the kingdom.
  • There is always a case where someone has to get into a system for normal operational maintenance and troubleshooting.(Possibly in normal cases through a directory account e.g. AD/LDAP
  • There is also the case where someone needs higher privilege on a system (root/local admin/domain admin )

- However the introduction of a PIM/PAM solution can help in the following ways

-- Often can host the root /local / breakglass accounts to get into systems with access audited. Admins should not be using these credentials on a daily basis and should lower level accounts for standard operations.

-- Can provide session brokering. When Admin needs to access system as priv user, they log into through the PAM solution (using familiar tools SSH/RDP etc). The PAM solution maintains the privileged account (username and password) and injects this into the session. IT Admin on a normal day does not need this. PAM solution is the only one that knows the password (sets it something of the max that the device supports and rotates on a frequent basis automatically)

-- Can provide session  and keystroke auditing. When admin logs into SSH / RDP and types reboot / format this is recorded. (Time, Source Workstation, Session length, Commands typed , screen recording)

-- Account discovery: When a user leverages an existing priv account to create a sanctioned/unsanctioned account this can be discovered and alerted.

 

Audit/Access Logging (Detect/Respond/Recover)

- For all security controls whether local OS logs and logs from other systems like PAM solution these should at a min be centrally stored and protected from destruction.

- If you have an internal security operations capability to monitor through a SIEM/ SOAR then all the better.

- Identify systems not being accessed through the PAM solution (While possible a valid use case should be investigated)

 

As some of the other replies have mentioned best practise around giving people rights based on least privilege should be adhered to. I have known many IT Managers that have zero access to systems at they are not operational staff (your situation is obviously different) , but if possible reduce access but have processes in place that access can be acquired without interfering with business operations/restoring business operations.

 

Sometimes people (that are technical) just want to know that if they have to get behind the keyboard to solve something that there is a prescribed way to do it when required.

 

M