Re: Access control advice requested: the sysadmin has become the IT manager
There are a number of controls/capabilities that could be put in place depending on your environment/budget and risk profile. Some that come to mind for additional investigation based on your circumstances:
Privileged Access Logging
Privileged Session Recording
Brokered Access/Secure Channel
Strong Authentication (MFA)
Just in Time Access
Privileged Access Management (Identify/Detect/Prevent) (vendors: CyberArk, Osirium and others)
It is not uncommon in even large organisations to have one or more individuals that have keys to the kingdom.
There is always a case where someone has to get into a system for normal operational maintenance and troubleshooting (possibly, in normal cases, through a directory account, e.g. AD/LDAP).
There is also the case where someone needs higher privilege on a system (root/local admin/domain admin).
- However, the introduction of a PIM/PAM solution can help in the following ways:
-- Often it can host the root/local/break-glass accounts used to get into systems, with access audited. Admins should not be using these credentials on a daily basis and should use lower-level accounts for standard operations.
-- It can provide session brokering. When an admin needs to access a system as a privileged user, they log in through the PAM solution (using familiar tools, SSH/RDP etc.). The PAM solution maintains the privileged account (username and password) and injects this into the session. The IT admin on a normal day does not need this. The PAM solution is the only one that knows the password (it sets it to something of the maximum length the device supports and rotates it automatically on a frequent basis).
-- It can provide session and keystroke auditing. When an admin logs in over SSH/RDP and types reboot/format, this is recorded (time, source workstation, session length, commands typed, screen recording).
-- Account discovery: when a user leverages an existing privileged account to create a sanctioned/unsanctioned account, this can be discovered and alerted on.
Audit/Access Logging (Detect/Respond/Recover)
- For all security controls, whether local OS logs or logs from other systems like the PAM solution, these should at a minimum be centrally stored and protected from destruction.
- If you have an internal security operations capability to monitor through a SIEM/SOAR, then all the better.
- Identify systems not being accessed through the PAM solution (while a valid use case is possible, it should be investigated).
As some of the other replies have mentioned, best practice around giving people rights based on least privilege should be adhered to. I have known many IT managers that have zero access to systems as they are not operational staff (your situation is obviously different), but if possible reduce access and have processes in place so that access can be acquired without interfering with business operations/restoring business operations.
Sometimes people (that are technical) just want to know that, if they have to get behind the keyboard to solve something, there is a prescribed way to do it when required.
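Added example (not part of the reply above, and not code from any PAM vendor): two of the detections the reply describes, run over centrally collected syslog. The first flags privileged SSH logins that did not come from the PAM broker, i.e. systems being accessed around the PAM solution; the second spots new accounts created via a privileged account and attributes them to the sudo actor. The log lines, the broker address 10.0.0.5 and the privileged-account list are all constructed for the example; the parsers assume standard OpenSSH, sudo and shadow-utils useradd syslog formats.

```python
"""Detect privileged access that bypasses the PAM broker, and new-account
creation by a privileged account, from centrally collected syslog lines.

Added illustration only: the log lines, broker address and privileged-account
list below are constructed, not taken from any real environment or product."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the PAM/session broker is the only source that should open
# privileged sessions. 10.0.0.5 is a constructed address.
PAM_BROKERS = {"10.0.0.5"}
# Assumption: the accounts the PAM vault is supposed to own and rotate.
PRIVILEGED_ACCOUNTS = {"root", "administrator"}

# Constructed syslog sample (not real data): one brokered root login, one
# direct root login, a standard-user login, then an account created via sudo.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2141]: Accepted publickey for root from 10.0.0.5 port 51422 ssh2: RSA SHA256:c0ffee
Mar 10 09:20:44 web01 sshd[2199]: Accepted password for root from 192.168.1.77 port 40110 ssh2
Mar 10 09:21:03 db01 sshd[1877]: Accepted password for jsmith from 192.168.1.77 port 40112 ssh2
Mar 10 09:25:17 db01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
Mar 10 09:25:17 db01 useradd[1902]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
"""

_TS_HOST = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SSH_RE = re.compile(_TS_HOST + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(_TS_HOST + r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(_TS_HOST + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")


@dataclass
class Event:
    kind: str            # "ssh_login", "sudo" or "useradd"
    ts: str
    host: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_auth_log(text: str) -> List[Event]:
    """Turn raw syslog lines into typed events; lines we do not model are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        for kind, rx in (("ssh_login", SSH_RE), ("sudo", SUDO_RE), ("useradd", USERADD_RE)):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                events.append(Event(kind, d.pop("ts"), d.pop("host"), d))
                break
    return events


def find_pam_bypass(events, brokers=PAM_BROKERS, privileged=PRIVILEGED_ACCOUNTS):
    """Privileged logins whose source is not the PAM broker.

    Under a brokered model only the PAM host knows the vaulted password, so a
    direct privileged login is either a bypass or a leaked credential; either
    way it deserves a ticket."""
    return [
        {"ts": e.ts, "host": e.host, "user": e.fields["user"],
         "src": e.fields["src"], "method": e.fields["method"]}
        for e in events
        if e.kind == "ssh_login"
        and e.fields["user"].lower() in privileged
        and e.fields["src"] not in brokers
    ]


def find_account_creation(events):
    """Accounts created on a host, attributed to the actor of the most recent
    sudo useradd seen on that host (the 'account discovery' control)."""
    last_sudo_useradd: Dict[str, Event] = {}
    created = []
    for e in events:
        if e.kind == "sudo" and "useradd" in e.fields["cmd"]:
            last_sudo_useradd[e.host] = e
        elif e.kind == "useradd":
            actor = last_sudo_useradd.get(e.host)
            created.append({
                "ts": e.ts,
                "host": e.host,
                "new_user": e.fields["name"],
                "created_by": actor.fields["actor"] if actor else "unknown",
                "via": actor.fields["target"] if actor else "unknown",
            })
    return created


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for alert in find_pam_bypass(evs):
        print("PAM BYPASS:", alert)
    for alert in find_account_creation(evs):
        print("NEW ACCOUNT:", alert)
```

On the sample data this raises one bypass alert (root logging in to web01 with a password from a workstation rather than the broker) and one account-creation alert (svc_backup on db01, created by jsmith via sudo to root). In a real SIEM the same two rules would run as scheduled searches over the forwarded logs; the point of keeping the logs off-box, as the reply says, is that an administrator who owns the endpoint cannot quietly delete the evidence of either event.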