cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Newcomer III

Re: Access control advice requested: the sysadmin has become the IT manager

Thanks for your input and agreed on all suggestions! 

We are a Windows shop and we do use the two-account control (regular and audited admin).

 

Viewer II

Re: Access control advice requested: the sysadmin has become the IT manager

Hi,

 

There are a number of controls/capabilities that could be put in place depending on your environment/budget and risk profile. Some that come to mind for additional investigation based on your circumstances:

  • Privileged Access Logging
  • Privileged Session Recording
  • Brokered Access/Secure Channel
  • Password Vaulting
  • Strong Authentication (MFA)
  • Just in Time Access
  • Account Checkout

 

Privileged Access Management. (Identify/Detect/Prevent) (Vendors Cyberark/Osirium and others)

  • It is not uncommon in even large organisations to have one or more individuals that have keys to the kingdom.
  • There is always a case where someone has to get into a system for normal operational maintenance and troubleshooting.(Possibly in normal cases through a directory account e.g. AD/LDAP
  • There is also the case where someone needs higher privilege on a system (root/local admin/domain admin )

- However the introduction of a PIM/PAM solution can help in the following ways

-- Often can host the root /local / breakglass accounts to get into systems with access audited. Admins should not be using these credentials on a daily basis and should lower level accounts for standard operations.

-- Can provide session brokering. When Admin needs to access system as priv user, they log into through the PAM solution (using familiar tools SSH/RDP etc). The PAM solution maintains the privileged account (username and password) and injects this into the session. IT Admin on a normal day does not need this. PAM solution is the only one that knows the password (sets it something of the max that the device supports and rotates on a frequent basis automatically)

-- Can provide session  and keystroke auditing. When admin logs into SSH / RDP and types reboot / format this is recorded. (Time, Source Workstation, Session length, Commands typed , screen recording)

-- Account discovery: When a user leverages an existing priv account to create a sanctioned/unsanctioned account this can be discovered and alerted.

 

Audit/Access Logging (Detect/Respond/Recover)

- For all security controls whether local OS logs and logs from other systems like PAM solution these should at a min be centrally stored and protected from destruction.

- If you have an internal security operations capability to monitor through a SIEM/ SOAR then all the better.

- Identify systems not being accessed through the PAM solution (While possible a valid use case should be investigated)

 

As some of the other replies have mentioned best practise around giving people rights based on least privilege should be adhered to. I have known many IT Managers that have zero access to systems at they are not operational staff (your situation is obviously different) , but if possible reduce access but have processes in place that access can be acquired without interfering with business operations/restoring business operations.

 

Sometimes people (that are technical) just want to know that if they have to get behind the keyboard to solve something that there is a prescribed way to do it when required.

 

M