It’s necessary in every organisation for some users or teams to hold a higher level of access than standard users have. This allows changes to permissions, updates to applications and operating systems, and the provisioning of new resources. However, if an adversary gets access to privileged accounts, they can use this to execute damaging attacks.
Restricting administrative privileges makes it more difficult for an adversary’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after reboot, obtain sensitive information, or resist removal efforts. Organisations therefore need to ensure they implement effective mitigation strategies to restrict administrative privileges.
As a result of restricting administrative privileges, an organisation’s environment becomes more stable, predictable, and easier to administer and support as fewer users can make significant changes to the operating environment, either intentionally or unintentionally.
The ACSC considers that the following approaches do not meet the intent of restricting administrative privileges and, in some cases, may increase the risk to an organisation’s network:
- simply minimising the total number of privileged accounts
- implementing shared non-attributable privileged accounts
- temporarily allocating administrative privileges to user accounts
- placing standard user accounts in user groups with administrative privileges
Correct approach to restricting administrative privileges
The ACSC states that the following is the correct approach to Restrict Administrative Privilege:
- identify tasks which require administrative privileges to be performed
- validate which staff members are required and authorised to carry out those tasks as part of their duties
- create separate attributable accounts for staff members with administrative privileges, ensuring that their accounts have the least amount of privileges needed to undertake their duties
- revalidate staff members’ requirements to have a privileged account on a frequent and regular basis, or when they change duties, leave the organisation, or are involved in a cyber security incident.
To reduce the risks of using privileged accounts, the ACSC states organisations should ensure that:
- technical controls prevent privileged accounts from undertaking risky activities such as reading emails and opening attachments or browsing the web
- system administration is undertaken in a secure manner by implementing the guidance in the Secure Administration publication
REMEDIATION STRATEGIES
Maturity Level One
Organisations at Maturity Level One will establish a request validation policy and procedure to validate requests for privilege assignment, ensuring that privileges are assigned on the principle of least privilege, and will establish appropriate role groups for the delegation of specific administrative privileges.
Utilising an Application Control system or another similar mechanism, organisations will prevent administrative accounts (excluding service accounts) from accessing the internet, email and web services.
Organisations will provide administrators with a separate environment (such as an Azure Virtual Desktop workstation) to perform administrative functions, restrict normal user accounts from signing into the separate administrative environment, and prevent administrative accounts, with an exception for a dedicated local administration account, from signing into standard workstations.
Maturity Level Two
Maturity Level Two organisations expand their strategy to remove privileges when they are no longer required. This includes establishing administrative processes to revalidate issued privileges at least annually, ensuring that each revalidation is recorded and tracked, and establishing monitoring for enabled but inactive administrative accounts, reviewing any that have been inactive for 45+ days – either as a manual or an automated task.
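As an added example of the inactive-account check described above (this is not code from the original guidance), the following PowerShell lists enabled members of a set of privileged Active Directory groups whose last logon is older than 45 days or who have never logged on. It assumes a domain-joined host with the RSAT ActiveDirectory module installed; the group names are the default built-in ones and are an assumption about the environment.

```powershell
# Added example (not from the original guidance): report enabled members of
# privileged AD groups that have not logged on in the last N days.
# Assumes the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

function Get-StaleAdminAccount {
    param(
        [int]$InactiveDays = 45,
        # Assumed list of privileged groups; extend with delegated admin roles
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirectly privileged users are included
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, whenCreated |
            Where-Object {
                # Disabled accounts are out of scope; flag never-used and stale ones
                $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $_.SamAccountName
                    LastLogonDate  = $_.LastLogonDate
                    Created        = $_.whenCreated
                }
            }
    }
}

# Usage: one row per (group, account) pair; an account in several groups appears once per group
Get-StaleAdminAccount -InactiveDays 45 | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

One caveat when automating this: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default is only updated when it is more than about 14 days stale, so the value can lag real activity by up to two weeks. Treat the 45-day threshold as an "investigate" trigger rather than an automatic disable, or query the non-replicated `lastLogon` attribute on every domain controller before acting.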
At this level, an organisation needs to ensure that all administrative operating environments are hosted in privileged environments and are not virtualised on unprivileged endpoints, such as the standard workstations belonging to system administrators. It also needs to ensure that all local, administrative, and service accounts use distinct, unique usernames as well as unique, randomly generated, strong passwords.
Logging policies for Microsoft 365 and on-premises domains need to be established to log all use and modification of privileged credentials and all changes made to privileged groups and roles.
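As an added example of what "log all changes made to privileged groups" looks like once the audit policy is in place (this is not code from the original guidance), the following PowerShell reads the standard Windows group-membership audit events from a domain controller's Security log and reports who added or removed which member from a watched group. It assumes the "Audit Security Group Management" subcategory is enabled and that the script runs with rights to read the Security log; the watched group names are an assumption about the environment.

```powershell
# Added example (not from the original guidance): summarise privileged-group
# membership changes from the Security event log. Assumes Security Group
# Management auditing is enabled on the domain controller being queried.
function Get-PrivilegedGroupChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        # Assumed list of groups to watch; add delegated admin role groups as needed
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # 4728/4732/4756 = member added to a global/local/universal security-enabled group
    # 4729/4733/4757 = member removed from the same group types
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no changes"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML instead of relying on Properties[] ordering
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Action    = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']        # DN of the account that was added/removed
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        } |
        Where-Object { $_.Group -in $WatchedGroups }
}

# Usage: changes to watched groups in the last 24 hours, oldest first
Get-PrivilegedGroupChange -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The same events, forwarded from every domain controller to the SIEM, give the record of privileged-group modification that the logging policy calls for; the `ChangedBy` field is the one to alert on when it is not an approved administrator or the provisioning service account.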
Maturity Level Three
Expanding on Maturity Levels One and Two, organisations at Maturity Level Three need to regularly audit all issued administrative privileges to ensure they are not ‘over-scoped’ and grant only the privileges sufficient for the individual user’s or service’s required business functions.
They also need to prevent all privileged accounts, including service accounts, from accessing the internet, email, and web services. This Maturity Level also requires implementation of a Just-in-Time administration system, in which all privileged users ‘check out’ their privileges when required and ‘check in’ them afterwards, rather than being permanently assigned privileges.
A central configuration policy needs to be implemented to enable Windows Defender Credential Guard and Remote Credential Guard for all assets and Remote Desktop hosts, and a SIEM system needs to be implemented to log all use of, and modifications to, privileged user accounts and groups. Organisations need to monitor this logged information for signs of compromise and act on these events when they occur.
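As an added example of how to verify that the Credential Guard policy described above has actually taken effect on a host (this is not code from the original guidance), the following PowerShell reads the Device Guard WMI class that Windows exposes for this purpose and checks the registry value that Remote Desktop hosts need for Remote Credential Guard. It assumes a Windows 10/11 or Server 2016+ host; the reporting format is my own.

```powershell
# Added example (not from the original guidance): report Credential Guard and
# Remote Credential Guard host-side status for compliance checking.
function Test-CredentialGuard {
    try {
        # Win32_DeviceGuard is the documented status class for VBS-based protections
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                              -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    } catch {
        # Namespace is absent on hosts that do not support VBS at all
        return [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Supported = $false }
    }

    # SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI (memory integrity)
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled (not running), 2 = running
    $credGuardConfigured = $dg.SecurityServicesConfigured -contains 1
    $credGuardRunning    = $dg.SecurityServicesRunning    -contains 1

    # Remote Credential Guard on an RDP *host* requires DisableRestrictedAdmin = 0 under LSA;
    # the client side is controlled by the "Restrict delegation of credentials" policy
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $remoteCredGuardHostReady = ($null -ne $lsa.DisableRestrictedAdmin) -and ($lsa.DisableRestrictedAdmin -eq 0)

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        Supported                = $true
        VbsStatus                = $dg.VirtualizationBasedSecurityStatus
        CredGuardConfigured      = [bool]$credGuardConfigured
        CredGuardRunning         = [bool]$credGuardRunning
        RemoteCredGuardHostReady = [bool]$remoteCredGuardHostReady
        Compliant                = [bool]($credGuardRunning -and $remoteCredGuardHostReady)
    }
}

# Usage: run locally, or wrap in Invoke-Command to sweep a list of Remote Desktop hosts
Test-CredentialGuard | Format-List
```

A host that shows `CredGuardConfigured` true but `CredGuardRunning` false has received the policy but has not rebooted or lacks the UEFI/virtualisation prerequisites, which is the gap a fleet-wide sweep of this check is meant to surface.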