Restrict Administrative Privileges - ACSC's Essential Eight mitigation strategy

"Hi, my name is Michael, and I'm a Cyber Security Consultant here at AC3.

Next in our Essential Eight series, I'm covering what strategies organisations need to implement when it comes to restricting administrative privileges.

It's necessary in every organisation for some users or teams to hold the keys to the kingdom or at least a higher level of access than standard users have. This allows changes to permissions, updates to applications and operating systems, and the provisioning of new resources.

However, if an adversary gets access to privileged accounts, they can use this to execute damaging attacks.

Across all levels of maturity, organisations need to be validating requests for privileged access to systems and applications, ensuring that only users with a business requirement have elevated access.

It's also important at every maturity level to ensure privileged users use separate privileged and unprivileged operating environments and that unprivileged accounts cannot log in to privileged operating environments.This helps prevent what is known as privilege escalation.

To reach Maturity Level Two, organisations must take additional steps to reduce privilege when it is no longer required. This includes automatically disabling privileged access to systems and applications after twelve months, unless the business requirement is invalidated, and automatically disabling access after 45 days of inactivity.

Organisations will also need to ensure privileged operating environments are not virtualised within unprivileged operating environments, credentials for local administrator accounts and service accounts are unique, unpredictable, and managed, and administrative activities are conducted through jump servers.

Level Two organisations will also need to log the use of privileged access and changes to privileged accounts and groups.

The main change for an organisation seeking Maturity Level Three is to implement what's known as ‘Just in Time’ administration.

These tools require all privileged users to ‘check in’ and ‘check out’ the privilege when it is required, rather than being permanently assigned elevated access.

If you would like guidance on which maturity level is right for your organisation or how effective your mitigation strategies are, please reach out to the team. We'd love to help."

AC3's Essential Eight Security Control Assessment can benchmark your current strategies against the ACSC's Essential Eight maturity models. Find out more here.