
Security Hardening of Windows by Reducing Privileged Access

5 steps to ensure ongoing privileged access security

By Derek Melber, Technical Evangelist, ManageEngine

As I tour the world helping Active Directory administrators, auditors and security professionals secure their Windows environment, I often get questions about privileged access. The questions usually are about how privileges are granted and how an organization can know if its privileges are correct. These are great questions considering the onset of so many attacks on Windows in the past five to seven years. It is important to see that privileged access is usually at the core of these attacks.

There are many ways to grant privileges in a Windows environment. Granting privileges is rather easy. Reporting and analyzing the current privileged access, however, can be a bit harder. There is no centralized location that shows an administrator or auditor the current privileged access. Understanding the different technologies and features that grant privileged access is the first step. Then, for each area where privileges can be granted, there are five steps that should be taken to ensure ongoing privileged access security.

Those steps include:

  • Reporting on the current settings
  • Analyzing the settings to understand who has privileged access
  • Configuring the correct privileged access
  • Monitoring for changes to privileged access
  • Alerting, in real time, for key privileged access changes

The technologies and features in a Windows environment that grant privileged access include:

  • Group membership
  • User rights
  • Access control lists or permissions
  • Delegation

Group Membership

Depending on how a group is configured in the environment, it can carry the highest level of privileges or just a few. For example, the Domain Admins group has nearly the highest level of privileges in the entire Active Directory domain, and simply adding a user to this group grants that level of privilege. The hardest part of reporting on groups, however, is resolving membership recursively: users who belong to groups nested inside the main group hold its privileges too and must be reported as well.

There are plenty of reporting tools that can get group membership recursively, though. PowerShell by Microsoft and ADManager Plus by ManageEngine are two options.
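PowerShell's Get-ADGroupMember cmdlet has a -Recursive switch that flattens nested membership. The following added example (not code from the article or from ManageEngine) walks the nesting itself so the report also shows the path by which each account is reached, and it guards against circular nesting, which is a real-world condition in older domains. It assumes the RSAT ActiveDirectory module; the group name is the one the article uses.

```powershell
# Added example (not from the article): enumerate a group's effective user
# members by walking nested groups, with a guard against circular nesting.
# Assumes the RSAT ActiveDirectory module; a read-only domain account suffices.
Import-Module ActiveDirectory

function Get-NestedGroupUsers {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$Path = $Group,
        [System.Collections.Generic.HashSet[string]]$Seen =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    # A group already visited on this walk is a cycle (A -> B -> A) or a
    # repeat; either way, stop here instead of recursing forever.
    if (-not $Seen.Add($g.DistinguishedName)) { return }

    foreach ($dn in $g.member) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, userAccountControl
        switch ($obj.ObjectClass) {
            'group' {
                Get-NestedGroupUsers -Group $obj.DistinguishedName `
                    -Path "$Path -> $($obj.sAMAccountName)" -Seen $Seen
            }
            'user' {
                [pscustomobject]@{
                    User     = $obj.sAMAccountName
                    Disabled = [bool]($obj.userAccountControl -band 2)  # ACCOUNTDISABLE bit
                    ViaPath  = $Path
                }
            }
            default {
                # Computers, gMSAs and foreign security principals also hold
                # the group's privileges; report them rather than drop them.
                [pscustomobject]@{ User = "$($obj.ObjectClass):$($obj.Name)"; Disabled = $null; ViaPath = $Path }
            }
        }
    }
}

# Report every account that effectively holds Domain Admins membership,
# including accounts reached only through nested groups.
Get-NestedGroupUsers -Group 'Domain Admins' |
    Sort-Object User, ViaPath |
    Format-Table -AutoSize
```

An account listed under several ViaPath values keeps its privilege until it is removed from every one of those groups, which is the detail a flattened list hides.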

User Rights

User rights control global access over different aspects of a domain controller, server or workstation. User rights are configured using Group Policy, giving granular control of each computer individually. Therefore, each computer could have a unique set of user rights, making the reporting and configuration of these settings difficult and time consuming.

Every Windows computer comes with a built-in tool, secpol.msc, which can report the current user rights on each computer. The tool must be run locally, but it is extremely powerful and gives precise configurations. Since each user right provides some level of privilege over the computer, each and every user right should be evaluated and configured to meet the minimum requirements for server access.
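Because secpol.msc only shows the local computer interactively, a review of many machines is easier from an export. The added example below (not from the article) uses the built-in secedit.exe to export the user-rights assignment to a file, resolves the SIDs in it, and flags sensitive rights held by broad principals; the "sensitive" and "broad" lists are assumptions for the example, not a baseline.

```powershell
# Added example (not from the article): export the local user-rights
# assignment with secedit.exe and flag sensitive rights held by broad
# principals. Run in an elevated PowerShell session on the computer under
# review; the 'sensitive' and 'broad' lists are starting points, not a baseline.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege',
             'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
             'SeImpersonatePrivilege', 'SeRemoteInteractiveLogonRight', 'SeServiceLogonRight'
$broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'INTERACTIVE'

function Resolve-Principal([string]$Token) {
    # secedit writes SIDs as *S-1-5-..., and some well-known names bare.
    if (-not $Token.StartsWith('*')) { return $Token }
    $sid = [System.Security.Principal.SecurityIdentifier]$Token.Substring(1)
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }   # orphaned SID: keep it visible rather than hide it
}

$findings = foreach ($line in Get-Content -LiteralPath $inf) {
    # Lines in the [Privilege Rights] section look like:
    #   SeDebugPrivilege = *S-1-5-32-544
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $holders = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($holder in $holders) {
        $name  = Resolve-Principal $holder
        $short = ($name -split '\\')[-1]
        [pscustomobject]@{
            Right     = $right
            Holder    = $name
            Sensitive = $sensitive -contains $right
            Broad     = $broad -contains $short
        }
    }
}

# Full inventory for the report; the filtered view is what needs attention.
$findings | Sort-Object Right, Holder | Export-Csv -NoTypeInformation "$env:TEMP\user-rights.csv"
$findings | Where-Object { $_.Sensitive -and $_.Broad } | Format-Table -AutoSize
```

Keeping the CSV from each computer makes the monitoring step straightforward: a later export that differs from the stored one is a change in privileged access.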

Access Control Lists

Controlling access to files and folders is essential for assuring the security of data within any organization. You need to properly configure the access control lists for your key data and ensure that they only provide access to the appropriate people. The wrong privileges granted to a file or folder could severely hurt, or even destroy, a company.

Reporting on who has access to a file or folder is a monumental task, due to the volume of files and folders on a typical network. Therefore, selection of the most important data must occur, and then those selected files and folders can be the focus of the security hardening. There are many tools that can help report on data access control lists, but if you do not want to purchase a tool, you can always use the built-in xcacls.exe tool, which comes with all Windows computers.
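Following the article's advice to narrow the review to the most important data, the added example below (not from the article) takes a short list of folders and reports every Allow ACE that gives a broad group more than read access, including on subfolders whose inheritance has been broken. It uses PowerShell's Get-Acl rather than xcacls.exe; the folder paths and the "broad" list are placeholders.

```powershell
# Added example (not from the article): for a short list of high-value
# folders, report every Allow ACE that gives a broad group more than
# read access, so the review can concentrate on the data that matters.
# The folder paths and the 'broad' list are placeholders.
$targets = 'D:\Finance', 'D:\HR'
$broad   = 'Everyone', 'Users', 'Authenticated Users', 'Domain Users'

# Any of these bits lets the holder change data or the ACL itself. The
# generic bits (GENERIC_ALL, GENERIC_WRITE) appear on some inherited ACEs
# and would otherwise slip past a check of the specific rights only.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor 0x50000000

function Get-RiskyAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id    = $ace.IdentityReference.Value
        $short = ($id -split '\\')[-1]
        # Generic rights show up as negative numbers; cast to int before masking.
        $writes = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($writes -and $broad -contains $short) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Owner     = $acl.Owner
            }
        }
    }
}

$report = foreach ($root in $targets) {
    Get-RiskyAce $root
    # Subfolders with inheritance disabled can carry ACEs the root does not show.
    Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RiskyAce $_.FullName }
}
$report | Sort-Object Path, Identity | Format-Table -AutoSize
```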

Delegation

The concept of delegation falls under the category of access control lists, but it is a specific term used for Active Directory and Group Policy management. Because Active Directory delegation is complex, it is typically configured through the Delegate Control Wizard, which is available on the drop-down menu for the domain node and for each Organizational Unit in the Active Directory Users and Computers tool. The wizard defines which account (user or group) is granted a specific task. The most common tasks are resetting users' passwords and modifying group membership, both of which have a potentially serious security impact if the wrong account is granted the delegation.

The Delegate Control Wizard can only configure delegations; it cannot report on or remove them. Therefore, a different tool must be used for each of those tasks. The built-in dsacls.exe tool is ideal for reporting on the delegations for each Active Directory node. Modifying existing delegations is typically left to manual work on the Security tab of the object's Properties page.
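As an alternative to reading dsacls.exe output, the added example below (not from the article) reads an OU's ACL through the AD: drive and lists the explicit, non-inherited Allow ACEs that delegate the two tasks the article singles out, password reset and group-membership changes, or that grant full control outright. It assumes the RSAT ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the article): list the explicit (non-inherited)
# Allow ACEs on an OU that delegate password reset or group-membership
# changes, or grant full control outright.
# Assumes the RSAT ActiveDirectory module (it provides the AD: drive);
# the OU distinguished name is a placeholder.
Import-Module ActiveDirectory
$ou = 'OU=Staff,DC=example,DC=com'

# GUIDs the delegation is expressed with in the ACE's ObjectType field.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$memberAttr    = [guid]'bf9679c0-0de6-11d1-a285-00aa003049e2'  # the 'member' attribute
$anyObject     = [guid]::Empty                                  # ACE not limited to one right/attribute

$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$ou"
$report = foreach ($ace in $acl.Access) {
    if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $tasks  = @()
    if ($rights.HasFlag($ADR::GenericAll)) { $tasks += 'Full control' }
    if ($rights.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -in @($resetPassword, $anyObject)) {
        $tasks += 'Reset password'
    }
    if ($rights.HasFlag($ADR::WriteProperty) -and $ace.ObjectType -in @($memberAttr, $anyObject)) {
        $tasks += 'Modify group membership'
    }
    if ($tasks.Count -eq 0) { continue }
    [pscustomobject]@{
        Trustee   = $ace.IdentityReference.Value
        Tasks     = $tasks -join ', '
        # Class GUID the ACE is scoped to (empty = every object class under the OU).
        AppliesTo = $ace.InheritedObjectType
        Scope     = $ace.InheritanceType
    }
}
$report | Sort-Object Trustee | Format-Table -AutoSize
```

Run the same script against each OU where the wizard has been used; a trustee that appears with "Reset password" on an OU holding administrative accounts is the case the article warns about.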

Summary

Assuring that privileged access is understood, configured properly and monitored is a huge step toward hardening the security of your Windows environment. Without the correct reports, configurations or monitoring, it is impossible to know what privileges are granted. Beyond that, without the knowledge of privileged access, you are leaving your organization open for an easy attack. However, with the correct tools in place to monitor and alert on changes to correct privileged access, there is little that can sneak by you if an attack occurs.

Derek Melber is the technical evangelist for ManageEngine, a division of Zoho Corporation. As one of only a handful of Microsoft Group Policy MVPs, Derek helps Active Directory administrators, auditors and security professionals understand the finer points of how to manage, audit, recover and solve issues that occur in Active Directory and Group Policy. He educates IT professionals worldwide on Active Directory, Group Policy and Security and has authored over 15 books on Windows security and management. He's famous for his video shorts in which he offers quick, practical solutions for Active Directory management.
