SYS-CON MEDIA Authors: Elizabeth White, Pat Romanski, Liz McMillan, Yeshim Deniz, Courtney Abud

Article

Security Hardening of Windows by Reducing Privileged Access

5 steps to ensure ongoing privileged access security

By Derek Melber, Technical Evangelist, ManageEngine

As I tour the world helping Active Directory administrators, auditors and security professionals secure their Windows environment, I often get questions about privileged access. The questions usually are about how privileges are granted and how an organization can know if its privileges are correct. These are great questions considering the onset of so many attacks on Windows in the past five to seven years. It is important to see that privileged access is usually at the core of these attacks.

There are many ways to grant privileges in a Windows environment. Granting privileges is rather easy. Reporting and analyzing the current privileged access, however, can be a bit harder. There is no centralized location that shows an administrator or auditor the current privileged access. Understanding the different technologies and features that grant privileged access is the first step. Then, for each area where privileges can be granted, there are five steps that should be taken to ensure ongoing privileged access security.

Those steps include:

  • Reporting on the current settings
  • Analyzing the settings to understand who has privileged access
  • Configuring the correct privileged access
  • Monitoring for changes to privileged access
  • Alerting, in real time, for key privileged access changes

 

The technologies and features in a Windows environment that grant privileged access include:

  • Group membership
  • User rights
  • Access control lists or permissions
  • Delegation

Group Membership

Depending on how the group is configured in the environment, it can have the highest level of privileges or just a few privileges. For example, the Domain Admins group has nearly the highest level of privileges in the entire Active Directory domain. Just adding a user to this group grants this level of privilege. However, the most complex concept with reporting on groups is to get the recursive group members, i.e., the users who are located in nested groups of the main group and who need to be reported as well.

There are plenty of reporting tools that can get group membership recursively, though. PowerShell by Microsoft and ADManager Plus by ManageEngine are two options.

User Rights

User rights control global access over different aspects of a domain controller, server or workstation. User rights are configured using Group Policy, giving granular control of each computer individually. Therefore, each computer could have a unique set of user rights, making the reporting and configuration of these settings difficult and time consuming.

Every Windows computer comes with a built-in tool, secpol.msc, which can report the current user rights on each computer. The tool must be run locally, but it is extremely powerful and gives precise configurations. Since each user right provides some level of privilege over the computer, each and every user right should be evaluated and configured to meet the minimum requirements for server access.

Access Control Lists

Controlling access to files and folders is essential for assuring the security of data within any organization. You need to properly configure the access control lists for your key data and ensure that they only provide access to the appropriate people. The wrong privileges granted to a file or folder could severely hurt, or even destroy, a company.

Reporting on who has access to a file or folder is a monumental task, due to the volume of files and folders on a typical network. Therefore, selection of the most important data must occur, and then those selected files and folders can be the focus of the security hardening. There are many tools that can help report on data access control lists, but if you do not want to purchase a tool, you can always use the built-in xcacls.exe tool, which comes with all Windows computers.

Delegation

The concept of delegation falls under the category of access control lists, but it is a specific term used for Active Directory and Group Policy management. Due to the complexity of Active Directory delegation, the configuration of the delegation is typically done through the Delegate Control Wizard. This wizard is located on the drop-down menu for the domain node for each Organizational Unit in the Active Directory Users and Computers tool. The wizard defines which account (user or group) is granted a specific task. The most common tasks are resetting passwords for users and modifying group membership, both of which have a potential impressive security impact if the wrong account is granted the delegation.

The Delegate Control Wizard can only configure the delegations-it can't report or remove delegations. Therefore, a different tool must be used for each task. The built-in dsacls.exe tool is ideal for reporting on delegations for each Active Directory node. As for modifications to existing delegations, that is typically left up to manual efforts performed on the Security tab located on the object's Property page.

Summary

Assuring that privileged access is understood, configured properly and monitored is a huge step toward hardening the security of your Windows environment. Without the correct reports, configurations or monitoring, it is impossible to know what privileges are granted. Beyond that, without the knowledge of privileged access, you are leaving your organization open for an easy attack. However, with the correct tools in place to monitor and alert on changes to correct privileged access, there is little that can sneak by you if an attack occurs.

Derek Melber is the technical evangelist for ManageEngine, a division of Zoho Corporation. As one of only a handful of Microsoft Group Policy MVPs, Derek helps Active Directory administrators, auditors and security professionals understand the finer points of how to manage, audit, recover and solve issues that occur in Active Directory and Group Policy. He educates IT professionals worldwide on Active Directory, Group Policy and Security and has authored over 15 books on Windows security and management. He's famous for his video shorts in which he offers quick, practical solutions for Active Directory management.

More Stories By ManageEngine IT Matters

ManageEngine believes IT management can be simple and affordable. Our authors share insights and how-to tips for SMBs and large enterprises. Over 120,000 companies around the world – including three of every five Fortune 500 companies – trust our products to manage their networks, data centers, business applications, and IT services, and security. We take a straightforward, customer-centric approach to IT management software. Our customers' needs drive our product philosophy. And we've built a strong, in-house R&D team to support our product team and turn customer requests into product realities. We look forward to hearing from you.

Latest Stories
Eggplant, the customer experience optimization specialist, announced the latest enhancements to its Digital Automation Intelligence (DAI) Suite. The new capabilities augment Eggplant’s continuous intelligent automation by making it simple and quick for teams to test the performance and usability of their products as well as basic functionality, delivering a better user experience that drives business outcomes.
Intel is an American multinational corporation and technology company headquartered in Santa Clara, California, in the Silicon Valley. It is the world's second largest and second highest valued semiconductor chip maker based on revenue after being overtaken by Samsung, and is the inventor of the x86 series of microprocessors, the processors found in most personal computers (PCs). Intel supplies processors for computer system manufacturers such as Apple, Lenovo, HP, and Dell. Intel also manufactu...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...
Conor Delanbanque has been involved with building & scaling teams in the DevOps space globally. He is the Head of DevOps Practice at MThree Consulting, a global technology consultancy. Conor founded the Future of DevOps Thought Leaders Debate. He regularly supports and sponsors Meetup groups such as DevOpsNYC and DockerNYC.
"There is a huge interest in Kubernetes. People are now starting to use Kubernetes and implement it," stated Sebastian Scheele, co-founder of Loodse, in this SYS-CON.tv interview at DevOps at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
Here to help unpack insights into the new era of using containers to gain ease with multi-cloud deployments are our panelists: Matt Baldwin, Founder and CEO at StackPointCloud, based in Seattle; Nic Jackson, Developer Advocate at HashiCorp, based in San Francisco, and Reynold Harbin, Director of Product Marketing at DigitalOcean, based in New York. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, John Jelinek IV, a web developer at Linux Academy, will discuss why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers...
Using serverless computing has a number of obvious benefits over traditional application infrastructure - you pay only for what you use, scale up or down immediately to match supply with demand, and avoid operating any server infrastructure at all. However, implementing maintainable and scalable applications using serverless computing services like AWS Lambda poses a number of challenges. The absence of long-lived, user-managed servers means that states cannot be maintained by the service. Lo...
With the new Kubernetes offering, ClearDATA solves one of the largest challenges in healthcare IT around time-to-deployment. Using ClearDATA's Automated Safeguards for Kubernetes, healthcare organizations have access to the container orchestration to dynamically deploy new containers on demand, monitor the health of each container for threats and seamlessly roll back faulty application updates to a previous version, avoid system-wide downtime and ensure secure continuous access to patient data.
As Apache Kafka has become increasingly ubiquitous in enterprise environments, it has become the defacto backbone of real-time data infrastructures. But as streaming clusters grow, integrating with various internal and external data sources has become increasingly challenging. Inspection, routing, aggregation, data capture, and management have all become time-consuming, expensive, poorly performing, or all of the above. Elements erases this burden by allowing customers to easily deploy fully man...
Applications with high availability requirements must be deployed to multiple clusters to ensure reliability. Historically, this has been done by pulling nodes from other availability zones into the same cluster. However, if the cluster failed, the application would still become unavailable. Rancher’s support for multi-cluster applications is a significant step forward, solving this problem by allowing users to select the application and the target clusters, providing cluster specific data. Ranc...
StackRox helps enterprises secure their containerized and Kubernetes environments at scale. The StackRox Container Security Platform enables security and DevOps teams to enforce their compliance and security policies across the entire container life cycle, from build to deploy to runtime. StackRox integrates with existing DevOps and security tools, enabling teams to quickly operationalize container and Kubernetes security. StackRox customers span cloud-native startups, Global 2000 enterprises, a...