1. Understanding account and privilege management
Account Management Tasks:
- implement the principles of least privilege: An individual should only have the minimum set of privileges necessary to complete their assigned job duties
- Implement separation of duties: Performing sensitive actions should require the collaboration of two individuals
- implementing job rotation schemes: regularly move people between jobs to prevent fraud
- managing the account life cycle: Provisioning new user access, modifying access as the role changes, terminating/deprovisioning the user
You should use a standard naming convention to facilitate user identification. Egg: firstinitialsurname
2. Account Types
Most of the accounts that we manage are standard user accounts. They’re assigned to an individual user and grant routine access to resources. User accounts should be subject to routine monitoring for compromise and should follow a lifecycle management process for provisioning and deprovisioning.
These accounts have administrative rights and require strong controls. Privileged accounts should not be used for routine activities. It’s easy for users with privileged access to make mistakes and cause unintended but drastic consequences. Also, the more you use an account, the higher the likelihood of compromise. Therefore, administrative users who require privileged access typically have standard user accounts that they use for most of their routine activity and then they manually elevate their account to privileged status when they need to issue an administrative command. The exact mechanism for this elevation will vary depending upon the Access Control System, but it may consist of logging in with a different account, assuming an administrative role, or issuing a sudo command.
Guest accounts provide users with temporary access to resources. Guest accounts should be tied to unique individuals and should expire after a reasonable period of time.
These are accounts where more than one individual has access to use the account. Generally speaking, these accounts are a bad idea. It is difficult to trace who performed an action with a shared account.
These are a special type of account used internally by a system to run a process or perform other actions. These accounts typically have privileged access and should be carefully controlled.
You should configure service accounts so that they may not be used to log on to the system interactively and their passwords should not be known by anyone.
3. Account policies
Security professionals may take advantage of account policies to apply security requirements and other configuration settings across the domain. Windows Active Directory provides group policy functionality to allow this type of configuration. Administrators may create group policy objects, or GPOs, which are groups of configuration settings, and then apply those GPOs to either an entire domain or smaller groups of users and computers, known as organisational units.
4. Password Policies
Passwords are among the most common authentication mechanisms and it’s important to ensure that they are secure. Administrators may use Group Policy Objects to securely configure passwords to require good password practices by end users.
Password Policies can include:
- Passwords must be at least 8 characters long
- passwords must include different types of characters such as uppercase letters, lowercase letters, digits, and symbols
- mandatory password expiration policies that force users to change their passwords periodically (EG: 90 days)
- Prevent reuse of old passwords
- Lockout accounts after entering incorrect password x amount of times
- Make sure to disable accounts no longer in use
Password Recovery Mechanisms
Some organisations use a password recovery mechanism which allow users to reset passwords on a self service basis. This relieves the burden on helpdesk staff.
5. Managing Roles
Roles provide administrators with an easy way to manage security permissions. Administrators can create roles which group permissions together in a manner that they may be assigned to multiple users at the same time. In Windows we can use security groups to manage roles and their permissions.
Benefit of roles:
- they simplify account management
- administrators can simply assign a new user to the team’s role and then the user will get all of the permissions already associated with their new job
- When the user leaves the administrator removes them from the role and the permissions are removed
6. Account Monitoring
Two major account administration issues face security professionals:
- Inaccurate permissions assigned to accounts that either prevent a user from doing his or her work, or violate the principle of least privilege. These permissions are often the result of privilege creep, a condition that occurs when users switch jobs and gain new permissions but never have their old permissions revoked.
- Illegitimate use of account either by someone other than the legitimate user accessing the account, or by the user performing some illegitimate action.
User Access Reviews
To prevent against a user having inaccurate permissions, administrators should perform regular user access reviews in cooperation with managers from around the organisation.
During these reviews:
- Pull lists of user permissions
- Review permissions with managers
- Make an y necessary adjustments
- Focus on users who recently changed roles
Continuous Account Monitoring
Protecting against the unauthorised use of permissions is a little trickier, because it can be hard to detect. This requires the use of continuous account monitoring systems that watch for suspicious activity and alert administrators to strange actions. This includes things like:
- Unusual login locations
- Strange login times
- Deviations from normal behaviour (accessing unusual resources)
- High volume activity (bulk downloading information)
7. Provisioning and deprovisioning accounts
Account administrators are responsible for managing the provisioning and deprovisioning of user accounts. This involves two core activities.
When a new user joins the organisation, administrators ensure that they go through the appropriate onboarding process and then they provision a user account for that individual. This involves creating authentication credentials and granting the user appropriate authorisations based upon their job function.
Then when a user leaves the organisation, administrators ensure that they go through an offboarding process that includes deprovisioning the account to remove their credentials and authorisations at the appropriate time.
Failure to terminate accurately:
- If deprovisioned too early the user may find out about the pending termination
- If deprovisioned too late the user has access to resources after termination