Restricting administrative privileges is one of the most effective mitigation strategies in ensuring the security of systems. As such, restricting administrative privileges forms part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.
Why administrative privileges should be restricted
Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information. Domain administrators have similar abilities for an entire network domain, which usually includes all of the workstations and servers on the network.
Adversaries often use malicious code (also known as malware) to exploit security vulnerabilities in workstations and servers. Restricting administrative privileges makes it more difficult for an adversary’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after reboot, obtain sensitive information or resist removal efforts.
An environment where administrative privileges are restricted is more stable, predictable, and easier to administer and support, as fewer users can make significant changes to their operating environment, either intentionally or unintentionally.
Approaches which do not restrict administrative privileges
There are a number of approaches which, while they may appear to provide many of the benefits of restricting administrative privileges, do not meet the intent of this mitigation strategy, and in some cases may actually increase the risk to an organisation’s network. These approaches include:
- simply minimising the total number of privileged accounts
- implementing shared non-attributable privileged accounts
- temporarily allocating administrative privileges to user accounts
- placing standard user accounts in user groups with administrative privileges.
How to restrict administrative privileges
The correct approach to restricting administrative privileges is to:
- identify tasks which require administrative privileges to be performed
- validate which staff members are required and authorised to carry out those tasks as part of their duties
- create separate attributable accounts for staff members with administrative privileges, ensuring that their accounts have the least amount of privileges needed to undertake their duties
- revalidate staff members’ requirements to have a privileged account on a frequent and regular basis, or when they change duties, leave the organisation or are involved in a cyber security incident.
To reduce the risks of using privileged accounts, organisations should ensure that:
- technical controls prevent privileged accounts from undertaking risky activities such as reading emails and opening attachments or browsing the web
- system administration is undertaken in a secure manner by implementing the guidance in the Secure Administration publication [1].
Get Advice
We can speak with you regarding the restriction of Admin Priviledges. What to expect from your technical team and your end users.
Change is hard and we can provide you the stepping stones to achieve this requirement.
Quick Links
- Videos
- End User experience to Admin Loss
- Managing Admin Restriction (An IT Guide)
- Business Overheads to Administration Rights removal
Maturity Levels – Application Control
Level One
Privileged access to systems, applications and data repositories is validated when first requested.
Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.
Level Two
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.
Level Three
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.
Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.