5 Steps to Protect Privileged Users from Compromise

        In this article we give some recommendations that can help protect privileged accounts from compromise. One of the most common targeted-attack scenarios consists of the following steps:

        - Phishing (Initial access). After a successful phishing attack, the attacker proceeds to gain access to the endpoint and compromise the local user.
        - Privilege escalation. If the user does not have administrator rights, the attacker moves on to local privilege escalation.
        - Obtaining privileges (Credential access). If a domain administrator or another privileged user is logged on to the compromised endpoint, the attacker obtains the credentials of those accounts.
        - Distribution (Lateral movement). Compromise of AD, when the attacker gains access to domain administrator accounts.

        It follows that the attacker's key task is to gain access to privileged accounts: once this task is solved, further expansion within the victim's infrastructure becomes possible.


        How to resist unauthorized access to privileged accounts?
        To prevent unauthorized access, you must perform the following steps, which we will explore in detail.
        1. Use different administrative accounts.
        2. Maintain an internal password policy.
        3. Use Local Administrator Password Solution (LAPS) tools.
        4. Use multi-factor authentication.
        5. Use Privileged Access Workstation (PAW) tools.

        Additionally, to monitor the actions of privileged accounts, you should use tools such as Privileged Access Manager (PAM), which allow you to keep a text or video log of every action taken by accounts with elevated privileges.

        Using different accounts

        It is recommended to create granular accounts with the minimum privileges necessary to perform specific tasks. For administration, use only accounts with the appropriate set of privileges, e.g. "database server", "web", "workstation administrator" and so on. Be sure to train the employees who will use accounts with elevated privileges, in particular on how administrator privileges are to be used. For example, such privileges must not be shared with colleagues who do not hold them, in accordance with internal security policies.

        Important! Do not give a domain administrator account to domain users so that they can fix certain problems on a workstation. No matter how urgent the task is, never grant absolute access unless it is critically necessary for the functioning of the infrastructure.

        Implementing this recommendation reduces the risk of compromising an account with absolute rights in the infrastructure.

        Internal password policy

        It is recommended to develop an internal password management policy for all account types. It should set parameters such as password complexity, the frequency of password changes and the like. Passwords are conveniently managed using tools such as Local Administrator Password Solution (LAPS), discussed below.

        Implementing this recommendation reduces the risk of compromising the passwords of user and administrator accounts.
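        As an added example (not from the original article), the following PowerShell applies a stricter fine-grained password policy to a privileged group, so administrators get tougher requirements than the Default Domain Policy, and then verifies which policy each member actually receives. It assumes the ActiveDirectory RSAT module; the group name Tier0-Admins and the policy name are hypothetical.

```powershell
# Added example: a stricter fine-grained password policy (PSO) for privileged accounts.
# Assumes the ActiveDirectory module; 'Tier0-Admins' and the PSO name are hypothetical.
Import-Module ActiveDirectory

$policyName      = 'PSO-PrivilegedAccounts'   # hypothetical
$privilegedGroup = 'Tier0-Admins'             # hypothetical

# Lower precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Bind the PSO to the privileged group; its members now get this policy instead of the domain default.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $privilegedGroup

# Verification: report the resultant policy for every (nested) member of the group.
$defaultMinLength = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity $privilegedGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account       = $_.SamAccountName
            PolicyApplied = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength     = if ($pso) { $pso.MinPasswordLength } else { $defaultMinLength }
        }
    } | Format-Table -AutoSize
```

        Any member still showing "Default Domain Policy" is a gap to investigate: either the account is not in the group as expected or a PSO with a lower precedence value is overriding this one.
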
        Using Local Administrator Password Solution (LAPS)

        Active Directory has built-in LAPS functionality. This tool manages the passwords of local administrator accounts on domain-joined computers. LAPS functionality includes:
        • randomly generated, unique passwords for each managed computer
        • checking for passwords that have expired
        • replacing old passwords according to the internal password management policy
        LAPS functionality is controlled using Group Policy.

        Implementing this recommendation enables password management according to internal policies using a built-in Active Directory tool.
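        As an added example (not the article's own code), this PowerShell brings an OU of workstations under Windows LAPS and checks who is allowed to read the stored passwords. It assumes the built-in Windows LAPS module (Windows Server 2019/2022 or Windows 10/11 with the April 2023 update or later); the OU, group and computer names are hypothetical, and the password length, age and complexity values themselves are applied through Group Policy (Computer Configuration > Administrative Templates > System > LAPS).

```powershell
# Added example: delegate Windows LAPS for one OU and audit the delegation.
# Assumes the built-in LAPS module; OU, group and computer names are hypothetical.
Import-Module LAPS

$workstationOU = 'OU=Workstations,DC=example,DC=com'   # hypothetical
$helpdeskGroup = 'EXAMPLE\Helpdesk-L1'                  # hypothetical

# One-time, as Schema Admin: add the LAPS attributes to the AD schema.
Update-LapsADSchema

# Allow each computer in the OU to write its own (encrypted) password to its AD object.
Set-LapsADComputerSelfPermission -Identity $workstationOU

# Grant read and reset rights only to the group that actually needs them.
Set-LapsADReadPasswordPermission  -Identity $workstationOU -AllowedPrincipals $helpdeskGroup
Set-LapsADResetPasswordPermission -Identity $workstationOU -AllowedPrincipals $helpdeskGroup

# Check: list every principal holding LAPS extended rights on the OU. Any entry beyond the
# intended helpdesk group (or an inherited broad ACE) means the password store is exposed.
Find-LapsADExtendedRights -Identity $workstationOU |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Retrieve the current password of one machine when a helpdesk ticket requires it.
# Without -AsPlainText the password comes back as a SecureString.
Get-LapsADPassword -Identity 'WS-0001' -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp

# After the task, expire the password so the disclosed value is rotated at the next policy cycle.
Set-LapsADPasswordExpirationTime -Identity 'WS-0001'

# On the client itself (after the GPO is linked), force policy processing so the first backup happens now:
# Invoke-LapsPolicyProcessing
```
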
        Multi-factor authentication

        There are many tools for obtaining administrator passwords from the RAM of a workstation or server. For example, mimikatz dumps passwords from RAM, and BloodHound provides information about accounts with elevated privileges. Multi-factor authentication prevents a stolen password alone from compromising the account, since in addition to the password itself, additional factors are required to log in.
        Thus, multi-factor authentication provides additional protection for accounts with elevated privileges. User authentication in this case looks like this:
        • After entering the login and password, the system prompts the user for an additional factor.
        • The user enters the additional parameter, for example a generated code with a limited lifetime. There may be several such parameters, depending on the number of authentication factors.
        • Once all authentication steps have been completed correctly, the user is logged into the account with elevated privileges.

        Implementing this recommendation minimizes the risk of compromising accounts with elevated privileges.
        Using Privileged Access Workstation (PAW) Tools

        The essence of PAW is to separate the operating environments in which regular accounts and elevated privileges are used. Regular accounts should be used only on workstations. When an administrative task needs to be performed, a separate account is used to log on to the dedicated machine, and within that environment another account is used to perform the administrative task.
        This technique creates a buffer machine between the workstation and the critical assets. The peculiarity of such a machine is that it has no outbound access and is located in a separate network segment. This reduces the risk of infection, for example through phishing emails or the installation of untested software. In addition, such a buffer machine can be rebooted without the risk of impact on business processes.
        Note. Rebooting clears the RAM of traces of the accounts that were used.
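        Both the "different accounts" recommendation and PAW come down to one rule that can be checked: privileged accounts never log on interactively to ordinary workstations. As an added example (not from the original article), this PowerShell audits a workstation's Security log for such logons; it assumes the ActiveDirectory RSAT module and that it runs with administrator rights on the host (or against forwarded events on a collector).

```powershell
# Added example: find interactive/RDP logons of privileged accounts on a host that should
# only ever see regular user sessions. Assumes the ActiveDirectory module and admin rights.
Import-Module ActiveDirectory

# Privileged groups whose members must not log on to ordinary workstations.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privileged = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
$privileged = $privileged | Sort-Object -Unique

# Logon types that leave credentials in LSASS on the endpoint:
# 2 interactive, 7 unlock, 10 RemoteInteractive (RDP), 11 cached interactive.
$riskyLogonTypes = '2', '7', '10', '11'

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$findings = foreach ($e in $events) {
    # Event 4624 carries its fields as <Data Name="..."> elements; map them by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.LogonType -in $riskyLogonTypes -and $data.TargetUserName -in $privileged) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            Source    = $data.IpAddress
            Process   = $data.ProcessName
        }
    }
}

# Each row is a privileged credential that was exposed on this host.
$findings | Sort-Object Time | Format-Table -AutoSize
```

        The same 4624 pattern (privileged account plus logon type 2/7/10/11 on a non-PAW host) is what a SIEM rule should alert on centrally, since an attacker who already controls the workstation can clear its local log.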

        Managing user accounts and user identities is an ongoing process in an organization's operations. Properly setting up this process using all the tools and recommendations described here will significantly reduce the risk of account compromise and complicate the work of criminals during targeted attacks.