Protecting Local Admin Authority on Windows Servers

Webinar Registration

I’m a big promoter of protecting admin authority, and when I talk about admin authority risks I use the term exploit in addition to abuse. So I’m not just talking about malicious admins (i.e. abuse). Rogue admins do exist, but the bigger risk is a bad guy exploiting the authority of an honest privileged user (i.e. exploit). There are many ways to do this, ranging from credential theft to privilege escalation, horizontal movement by APTs and more.
 
Normally, I focus on admin authority in Active Directory but this time I’m concentrating on local admin authority on member servers because at the end of the day it’s just as important. You have to protect privileged access on both levels:
  • If I can exploit or abuse admin authority in AD, I can take over any system in the forest and ultimately access any database, application or information
  • If I can exploit or abuse admin authority on a member server, I can access any database, application or information on that server
From one perspective it immediately seems like AD is the one to concentrate on, since the scope of risk is the entire forest. But wait a second. There are specific data we must protect, and at the end of the day it doesn’t matter to the bad guy or stockholder whether the weak point was Active Directory or the local server. You absolutely must protect both levels. This is another example of why my new mantra is “You have to do everything right”.
 
In this webinar, I’ll show you how local admin authority on Windows Server works. Just to be clear, I’m not just talking about the local Administrator user but anyone with privileged authority on a given server. That primarily translates to the members of the local Administrators group but there are additional ways to get privileged access to Windows and we’ll cover them.
 
In the IT audits I perform, I frequently find systems with, once you count them all up, an inordinate number of users with all-powerful admin authority on key member servers – like database servers, application servers, security solution hosts and virtual infrastructure management servers (e.g. VMware vCenter). If you can gain or abuse admin authority on these servers – who cares about AD?
 
Sometimes the reason for so many local admins is that different software on the server is managed by different teams. For instance, if you have one team that manages Windows Server itself, another database admin team that owns SQL Server, a security team that owns a vulnerability assessment agent on that server and then the application admins, you can easily have over 20 privileged users besides your domain admins.
 
So, I’ll explore how to implement least privilege on Windows. While the Windows OS is nowhere near as granular as AD in terms of delegation of control, there are a number of tasks in Windows that can be delegated if you know how to do it. We will look at service permissions, user rights, User Account Control, RunAs and more.
 
Regardless of whether your admin authority is very restricted or not, your ultimate control is auditing, and we’ll look at what admin activity you can audit with the Windows security log and identify what simply cannot be audited.
 
Centrify is my sponsor for this event and Brad Zehring, Director of Product Marketing, will follow up my presentation by demonstrating how their Windows Least Privilege and Audit solution gives you much more control over local admin authority and provides a full fidelity audit trail of everything an administrator does.
 
Don’t miss this real training for free™! Please register now!
 
 

Your information will be shared with the sponsor.


 

 
