Gaining access to administrative accounts is often the goal of an attacker. What can you do to ensure that only appropriately trained and fully accountable people obtain and keep administrative access on your systems? The effort must start with an accurate, strictly maintained inventory of every account with elevated access. The change control board should approve every new account that requires persistent administrative access. Strict admission guidelines for administrative access will help curb the desire for everyone to be an administrator. Implement an annual renewal process that requires each administrator to justify his or her continued need for elevated access. Make participation in the on-call rotation part of holding administrative rights, so that elevated access carries the responsibility that goes with it.
Encourage administrators to maintain different passwords for administrator accounts where clear differences in system type exist, such as workstations and the individual server types, so that a credential captured on a workstation cannot simply be replayed against the servers. Reinforce this practice by requiring more frequent password expiry and stricter complexity rules for these elevated-access accounts.
Accounts with elevated access must be used only when administrative activities are required. Normal web browsing and e-mail should never be permitted from accounts that have elevated access: the damage a drive-by download or a phishing message can do under an administrative token is far greater than the convenience of letting a system administrator check a Twitter account.
Where feasible, require all administrative access to be obtained by elevating from a regular user account rather than by logging on with the elevated account. One way to facilitate this is to create a Microsoft Management Console (MMC) that includes all the tools needed for administration and open it with the Run As command using the credentials of the elevated account. The Windows command prompt can also be run as another user by right-clicking its icon and selecting the Run As option (Run as different user on newer versions of Windows), or by starting it with the runas command-line utility.
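The procedure above, as an added PowerShell example that is not part of the original text: it refuses to run from a session that already holds an administrative token, prompts once for the elevated account's password, and then starts the saved console and a command prompt under that account. The account name CORP\jdoe-adm and the console path C:\AdminTools\ServerAdmin.msc are placeholders.

```powershell
# Added example, not from the original text. Launches the administration console and a command
# prompt under a separate elevated account from a session that is logged on as a regular user.
# Placeholders: CORP\jdoe-adm (the elevated account) and C:\AdminTools\ServerAdmin.msc (a saved
# MMC console holding the snap-ins the administrator needs).
$AdminAccount = 'CORP\jdoe-adm'
$ConsolePath  = 'C:\AdminTools\ServerAdmin.msc'

# Refuse to run from a session that already carries an administrative token: the point of the
# exercise is that the interactive logon stays unprivileged.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Log on as a regular user and elevate from there; session '$($identity.Name)' is already elevated."
}

# Prompt once for the elevated account's password; the credential is held only in memory.
$cred = Get-Credential -UserName $AdminAccount -Message 'Password for the elevated account'

# Start the saved console as the elevated account. -Credential performs a separate logon for that
# account, the equivalent of:  runas /user:CORP\jdoe-adm "mmc.exe C:\AdminTools\ServerAdmin.msc"
Start-Process -FilePath 'mmc.exe' -ArgumentList $ConsolePath -Credential $cred

# A command prompt under the same account, for tools that have no snap-in.
Start-Process -FilePath 'cmd.exe' -Credential $cred
```

One caveat for systems with User Account Control enabled: neither runas nor Start-Process -Credential performs UAC elevation by itself, so the new process starts with the elevated account's standard token. Snap-ins that need a full administrative token may then prompt for, or refuse without, a further elevation; in that case start a PowerShell host under the elevated account and launch the console from it with Start-Process -Verb RunAs.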
Accurately and promptly recording every activity performed by members of elevated-access groups, as found in system and security logs, and distributing that record to the team helps determine how the access is used and increases accountability. Configure an automated report that lists every administrative activity from the previous day and send it daily to the entire team.
Look for default accounts on workstations and servers that can be removed or disabled. You must be able to explain and justify every account on your systems, and the faster you can identify a new account on a system, the better. The underlying goal is to do everything in your power to keep untrained or unauthorized people from gaining administrative access to your networks or systems.
Send automated alerts on any change, or attempted change, to any group whose membership grants elevated access. Produce daily alerts and reports of locked-out accounts, disabled accounts, accounts whose passwords have exceeded the maximum password age, and accounts with passwords that never expire.
Use the log review solution to create automated alerts for any new account, any new administrative access and any account lockout. At a minimum you will provide better customer service by knowing about accounts that need to be unlocked; the same alerts can also serve as indications and warnings of an attack, since a burst of lockouts across many accounts usually means someone is guessing passwords.
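The daily administrative-activity report, the privileged-group change alert and the account-hygiene report described in the three preceding paragraphs, as one added PowerShell example that is not part of the original text. It reads the Security log of a domain controller for the documented event IDs (4720 account created, 4740 lockout, 4728/4729, 4732/4733 and 4756/4757 membership added to or removed from global, local and universal groups), keeps only changes to the groups on a watch list, queries Active Directory for locked-out, disabled, password-expired and never-expiring accounts, and mails the result. It assumes the ActiveDirectory module is present; the watched group names, recipient addresses and SMTP host are placeholders.

```powershell
# Added example, not from the original text: the daily report and alert feed built from a domain
# controller's Security log plus Active Directory account state. Assumes the ActiveDirectory
# module; group list, addresses and SMTP host below are placeholders to replace.
Import-Module ActiveDirectory

# Security-log event IDs (Microsoft-documented) the report keys on.
$GroupChangeIds = @{
    4728 = 'Member added to global group';    4729 = 'Member removed from global group'
    4732 = 'Member added to local group';     4733 = 'Member removed from local group'
    4756 = 'Member added to universal group'; 4757 = 'Member removed from universal group'
}
$AccountIds = @{ 4720 = 'User account created'; 4740 = 'Account locked out' }

# Groups whose membership grants elevated access (placeholder list).
$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# Turn one EventLogRecord into a name -> value table of its EventData fields.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record) {
    $fields = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Watched-group changes, new accounts and lockouts between $Since and $Until (default: yesterday).
function Get-PrivilegedActivity {
    param([datetime]$Since = (Get-Date).Date.AddDays(-1), [datetime]$Until = (Get-Date).Date)
    $filter = @{ LogName = 'Security'; StartTime = $Since; EndTime = $Until
                 Id = [int[]]$GroupChangeIds.Keys + [int[]]$AccountIds.Keys }
    $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        $f = Get-EventFields $r
        if ($GroupChangeIds.ContainsKey($r.Id)) {
            # TargetUserName is the group, MemberName the DN of the member, SubjectUserName the actor.
            if ($f.TargetUserName -notin $WatchedGroups) { continue }
            [pscustomobject]@{ Time = $r.TimeCreated; Event = $GroupChangeIds[$r.Id]
                               Actor = $f.SubjectUserName; Group = $f.TargetUserName; Member = $f.MemberName }
        } else {
            # 4720: SubjectUserName created TargetUserName. 4740: TargetUserName was locked out and the
            # calling computer is in TargetDomainName (the subject of a 4740 is the DC itself).
            $actor = if ($r.Id -eq 4740) { $f.TargetDomainName } else { $f.SubjectUserName }
            [pscustomobject]@{ Time = $r.TimeCreated; Event = $AccountIds[$r.Id]
                               Actor = $actor; Group = ''; Member = $f.TargetUserName }
        }
    }
}

# Account-hygiene findings for the daily report (user accounts only).
function Get-AccountHygiene {
    [pscustomobject]@{
        LockedOut            = @(Search-ADAccount -LockedOut -UsersOnly)
        Disabled             = @(Search-ADAccount -AccountDisabled -UsersOnly)
        PasswordExpired      = @(Search-ADAccount -PasswordExpired -UsersOnly)
        PasswordNeverExpires = @(Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object { $_.Enabled })
    }
}

# Build the report; any watched-group change is an alert and is flagged in the subject line.
function Send-DailyAdminReport {
    param([string]$To = 'sysadmins@example.com', [string]$From = 'auditbot@example.com',
          [string]$SmtpServer = 'smtp.example.com')
    $activity = @(Get-PrivilegedActivity)
    $hygiene  = Get-AccountHygiene
    $body = @(
        "Privileged activity for $((Get-Date).AddDays(-1).ToShortDateString()): $($activity.Count) event(s)"
        ($activity | Sort-Object Time | Format-Table -AutoSize | Out-String)
        "Locked out: $($hygiene.LockedOut.Count)  Disabled: $($hygiene.Disabled.Count)  " +
        "Password expired: $($hygiene.PasswordExpired.Count)  Never expires: $($hygiene.PasswordNeverExpires.Count)"
        ($hygiene.PasswordNeverExpires | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize | Out-String)
    ) -join "`n"
    $groupChanges = @($activity | Where-Object { $_.Group })
    $subject = if ($groupChanges.Count -gt 0) { "ALERT: $($groupChanges.Count) privileged group change(s)" } else { 'Daily administrative activity report' }
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Subject $subject -Body $body
}

Send-DailyAdminReport
```

Run it from a scheduled task early each morning under an account that can read the Security log and query the directory; the group-change alert is in the mail subject so it is not lost in the body of a routine report, and the day's window is the previous calendar day so that nothing falls between two runs.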
Splunk is an example of a log review and consolidation tool. It compiles system, device and application logs into one place and provides a Google-like search interface over them. Searches can be created, refined and scheduled to run at regular intervals, and configured to send an alert when the number of results is greater than zero. This is a low-cost way to get wisdom from your logs.