Originally Posted on Microsoft Security Blog
In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the most business value today as well as the initiatives that the organization is banking on for the future. This typically includes intellectual property, customer data, key new digital initiatives, and other data that, if leaked, would do the greatest reputational and financial damage. Once we’ve identified the highest value assets, it inevitably leads to a conversation about all the privileged accounts that have administrative rights over these assets. Most of our customers recognize that you can no longer protect the enterprise just by securing the network edge; the cloud and mobile devices have permanently changed that. Identities represent the critically important new security perimeter in a dual perimeter strategy while legacy architectures are slowly phased out.
Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.
If you are working on initiatives to secure your privileged accounts (and I hope you are ), this post is designed to help. I’ve shared some of the principles and tools that Microsoft has used to guide and enhance our own security posture, including some prescriptive roadmaps to help you plan your own initiatives.
Protect the privileged access lifecycle
Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we aren’t just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).
Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organization’s systems from risks. It requires changes to:
- Processes, habits, administrative practices, and knowledge management.
- Technical components such as host defenses, account protections, and identity management.
Principles of securing privileged access
Securing all aspects of the privileged lifecycle really comes down to the following principles:
- Strengthen authentication:
- Move beyond relying solely on passwords that are too often weak, or easily guessed and move to a password-less, Multi-Factor Authentication (MFA) solution that uses at least two forms of authentication, such as a PIN, biometrics, and/or a code generated by a device.
- Make sure you detect and remediate leaked credentials.
- Reduce the attack surface:
- Remove legacy/insecure protocols.
- Remove duplicate/weak passwords.
- Reduce dependencies.
- Increase monitoring and detection.
- Automate threat response.
- Ensure usability for administrators.
To illustrate the importance we place on privileged access controls, I’ve included a diagram that shows how Microsoft protects itself. You’ll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attacker’s eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.
Prioritize quick, high-value changes first using our roadmap
To help our customers get the most protection for their investment of time/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.
Check out the Azure Active Directory (Azure AD) roadmap to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which I’ve included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.
On-premises privileged identity roadmap
There are three stages to secure privileged access for an on-premises AD.
Stage 1 (30 days)
Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.
1. Separate accounts: This is the first step to mitigate the risk of an internet attack (phishing attacks, web browsing) from impacting administrative privileges.
2 and 3. Unique passwords for workstations and servers: This is a critical containment step to protect against adversaries stealing and re-using password hashes for local admin accounts to gain access to other computers.
4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.
5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.
Stage 2 (90 days)
These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.
1. Require Windows Hello for business: Replace hard-to-remember and easy-to-hack passwords with strong, easy-to-use authentication for your admins.
2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).
3. Just in time privileges: Lowers the exposure of privileges and increases visibility into privilege use by providing them to admins as they need it. This same principle is applied rigorously to admins of our cloud.
4. Enable credential guard on Windows 10 workstations: This isolates secrets for legacy authentication protocols like Kerberos and NTLM on all Windows 10 user workstations to make it more difficult for attackers to operate there and reach the admins.
5. Leaked credentials 1: This enables you to detect a risk of a leaked password by synchronizing password hashes to Azure AD where it can compare them to known leaked credentials.
6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.
Stage 3: Proactively secure posture
These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.
1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.
2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.
3. Lowers the attack surface of domain and domain controller: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks like unpatched vulnerabilities and exploiting configuration weaknesses.
4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).
Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.