Least Privilege – It Does Make a Difference

Micro Focus has been talking about the dual principles of least privilege (limiting access to what is actually needed versus what is wanted) and separation of duties (for example, preventing one person from submitting an invoice and then paying it) for a long time. Of course, we also sell solutions that can detect and correct violations of both, through discovery and by closing the loop by altering permissions.

Least privilege, limiting access to what is actually needed versus what is wanted, and separation of duties are important because they can help mitigate the threat if an outsider becomes an insider. How does an outsider become an insider? Without actually using the words, I talked about several ways that it can happen in this article.

As if to reinforce the importance of the principle of least privilege, a new report by Avecto states that 94% of critical Microsoft vulnerabilities are mitigated by removing admin rights from the user. They go on to state that if the insider doesn’t have admin privileges, then an outsider who becomes an insider de facto also doesn’t have them.

While you may be thinking endpoints – like PCs, I’m willing to bet that your company is using Windows Server to host some of your most sensitive information. Your admins might even be using Microsoft Office on your servers for tracking and writing reports, or firing up a browser to check out articles on something they might be seeing on the server.

Lock Down Your Admins

Micro Focus offers targeted solutions which help ensure that your administrators only need admin rights for the short period of time when they actively are managing your applications, servers, or even Microsoft Active Directory (AD).

Yes, you read that right! Micro Focus Directory Resource Administrator (DRA) can lock down AD, preventing rogue insiders or outsiders-as-insiders from running roughshod over your installation. DRA also can allow you to safely delegate permissions to your people managers, offloading IT so that they don’t need to deal with everyday tweaks to user policies.

And just as important as locking down AD access is preventing mistakes when a Group Policy is changed. Group Policies, or GP, allow organizations to manage various security and system configurations throughout the enterprise, and they can extend to Mac and Linux systems in addition to Windows.

Despite advancements since their introduction in Windows 2000, there still are not “model this to let me know if there are side effects” or “are you really sure you want to do this?” buttons. One wrong GP change can render an enterprise environment unavailable, and can even lock out your admins so that they cannot correct the problem. The technical term is “to bork” and even Microsoft has borked GP by accident.

As you might have surmised, Micro Focus offers Group Policy Administrator (GPA) software to minimize the risk of editing group policies. GPA allows you to model offline Group Policy changes to look for unintended side effects, gives you a warning before you make a permanent change, and establishes separation of duties between those who may work on Group Policies (create and edit) and those who have responsibility for change management (putting Group Policies into production).

Prove it!

Right about now, you’re thinking that you would like to see some proof of how Micro Focus can help you protect Active Directory.

Patterson Companies, Inc. is a market-leading dental and animal health company serving the United Kingdom and North America markets. They are supporting over 10,000 users in Active Directory with Office 360 and Exchange, and are planning for substantial growth in the Cloud.

Patterson needed to close operational gaps in their native Microsoft tools and ensure that they are ready for their cloud initiative. Directory Resource Administrator lets them customize user access based on job function to protect health care, financial, customer and employee information from improper access, whether local or Cloud. But better still, delegation allows common administrative tasks to be shared across the organization, freeing up the most skilled IT personnel to concentrate on planning and complex issues.

Are Those Chickens in the Henhouse?

Removing admin rights is the right thing to do to minimize vulnerabilities. But what if a user needs to be an administrator to do his or her job? What if you could allow admins to do their jobs without being admins, monitor what is being done, and shut down the session if company policy is violated?

Micro Focus Privileged Account Manager (PAM) is designed to do just this. It removes the need for admin access to systems, databases, applications, and the cloud – by vaulting credentials and allowing their use based on need. PAM also secures those credentials through multi-factor authentication, and can monitor and record every session. It also can manually or automatically terminate a rogue session based on the pre-defined level of risk to your organization.

Don’t be Late to the Party

What if you could remove 94% of critical Microsoft vulnerabilities almost instantly? What if you could do it without impacting management of your key applications, servers, and Microsoft Active Directory? How about offloading IT staff from mundane activities? How would your life change for the better if you contacted Micro Focus to learn more about our Security Management solutions today?

Ron LaPedis