How to Monitor Administrator Users and Protect Their Accounts

Have you considered that users with administrator permissions should also be controlled? It is not a possibility but a fact. Just as we must monitor “normal” users, we must also monitor administrators. They hold multiple permissions, including access to and manipulation of data sets that generally contain sensitive information. This guide presents the best practices for having full visibility of these super users and protecting yourself from potential “insider” attacks.

Users who have administrator permission have power. They have full access to all network resources and are the ones relied on to solve many network problems. Unfortunately, this user profile is not well regarded by many people within an organization. There is even a certain prejudice towards people who work in IT in general.

Monitor Administrator Users

It is common to hear or read that they spy on colleagues, that at any moment they are going to install viruses on their computers or, worse, that any problem on the network happens because they intended it to. How much mistrust can there be towards those who work in IT, including those who have administrator permissions? It is not impossible.

In this article we propose some actions for gaining greater control over the users who have administrator permissions. The main objective is that these permissions remain in the hands of those who really need them. This will also help improve the reputation of this type of user in general. Next, we highlight the most important ones.

Multi-Factor Authentication

This authentication method is key for users to access the network with the resources and privileges they need. Likewise, it is an ally in ensuring that the management of access to resources and privileges complies with internal, local, national and international regulations. We should never neglect the legal aspect.

Administrator accounts in services such as Office 365 do not require additional licenses or permissions. Therefore, in a small network it is not usually necessary to have a single administrator user; administrator roles can be assigned to multiple users, that is, to everyone in that small organization who needs one. In sum, a further level of security can be added by using Multi-Factor Authentication services such as Microsoft Authenticator or Google Authenticator.

If you don’t already know it and would like to try Google Authenticator, you can access the shortcut below and try it as soon as possible:


However, if the security and compliance requirements call for it, you can have a single administrator user. In turn, for greater protection, this authentication method can be enforced for that administrator not just on one device but on several.

Multi-Factor Authentication at Microsoft

If the network you manage is governed by Microsoft applications and services, you should know that the use of Multi-Factor Authentication is already mandatory for all accounts belonging to organizations that are Microsoft partners. Without a doubt, this is a point you should check when hiring the services of a company that claims to be a Microsoft partner.

On the other hand, the security settings of various roles for user accounts in Azure Active Directory have been updated, and the change is that they must now use this authentication method. This applies to the following administrator roles:

  • Global
  • SharePoint
  • Exchange
  • Conditional Access
  • Security
  • Helpdesk
  • Billing
  • User
  • Authentication

Legacy-type authentication was therefore blocked: that is, authentication from clients that do not use any modern authentication method, such as Office 2010 and earlier clients. It also covers clients that use old protocols to communicate, such as the email protocols SMTP, POP3 and IMAP.

Unfortunately, even if Multi-Factor Authentication is added on top of these legacy authentications, these “outdated” clients remain vulnerable to attack. From the moment a cybercriminal manages to compromise any of the old protocols or legacy applications, the added multi-factor step is no longer of any use. It is as if it had never existed.

Minimize the risk of sharing access

Any access with administrator permissions or global administrator permissions must be closely monitored. Therefore, its scope and capabilities must strictly conform to what was originally defined. However, an administrator user should not be given excessive limitations on the resources they can consume, nor on the information and processes they can access.

A good practice for admin users is the use of Privileged Access Workstations. They provide an operating system dedicated to performing tasks with a high level of sensitivity. Consequently, they offer a high level of protection against cyber attacks from the Internet and security threats in general. The advantage of using this type of workstation is that it allows highly critical and sensitive tasks to be cleanly separated from traditional devices.

On the other hand, it is highly recommended to limit the number of users with administrator permissions. The recommended limit is 5 accounts, depending on the size and requirements of the network. Beyond that, accounts with sub-administrator permissions can be created and distributed by key areas of the organization. In this way, each sub-administrator user has complete control only over what corresponds to their area.

Establish emergency accounts

Another recommended measure is the creation of emergency accounts when Azure services (Azure Active Directory) and/or Office 365 are used. These accounts do not need to have Multi-Factor Authentication configured. If something happens to the “official” accounts that do use this authentication method, you can regain access to these services through the emergency account.

In addition, you can create an administrator account that does not have Multi-Factor Authentication and that is also excluded from any policy. The password you configure for it must be quite long. To monitor and have visibility of whether that account has been used, we share through this link an excellent YouTube tutorial that demonstrates step by step how to do it.

The video we have shared is in English, but we have watched it in its entirety, and you can opt for automatic translation of the subtitles into Spanish if you need it. The steps are quite straightforward, and the main prerequisite is that you have an Azure Active Directory Premium account. If you do not have one, a free 30-day trial is available, which will let you test the monitoring of emergency accounts.
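To get the visibility the article asks for, a defender can scan exported sign-in logs for the two things the text singles out: any sign-in by the emergency account (which has no Multi-Factor Authentication) and any sign-in through a legacy protocol such as SMTP, POP3 or IMAP. The following Python script is an added example and not code from the original article: the record layout follows the field names of Microsoft Graph signIn objects, the account names and log lines are constructed samples, and the set of legacy client names is an assumption.

```python
"""Flag sign-ins that deserve review: any use of the emergency (break-glass)
account, and any sign-in through a legacy protocol that cannot enforce MFA.
Records mimic Microsoft Graph signIn objects (field names assumed from that
schema); all values below are constructed samples, not real tenant data."""
import json

# Emergency accounts are excluded from MFA, so every sign-in is an event (assumed name).
EMERGENCY_ACCOUNTS = {"breakglass@example.onmicrosoft.com"}

# clientAppUsed values that identify legacy protocols (assumed subset; the page names SMTP, POP3 and IMAP).
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed newline-delimited JSON export of four sign-in records.
SAMPLE_LOG = """
{"createdDateTime": "2021-03-01T08:02:11Z", "userPrincipalName": "alice@example.onmicrosoft.com", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-01T08:10:45Z", "userPrincipalName": "bob@example.onmicrosoft.com", "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-01T23:41:03Z", "userPrincipalName": "breakglass@example.onmicrosoft.com", "clientAppUsed": "Browser", "ipAddress": "192.0.2.55", "status": {"errorCode": 0}}
{"createdDateTime": "2021-03-02T02:15:27Z", "userPrincipalName": "carol@example.onmicrosoft.com", "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(record):
    """Return the list of reasons this sign-in should be reviewed (empty if none)."""
    reasons = []
    if record.get("userPrincipalName", "").lower() in EMERGENCY_ACCOUNTS:
        reasons.append("emergency-account-signin")
    if record.get("clientAppUsed") in LEGACY_CLIENTS:
        # A failed legacy attempt (non-zero errorCode) is also worth seeing:
        # it shows the protocol is still reachable for guessing attempts.
        ok = record.get("status", {}).get("errorCode", 0) == 0
        reasons.append("legacy-auth-success" if ok else "legacy-auth-failure")
    return reasons

def find_alerts(text):
    """Return (timestamp, upn, reasons) for every record that needs review."""
    alerts = []
    for rec in parse_signins(text):
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["createdDateTime"], rec["userPrincipalName"], reasons))
    return alerts

if __name__ == "__main__":
    for when, who, why in find_alerts(SAMPLE_LOG):
        print(f"{when} {who}: {', '.join(why)}")
```

In practice the same records come from the Azure AD sign-in log export or the Microsoft Graph sign-ins endpoint, and any hit on the emergency account should page someone, since that account is never expected to be used outside an incident.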