Feb 22 2016

Protecting Privileged Federal Users

Hackers continuously target IT staff, so how do you keep staff secure?

End users represent the weakest link in the security chain, but nefarious actors increasingly target IT staff as well.

Social networking sites such as LinkedIn can provide hackers an entry point into government networks. Hackers use such sites to steal personal information that could later grant privileged access.

IT staff often have access to privileged credentials, as well as a broader range of access to servers and databases than other employees. IT managers must ensure the devices and accounts they use to access those resources are adequately protected.

Here are some ways IT managers can help staff protect themselves.

Issue Standard User Accounts

Resist the temptation to give help desk staff administrative access across the board to expedite the resolution of support incidents. This approach weakens overall security and allows for changes to systemwide configuration settings that can cause performance issues and usability problems.

Third-Party Success

The challenges involved in removing users’ administrative rights, such as providing access to install software updates, generally don’t apply to IT staff. Nevertheless, IT managers will need to find a way to grant administrative access when needed. A third-party privilege management solution is the preferred approach. It typically provides a seamless user experience and the highest level of security.

Domain Restriction

Only domain controllers should have domain administrator accounts, but this basic security best practice routinely gets flouted. IT managers must consider an entire network endangered once administrator accounts are hacked.

For enterprises with Windows Server 2012 R2 domain controllers, adding domain administration accounts to the Active Directory Protected Users group can improve security.

Endpoint Awareness

One of the best ways to secure privileged accounts is to constrain endpoints, restricting them to a limited set of commands that provide granular control over sensitive systems.

PowerShell provides this functionality. It is an excellent way to administer systems and also the most secure way to administer devices.

Think Configuration

Some simple tweaks to system configuration can provide additional security.

The new Microsoft Just Enough Administration toolkit for PowerShell 5.0 makes it easier to configure systems.

The toolkit also implements a local administrator account with a randomly generated password. Users do not need to know that password, which resets daily. JEA uses a unique local admin account on each server, reducing the risk of multiple server hacks.
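As an added illustration of the constrained endpoints and Just Enough Administration described above (this is not code from the article or from Microsoft's toolkit), the script below registers a restricted endpoint with the JEA cmdlets built into PowerShell 5.0. It runs commands under a temporary virtual account rather than the toolkit's daily-reset local administrator account, and the group CONTOSO\HelpDesk, the module name HelpDeskJEA, the endpoint name HelpDesk.Maintenance and the permitted tasks are assumptions chosen for the example.

```powershell
#Requires -Version 5.0
#Requires -RunAsAdministrator
# Added example: a JEA endpoint that lets help desk staff run a short,
# fixed list of commands without holding administrator credentials.
# All names (HelpDeskJEA, CONTOSO\HelpDesk, HelpDesk.Maintenance) are hypothetical.

# Role capability files are discovered in the RoleCapabilities folder of a module.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpDeskJEA.psd1')

# Role capability: the only commands a connected operator can see or run.
$role = @{
    Path           = Join-Path $roleDir 'HelpDeskOperator.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        # Restart-Service is exposed, but only for the two named services.
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )
    VisibleExternalCommands = 'C:\Windows\System32\ipconfig.exe'
}
New-PSRoleCapabilityFile @role

# Session configuration: who may connect, which role they get, how it runs.
$jeaDir  = Join-Path $env:ProgramData 'JEA'
$session = @{
    Path                = Join-Path $jeaDir 'HelpDesk.pssc'
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode, minimal default commands
    RunAsVirtualAccount = $true                      # temporary per-session account; no password to share
    TranscriptDirectory = Join-Path $jeaDir 'Transcripts'   # record every session for review
    RoleDefinitions     = @{
        'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDeskOperator' }
    }
}
New-Item -ItemType Directory -Path $session.TranscriptDirectory -Force | Out-Null
New-PSSessionConfigurationFile @session

# Validate before registering; registration restarts the WinRM service.
if (-not (Test-PSSessionConfigurationFile -Path $session.Path)) {
    throw "Session configuration file failed validation: $($session.Path)"
}
Register-PSSessionConfiguration -Name 'HelpDesk.Maintenance' -Path $session.Path -Force

# Review what the endpoint exposes before handing it to staff.
Get-PSSessionConfiguration -Name 'HelpDesk.Maintenance' |
    Select-Object Name, RunAsVirtualAccount, Permission
```

Members of the assumed group connect with `Enter-PSSession -ComputerName <server> -ConfigurationName HelpDesk.Maintenance` using their standard accounts, and any command outside the role capability is rejected.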
