Budgetless CIS Top 20: Control 4: Controlled Use of Administrative Privileges (PAM)

Summary: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

This control is important because an administrator, or any user account with privileged or admin access, could install malicious software from a phishing email, a malicious website, or any of several other methods, and could then pivot to other machines in the network that the account can reach, either because it has permission on them or because the admin accounts all share the same password. If an admin account on a lesser machine gets compromised via a password cracker, keylogger, etc., and that same account is used on other machines, the attacker can pass the hash throughout the network and spread to other systems.

As with most of these controls, with no budget you won’t be able to reach 100% on every subcontrol, but you can get a lot of them.

First of all, PowerShell is your friend. The first subcontrol is all about maintaining an inventory of administrative accounts, covering both domain and local accounts. I recommend this PowerShell script to get all the local admin accounts on domain computers. Then you can use PowerShell to go through all your domain administrative groups and make sure you recognize every account in them and that each one is still in use. (Example: Get-ADGroupMember -Identity "Domain Admins" -Recursive; repeat, replacing Domain Admins with Enterprise Admins, Exchange Admins, etc. for all admin groups.) Pipe all that to a CSV file for easier review.
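Here is an added example (my own, not from the original post or any product) that does the inventory described above in one pass: it walks a list of privileged groups recursively, pulls each user’s status from AD, flags accounts with no logon in 90 days, and writes everything to a CSV. The group names (including “Exchange Admins” as named in the post), the 90-day threshold and the output path are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and read access to group membership in the domain.
Import-Module ActiveDirectory

# Privileged groups to inventory (assumed list; add your own delegated groups)
$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                 'Administrators', 'Account Operators', 'Exchange Admins')
$StaleAfter  = (Get-Date).AddDays(-90)   # assumed "not used recently" threshold
$OutFile     = '.\admin-account-inventory.csv'

$Inventory = foreach ($Group in $AdminGroups) {
    # Not every group exists in every domain; warn and move on instead of stopping.
    try {
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Group '$Group' not found or not readable: $_"
        continue
    }
    foreach ($Member in $Members) {
        # -Recursive already expands nested groups; skip computer/gMSA members
        if ($Member.objectClass -ne 'user') { continue }
        $User = Get-ADUser -Identity $Member.distinguishedName `
                    -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
        [pscustomobject]@{
            Group                = $Group
            SamAccountName       = $User.SamAccountName
            Enabled              = $User.Enabled
            LastLogonDate        = $User.LastLogonDate
            PasswordLastSet      = $User.PasswordLastSet
            PasswordNeverExpires = $User.PasswordNeverExpires
            # Never logged on, or no logon within the threshold: review or remove
            Stale                = (-not $User.LastLogonDate) -or
                                   ($User.LastLogonDate -lt $StaleAfter)
        }
    }
}

# Full inventory for the review spreadsheet
$Inventory | Sort-Object Group, SamAccountName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Quick on-screen list of the accounts that need attention first
$Inventory | Where-Object { $_.Stale -or -not $_.Enabled -or $_.PasswordNeverExpires } |
    Format-Table Group, SamAccountName, Enabled, LastLogonDate, PasswordNeverExpires -AutoSize
```

Run it again after cleanup and diff the two CSVs; the difference is your record of which privileged accounts were removed or disabled.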

Make sure you change all default passwords before you deploy new assets. I’m going to assume you’ve known that for years and would never do that. You should also use unique passwords for each asset. If you are like me, you found this challenging for local administrator accounts on desktops and laptops, and every image version had the same local admin password, right? Until LAPS came along. LAPS is SUPER easy to deploy (it literally took me all of 4 hours to deploy to my entire environment) and is free from Microsoft. Search YouTube for ‘deploy LAPS’ and you’ll find several good videos; I found the first 3/4 of this one particularly useful.

Deploying multi-factor authentication is another subcontrol here and unfortunately can’t be done for free. However, nowadays you can do it pretty cheaply compared to 5 years ago. I recommend Duo and WatchGuard as low-cost but very good solutions. (Duo is actually free if you have under 10 users, which is great for testing, or if you have fewer than 10 admins, make sure at least they have MFA.) There are also a couple of open source MFA projects, LinOTP and Super Gluu, you could try.

The last two subcontrols you can do budgetless are having a separate admin account for all your admin users, for example username and username_admin, where they are required to use the _admin account to log into any server, perform admin activities, etc., and use a regular user account to log into their own machine. You could also use a dedicated workstation, segmented off the network and with no Internet access, for all admin tasks. The dedicated machine can’t be used for email, composing documents, browsing the Internet, etc. You can get close to this dedicated-machine control by using virtual machines on VMware Workstation for your admin tasks, with the virtual machine very locked down and on a different VLAN.

The remaining subcontrols are hard to meet 100% for free without tons of work. They are: limit access to scripting tools, log and alert on changes to administrative group membership, and log and alert on unsuccessful administrative account logins. There are a couple of scripts here and here that I’ve used to get failed login reports, and you can monitor changes with GPO or AD here, but that just puts an entry into an event log that you then need to monitor, maybe with the tools from CIS Control 1 we talked about; that’s still a lot to keep track of and monitor manually. It’s a lot easier if you can get a couple thousand dollars and buy something like Lepide or Netwrix to do this.

That’s it for this control, on to 5…