Super user?

Calum Macleod, European director of Cyber-Ark looks at the do's and don'ts of dealing with privileged user accounts

I never used to have to look for the telephone - it was always in the hall. But now we have this wonderful DECT system in the house with telephones in the key locations, such as my daughter's bedroom, usually under an Everest-like mountain of clothes.

No matter how often we've agreed that the person who last used the phone should put it back in its rightful place, it still seems that every time it rings the hunt is on.

Personally I think that the policy of returning the telephone to its rightful place is a good policy, my problem is enforcement, and I haven't got the time to monitor personally 24x7.

One of the biggest issues facing organizations is the elimination of bad practices related to the use and abuse of privileged accounts. Organizations frequently suffer from unrealistic policies that are being bypassed, usually because of a lack of resources, or having no policies with the result that there is no control.

It is therefore worth while considering some of the most common problems, and suggesting ways in which these can be improved.

User accounts have super user or administrative rights.
In general an organization should never allow any user account to have privileged access. In many organizations IT staff will create user accounts with administrative rights. This is frequently the case with UNIX systems where the root account is normally not accessible remote from the system.

The problem with this approach is that the actual user will frequently tend to use their specific user account for general access. This will result in serious problems when audits are conducted since IT security are faced with the problem of trying to decipher which log-ins were simply for general access, and which were for specific administrative tasks. In certain environments this practice can also expose the system to Trojan horse attacks, particularly in the Windows environment.

Recommendation. 
Since it will always be necessary to have shared accounts for services such as access to UNIX environments, and in some case Windows environments, the password for the shared accounts should be kept in a secure location, and the number of user accounts with privileged access must be kept to a minimum and passwords for these accounts must be changed on a regular basis.

Additionally access to the password for the shared account and the administrative/root/service passwords should be only available based on a 'need to have' basis which must be in the policy. By default every access to any of these passwords must have an audit trail.

Every shared account must have an account owner(s) who is responsible for controlling access to the account. This should allow for contingency procedures where any member of the responsible group can be authorized to release the password.

All systems share the same privileged passwords. 
This all too common practice means that systems are grouped according to categories, and all systems will share the same privileged passwords. This is a common practice in Windows environments where frequently all service accounts will share the same password, with the obvious result that having got the password for one service account, all accounts are now accessible.

Recommendation. 
Every privileged account must have its own unique password and should be configured to change at least every 30 days

Service accounts are not secured. 
A service account such as the account to manage an Active Directory will be used regularly but represents a serious security risk for an organization. Frequently administrators will use their privileges to set up service accounts, and when staff leaves an organization these accounts are overlooked.

Although service accounts can serve a useful purpose in ensuring that a specific user is only allowed the privileges necessary to do their function, these accounts must still either be assigned to specific users (if possible), resulting in considerable additional IT security administration, or must be shared among a group of privileged users.

Recommendation. 
Service account passwords should be kept securely and be changed very frequently.

Accounts have Non-Expiring Passwords. 
This situation is found commonly in two scenarios; either administrative or service accounts are set to non-expiry, or embedded accounts which are coded in scripts, especially database applications have non-expiring passwords.

In both cases these accounts represent a major security flaw since they are vulnerable to password cracking tools since the password never expires, and in the case of embedded accounts all personnel involved in the development and maintenance life cycle have knowledge of the account detail. Using embedded accounts is a relatively easy way for someone to access sensitive data without being traced.

Recommendation. 
All non-expiring accounts should be modified so that they change the passwords on a regular basis. Additionally since these accounts provide privileged access, no single individual should be allowed to change the passwords manually.

Policies are not applied to users universally. 
It is not uncommon to see organizations apply different standards to different staff. For example, managers have root access to all servers, and developers, and testers have root access to all development servers. It is imperative that organizations apply a consist policy for all staff, regardless of function or position.

Recommendation. 
The use of any privileged account must have the accompanying audit trail. Consideration should be given to differing policies for development and production systems.

For example, privileged access to a production system should only be possible with dual control, whereas a development system password may be accessible, within certain environments, without the need for dual control. Both production and development systems should be changed on a regular basis

Policies are not applied to groups universally. 
Frequently organizations will not have a consistent procedure between different groups. This results in various departments (Databases, UNIX, Windows, Mainframe, Networking, etc) working as independent entities without a consistent security policy.

Recommendation.
All groups, regardless of responsibility or location should adhere to a common policy. This implies that policies related to how passwords are released, and the frequency of change should apply across the board.

Guest IDs are set up with privileged access are not deactivated. 
This happens because many organizations depend on outsource or contract staff, or will frequently have technical support from vendors, requiring privileged access to specific systems. In fact there should not be a reason to define a guest privileged account.

Recommendation. 
External staff should never have privileged access to a system using a guest account. Access should use the default account, and the passwords should be immediately reset on completion of the task

Administrators access directly with privileged account. 
For practical reasons it is never possible to completely isolate direct access to systems. Frequently privileged users will be required to access a system from the system console, and in this case the user can always use the root or admin accounts if they access to the password.

Recommendation. 
The password must only be released under strict controls, and the policy must ensure that the password is directly changed after each use.

Emergency envelope (Firecall) accounts. 
These accounts are designed for use in specific emergency situations. In many cases the procedure is a manual procedure that requires that a password is placed in an envelope, and based on a security policy, access to the envelope is controlled.

Recommendation. 
Each use of this procedure should require that a designated member of each team is responsible to report each use to IT security, and the password should be changed within a minimum time period after the user has finished the necessary task.

If possible those responsible for releasing the passwords should not be able to know the password. A daily audit report should be carried out to report use of any Firecall accounts. Multiple IT security staff should be designated as having approval rights to authorize use, with a best practice of dual control.

Best Practice is Vital

In order to ensure that an organization protects its interests, it must ensure that clear policies and standards are in place to manage and control who has administrative access.

Ultimately the most effective approach is to ensure that the number of privileged accounts on systems is kept to an absolute minimum. This will significantly ease the administrative burden for the organization, and with effective password management access is controlled at the entrance.

The more effective the controls at the entrance, the less one has to worry about having distributed controls. Practice has shown that once the number of individuals who may access a system exceeds three, it becomes exponentially difficult to mange the process

The more user accounts that are defined with privileged access the closer the auditors are going to look at the policies, and especially the adherence to the policies.

Other areas to consider are ensuring that users are only given access if all the conditions are correct, such as are they on duty, are in they in an appropriate location  (releasing privileged passwords to the user in the internet café with VPN access is not appropriate policy no matter how urgent the situation).

Changing passwords regularly is a necessity, and not repeating passwords within certain time periods is a must. Also it becomes critical to maintain old passwords in a secure location since you never know when a particular system needs to be recovered.

It is important to understand that an organization should allocate privileges on a restricted basis, such as on an event basis, or a need to use basis, and that a detailed record is kept regarding what privileges have been given to whom, when, for what purpose, where were they when this was given, and who approved this request - for every single event. And of major importance ensuring that all authorization processes are completed, in the correct sequence before privileged access is allowed.

There are countless situations regarding the use of privileged accounts, and there are many technical solutions created to try and protect the privileged systems and applications to ensure that they are not vulnerable, but ultimately it is impossible to ensure that an infrastructure can be built that is 100 per cent secure.

It is therefore imperative that the strictest controls possible are applied to providing access to the passwords that are the keys that are needed to open each and every privileged account.

The challenge that has to be answered is how to ensure that requirements are enforced. In my opinion the only way to deal with this is with an effective password management technology, which enables the most repetitive processes to be automated, and allows IT security departments to enforce their policies. And as far as the telephone goes I'm thinking a piece of string and super-glue might be the answer.

www.cyber-Ark.com

May 2006

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.