Welcome!

Article

Security Hardening of Windows by Reducing Privileged Access

5 steps to ensure ongoing privileged access security

By Derek Melber, Technical Evangelist, ManageEngine

As I tour the world helping Active Directory administrators, auditors and security professionals secure their Windows environment, I often get questions about privileged access. The questions usually are about how privileges are granted and how an organization can know if its privileges are correct. These are great questions considering the onset of so many attacks on Windows in the past five to seven years. It is important to see that privileged access is usually at the core of these attacks.

There are many ways to grant privileges in a Windows environment. Granting privileges is rather easy. Reporting and analyzing the current privileged access, however, can be a bit harder. There is no centralized location that shows an administrator or auditor the current privileged access. Understanding the different technologies and features that grant privileged access is the first step. Then, for each area where privileges can be granted, there are five steps that should be taken to ensure ongoing privileged access security.

Those steps include:

  • Reporting on the current settings
  • Analyzing the settings to understand who has privileged access
  • Configuring the correct privileged access
  • Monitoring for changes to privileged access
  • Alerting, in real time, for key privileged access changes

 

The technologies and features in a Windows environment that grant privileged access include:

  • Group membership
  • User rights
  • Access control lists or permissions
  • Delegation

Group Membership

Depending on how the group is configured in the environment, it can have the highest level of privileges or just a few privileges. For example, the Domain Admins group has nearly the highest level of privileges in the entire Active Directory domain. Just adding a user to this group grants this level of privilege. However, the most complex concept with reporting on groups is to get the recursive group members, i.e., the users who are located in nested groups of the main group and who need to be reported as well.

There are plenty of reporting tools that can get group membership recursively, though. PowerShell by Microsoft and ADManager Plus by ManageEngine are two options.

User Rights

User rights control global access over different aspects of a domain controller, server or workstation. User rights are configured using Group Policy, giving granular control of each computer individually. Therefore, each computer could have a unique set of user rights, making the reporting and configuration of these settings difficult and time consuming.

Every Windows computer comes with a built-in tool, secpol.msc, which can report the current user rights on each computer. The tool must be run locally, but it is extremely powerful and gives precise configurations. Since each user right provides some level of privilege over the computer, each and every user right should be evaluated and configured to meet the minimum requirements for server access.

Access Control Lists

Controlling access to files and folders is essential for assuring the security of data within any organization. You need to properly configure the access control lists for your key data and ensure that they only provide access to the appropriate people. The wrong privileges granted to a file or folder could severely hurt, or even destroy, a company.

Reporting on who has access to a file or folder is a monumental task, due to the volume of files and folders on a typical network. Therefore, selection of the most important data must occur, and then those selected files and folders can be the focus of the security hardening. There are many tools that can help report on data access control lists, but if you do not want to purchase a tool, you can always use the built-in xcacls.exe tool, which comes with all Windows computers.

Delegation

The concept of delegation falls under the category of access control lists, but it is a specific term used for Active Directory and Group Policy management. Due to the complexity of Active Directory delegation, the configuration of the delegation is typically done through the Delegate Control Wizard. This wizard is located on the drop-down menu for the domain node for each Organizational Unit in the Active Directory Users and Computers tool. The wizard defines which account (user or group) is granted a specific task. The most common tasks are resetting passwords for users and modifying group membership, both of which have a potential impressive security impact if the wrong account is granted the delegation.

The Delegate Control Wizard can only configure the delegations-it can't report or remove delegations. Therefore, a different tool must be used for each task. The built-in dsacls.exe tool is ideal for reporting on delegations for each Active Directory node. As for modifications to existing delegations, that is typically left up to manual efforts performed on the Security tab located on the object's Property page.

Summary

Assuring that privileged access is understood, configured properly and monitored is a huge step toward hardening the security of your Windows environment. Without the correct reports, configurations or monitoring, it is impossible to know what privileges are granted. Beyond that, without the knowledge of privileged access, you are leaving your organization open for an easy attack. However, with the correct tools in place to monitor and alert on changes to correct privileged access, there is little that can sneak by you if an attack occurs.

Derek Melber is the technical evangelist for ManageEngine, a division of Zoho Corporation. As one of only a handful of Microsoft Group Policy MVPs, Derek helps Active Directory administrators, auditors and security professionals understand the finer points of how to manage, audit, recover and solve issues that occur in Active Directory and Group Policy. He educates IT professionals worldwide on Active Directory, Group Policy and Security and has authored over 15 books on Windows security and management. He's famous for his video shorts in which he offers quick, practical solutions for Active Directory management.

More Stories By ManageEngine IT Matters

ManageEngine believes IT management can be simple and affordable. Our authors share insights and how-to tips for SMBs and large enterprises. Over 120,000 companies around the world – including three of every five Fortune 500 companies – trust our products to manage their networks, data centers, business applications, and IT services, and security. We take a straightforward, customer-centric approach to IT management software. Our customers' needs drive our product philosophy. And we've built a strong, in-house R&D team to support our product team and turn customer requests into product realities. We look forward to hearing from you.

Latest Stories
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
"MobiDev is a Ukraine-based software development company. We do mobile development, and we're specialists in that. But we do full stack software development for entrepreneurs, for emerging companies, and for enterprise ventures," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, highlighted the current challenges of these transformative technologies and shared strategies for preparing your organization for these changes. This “view from the top” outlined the latest trends and developments i...
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, paneli...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
SYS-CON Events announced today that TMC has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo and Big Data at Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Global buyers rely on TMC’s content-driven marketplaces to make purchase decisions and navigate markets. Learn how we can help you reach your marketing goals.
Managing mission-critical SAP systems and landscapes has never been easy. Add public cloud with its myriad of powerful cloud native services and this may not change any time soon. Public cloud offers exciting new possibilities for enterprise workloads. But to make use of these possibilities and capabilities, IT teams need to re-think everything they have done before. Otherwise, they will just end up using public cloud as a hosting platform for their workloads, aka known as “lift and shift.”
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
SYS-CON Events announced today that TechTarget has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets.
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
SYS-CON Events announced today that Ayehu will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara California. Ayehu provides IT Process Automation & Orchestration solutions for IT and Security professionals to identify and resolve critical incidents and enable rapid containment, eradication, and recovery from cyber security breaches. Ayehu provides customers greater control over IT infras...
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...