ajbrehm (New Member, joined Mar 2, 2024, 1 message), Thread Author, #1
I have been struggling with this for some time...
At our company, like I assume at every enterprise, management believe that we (they) have implemented "least privilege principle", i.e. every software and every user has only those rights and privileges that are really needed for the task to be performed.
This is rather untrue though.
A lot of users are administrators on various servers because
a) "My application requires me to be an admin to use it"
b) "I have tested it with admin rights, do you want me to redo all the tests for 12 months?"
c) "We have always done it like this"
And a lot of applications (services, scheduled tasks etc.) run with admin rights because
a) "My application requires to be run as admin, vendor says so"
b) "I have tested it with admin rights, as has the vendor"
c) "We have always done it like this"
Users are to blame, admins are to blame, vendors are very much to blame (since they sell software that blatantly ignores enterprise rules and refuse to do anything after the sale), management is to blame (approve buying software that violates their own rules) and even MSFT is to blame (a lot of Microsoft software requires admin rights for tasks that have nothing to do with system administration or even application administration).
What we did to attack this issue, apart from discussing this with an uninterested vendor (one threatened me for my attempt to find out why their service failed without having certain write permissions which it technically shouldn't have needed), was this:
a) run procmon to find out where there are ACCESS DENIED results (and modify those ACLs)
b) create JEA configurations for programs that "need" to run with admin rights (for no particular reason, because they are not formatting disks etc.)
c) have a service that makes a user an administrator, lets him start a specific program matching a hash, watch his other activities, and wrap the program in a job object with a process limit of 1 to stop him escaping (this is used for IIS Manager, for example)
d) give admin rights temporarily for certain tasks (used for Remote Desktop Licence Manager)
Apart from running everything in containers (or replacing management with one that stops buying software that violates its rules), what can we do?
Any ideas? How do others deal with this?
(I know there are commercial solutions. I am looking at Beyond Trust Privilege Management at the moment. But that merely makes more things run with admin rights rather than with least privileges.)
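Added example for point a) above (this is not the poster's script and not vendor code): triage of a Process Monitor CSV export so that only the ACCESS DENIED results inside the application's own directories turn into an ACL change, and anything outside them is flagged for review rather than granted. The CSV rows, the service account `CORP\svc-vendorapp`, the process name `vendorapp.exe` and the application roots are constructed placeholders; the column layout matches Procmon's "Save as CSV" output.

```powershell
# Added example, not from the original post: find the ACCESS DENIED rows in a
# procmon CSV export and propose the narrowest ACL fix for each distinct path.
$serviceAccount = 'CORP\svc-vendorapp'   # placeholder: the identity the service runs as

# Constructed sample of a procmon CSV export, already filtered to one process.
# Not real capture data.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","vendorapp.exe","4120","CreateFile","C:\ProgramData\VendorApp\logs\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","vendorapp.exe","4120","CreateFile","C:\ProgramData\VendorApp\logs\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.3","vendorapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\VendorApp\Settings","ACCESS DENIED","Desired Access: Set Value"
"10:01:02.4","vendorapp.exe","4120","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.5","vendorapp.exe","4120","CreateFile","C:\ProgramData\VendorApp\config.xml","SUCCESS","Desired Access: Generic Read"
'@

# One record per (process, path): how many times it was denied and what access it asked for.
$denied = $sampleCsv | ConvertFrom-Csv |
    Where-Object Result -eq 'ACCESS DENIED' |
    Group-Object 'Process Name', Path |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Process = $first.'Process Name'
            Path    = $first.Path
            Access  = ($first.Detail -replace '^Desired Access:\s*', '')
            Count   = $_.Count
        }
    }

# Only paths under the application's own file and registry roots are candidates for a
# grant. A vendor app wanting to write system files is a finding, not a requirement.
$appRoots = @('C:\ProgramData\VendorApp', 'HKLM\SOFTWARE\VendorApp')   # placeholders

foreach ($d in $denied) {
    $inScope = $appRoots | Where-Object { $d.Path.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($inScope) {
        if ($d.Path -like 'HKLM\*') {
            # Registry keys have no icacls; note the required right and fix it with Get-Acl/Set-Acl.
            "# registry: grant $serviceAccount '$($d.Access)' on Registry::$($d.Path)"
        } else {
            # (M) = Modify on this object only, granted to the service account, not to Everyone
            # and not as an inheritable ACE on the whole tree.
            "icacls `"$($d.Path)`" /grant `"$($serviceAccount):(M)`""
        }
    } else {
        "# REVIEW: $($d.Process) wanted '$($d.Access)' on $($d.Path) ($($d.Count)x) - outside app scope, do not grant"
    }
}
```

Running it on the sample prints one `icacls` line for the log file, one registry note for the settings key, and a REVIEW line for the hosts file. Two caveats when using this on a real capture: many applications probe for access and fall back silently, so an ACCESS DENIED is only a real requirement if the function actually fails without it, and a grant should go to the specific service account (or the group of users who run the tool), never to a broad principal.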
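Added example for point b) above (again not the poster's configuration): a minimal JEA endpoint that lets a support group restart exactly one vendor service from a non-admin account. The module name `VendorAppJea`, the service name `VendorAppSvc` and the group `CORP\VendorApp-Operators` are placeholders; the script is run once, elevated, on the server that hosts the service.

```powershell
# Added example, not from the original post: register a JEA endpoint whose only
# capability is restarting one named service.
$moduleName    = 'VendorAppJea'
$roleName      = 'VendorAppOperator'
$serviceName   = 'VendorAppSvc'                # placeholder service name
$operatorGroup = 'CORP\VendorApp-Operators'    # placeholder AD group
$modulePath    = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath        = Join-Path $modulePath "RoleCapabilities\$roleName.psrc"
$psscPath      = Join-Path $modulePath "$moduleName.pssc"

# Role capability files are only discovered inside a module's RoleCapabilities folder.
New-Item -ItemType Directory -Path (Split-Path $rcPath) -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# The role exposes two cmdlets, and each one only accepts the single service name.
# ValidatePattern rejects 'Restart-Service -Name *' or any other service.
New-PSRoleCapabilityFile -Path $rcPath -VisibleCmdlets @(
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidatePattern = "^$serviceName$" } },
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = "^$serviceName$" } }
)

# RestrictedRemoteServer removes everything except the visible commands and a few
# session basics. RunAsVirtualAccount runs the commands under a temporary local
# admin virtual account, so the operator's own account never becomes an administrator.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ $operatorGroup = @{ RoleCapabilities = $roleName } }

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is invalid"
}
Register-PSSessionConfiguration -Name $moduleName -Path $psscPath -Force

# Operator usage, from a workstation, with an ordinary domain account:
#   Enter-PSSession -ComputerName <server> -ConfigurationName VendorAppJea
#   Restart-Service -Name VendorAppSvc
```

The trade-off this makes is the one the thread is really about: the elevated privilege still exists, but it is confined to a virtual account that only lives for the session, can only run the two commands above, and leaves a transcript in `C:\JeaTranscripts` for review. That is usually a better answer to "my tool needs admin" than making the human an administrator.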