The Principle of Least Privilege

One of the most important concepts in cybersecurity is the principle of least privilege. It states that users should only have access to the resources and information that are necessary for them to perform their function.

By limiting access, we reduce the potential damage that can be caused by an attack.

For example, someone in operations may not need access to the sensitive financial data being managed by accounting.

Restricting their access to this information helps to minimize the risk of unauthorized disclosure or manipulation. Furthermore, by restricting the employee’s access to a given application, we make it more difficult for an attacker to use that access in other ways.

What Are Privileges?

In the field of information security, privilege is often defined as the authority a given account or process has within an IT environment. For example, local administrative privilege on a workstation endows the user with the power to disable or bypass many security restraints. Such a user will have permissions to perform such actions as shutting down systems, installing drivers, configuring hardware, provisioning other accounts, and disabling security protocols.

Privileges are critical to IT operations and serve an important purpose when used correctly.

The ability to create privileges allows IT professionals to assign users, applications, and other system processes various levels of rights to access resources.

The capability to denote privileges for user accounts and operational processes is built into operating systems, file systems, databases, hypervisors, cloud management platforms, and many enterprise software applications. In other cases, global or granular privileges can be configured by a system or network administrator.

Depending on the IT landscape, some privilege assignments may be role-based. For instance, members of different departments may have different levels of access because their accounts are assigned to different role groups. These decisions are typically based on what level of access is needed to complete their everyday tasks.

What Are Privileged Accounts?

Privileged accounts include any account that provides access beyond those of non-privileged or “standard” user accounts. Any user with privileged access, typically gained by ownership of a privileged account, is known as a privileged user.

One simple example is that of an email administrator. If we think about how organizations manage email, most users are going to be regular, non-privileged users. Their roles require them to be able to send and receive emails, but not add new email users or delete existing ones. In contrast, the organization will also have at least one email administrator account, which is needed to manage email across the organization. This account will have access to the back end of the email software, providing them access to be able to add, delete, or modify users; change or reset email passwords; etc.

While it might be convenient for small business owners to give employees access to various admin accounts, this behavior also presents a serious security risk.

Example: Local Administrator

When it comes to privilege management, small businesses need to be particularly careful of who has administrator privileges. There are different types of administrators, and we’ll see some examples in this article. But let’s take a quick look at local administrator accounts, which are accounts with administrative access to a specific machine (computer). Common examples are the default ‘Administrator’ account on Windows computers, or the ‘root’ account on Linux devices.

User accounts with local admin rights possess virtually unlimited access to do anything they want on their device(s). When a user has admin access, they can download and install applications, use any program, change system configurations, and even modify or revoke other administrative accounts. Such power nullifies much of the protection offered by perimeter cyber defense.

A user with local admin rights can easily bypass or remove measures like firewall and antivirus and install malware, steal data, or conduct other malicious actions. In short, admin privilege gives a user – or a compromised user – the metaphorical “keys to the castle” on that system. As a result, local admin accounts are highly targeted by attackers.

In Windows networks that use Microsoft Active Directory, local administrator accounts are additionally coveted by attackers because they can be further used to deploy a wide range of attacks across the entire network. For example, an attacker can use just one local admin account to fully enumerate the entire Active Directory domain and identify common misconfigurations that can be exploited to further their goals.

So we can see why these accounts are so important to protect – and also, why they are regarded as being extremely valuable to attackers.

Implementing the Principle of Least Privilege

Implementing the principle of least privilege involves carefully defining and assigning roles within an organization. We need to think about (specifically) what each user, or role, requires to do their job.

For example, users in finance require access to a specific set of software as well as the systems they need for their job. The software and systems used by people in accounting are probably different from the software and systems used by people in sales.

We want to make sure that the people in accounting are given access to everything they need, but nothing that they don’t.

The easiest way to do this is to create two groups: (1) accounting, and (2) sales. We can then manage group memberships and group permissions, which will apply to all members of the group.

User and Administrator Accounts

There are often at least two types of accounts, user and administrator:

  1. User accounts have access to use a given application or computer. Think of an email user, who has access to an email application that allows them to send and receive email.
  2. Administrator accounts have privileged access that allows them to manage the application or computer. Think of the email app administrator, whose job it is to add and remove people from the system, help regain access or change a password, etc.

In the example above, both the accounting and sales teams most likely use specialized software. Most users will only be granted access using a user account, not an administrator account. It is possible that the manager or senior personnel are granted administrator access. However, it is best practice that admin access be granted to IT personnel only.

Keep in mind that there are permissions for things like 1) computers, 2) applications, 3) servers / services, and 4) the domain (in an Active Directory environment).

Once we have carefully defined each role in the company and identified the services that every employee needs to do their job:

  1. Each user should be granted the minimum level of access rights and permissions needed to carry out their tasks. This includes user accounts in applications.
  2. Roles requiring administrator access to an application, computer, or domain, should have a separate account for each individual administrator role.
  3. The admin structure should be tiered as much as possible (while only using accounts that make sense for the organization). For example, computer admins shouldn’t also be domain admins.
  4. Admin accounts are the most precious. Always use strong passwords with them and never reuse them. It used to be common for IT admins to use the same username and password on every computer in an organization. If this is the case and an attacker gains control over one machine, they can very easily gain control over the entire organization.
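The four steps above, carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. It creates the accounting and sales groups from the earlier example, a standard daily-use account, and a separate, role-specific admin account with its own randomly generated password; the domain name, OU paths, user names and the ‘Workstation Admins’ group name are assumed placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) and a domain/OU layout named below; adjust to your environment.
Import-Module ActiveDirectory

$staffOu = 'OU=Staff,DC=example,DC=local'          # assumed OU for daily accounts
$adminOu = 'OU=Admin Accounts,DC=example,DC=local' # assumed OU for admin accounts

# Step 1: one security group per job function (plus one per admin tier), so
# permissions are granted to the group and inherited by members, not per user.
foreach ($name in 'Accounting', 'Sales', 'Workstation Admins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $staffOu
    }
}

# Step 2: a standard, non-privileged account for an accounting employee
# (assumed name 'jdoe'). It only gets the Accounting group, nothing more.
New-ADUser -Name 'jdoe' -SamAccountName 'jdoe' -Path $staffOu -Enabled $true `
    -AccountPassword (Read-Host -Prompt 'Initial password for jdoe' -AsSecureString) `
    -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Accounting' -Members 'jdoe'

# Steps 3 and 4: a separate account for exactly one admin role (workstation
# admin, not domain admin), with a unique random one-time password. The
# plaintext is handed over out of band and must be changed at first logon.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$oneTimePassword = [Convert]::ToBase64String($bytes)   # deliver via your password manager, never email
$adminPw = ConvertTo-SecureString $oneTimePassword -AsPlainText -Force

New-ADUser -Name 'jdoe-wsadmin' -SamAccountName 'jdoe-wsadmin' -Path $adminOu `
    -Enabled $true -AccountPassword $adminPw -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Workstation Admins' -Members 'jdoe-wsadmin'
```

Granting ‘Workstation Admins’ local administrator rights on workstations is done separately (for example through Group Policy Restricted Groups), so that the group, not individual accounts, carries the privilege.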

Depending on the size of the business, this can get a little complicated. But for many small businesses, it can be fast and simple to audit and make changes where needed.

Types of Accounts

When it comes to the principle of least privilege, we want to be thinking in terms of:

  • Computer / host / local accounts
  • Group membership / organizational units (OUs) in Active Directory
  • Domain accounts (for Active Directory domains)
  • Application accounts (for example, email)
  • Administrative accounts
  • Application administrators
  • Local administrators
  • Domain administrators

We need to determine who needs access to what, and then give them permissions as needed.

Every business is different and has unique requirements, but keep in mind that the permissions of every user should correspond with their need to either use or administer a specific technology.

Administrative accounts are the most important. Only designated people should have access to administrative accounts. At larger companies, only IT people are administrators.

A Practical Example

At small companies, roles often get divided and people need to wear multiple hats. You might have a non-IT employee, for example, be the email administrator.

The key is that the role of email administrator is unique. You need to create a user (let’s call it ’emailadmin’) whose only role is to perform the administrative duties for email. This includes adding and deleting accounts, making other changes, etc.

This account should only be logged into for the express purpose of administering email. When the task is complete, the account is logged off. The email administrator doesn’t unnecessarily stay logged in (as administrator); they go back to using a standard account until they need administrative access again.

This process should be used for all critical services (such as databases, web servers, etc.). Note again that administrative activities are different from normal user activities. A regular user should have the ability to log into their email and any other services they need to access. And most admin users will also have regular user accounts that they use for their daily activities.

Group Memberships are Key

Groups are a great way to administer larger numbers of people.

We have to make sure that our groups are set up with minimal permissions, and that only users who need to be in those groups are members.

Remote Connections

Of particular concern are users who are allowed to engage in remote connections.

On Windows, the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) are the most common ways of doing so.

These services typically correspond with membership in the groups ‘Remote Desktop Users’ for RDP and ‘Remote Management Users’ for WinRM.

Make sure that users with membership to either of these two groups actually require it.
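A way to check this on each machine, as an added example that is not part of the original article: list the members of the local groups that grant remote access and flag any that are not on an approved list. The approved list is a constructed placeholder; the local Administrators group is included because its members can use RDP and WinRM without being in either of the two groups named above.

```powershell
# Added example (not from the original article). Uses the built-in
# Microsoft.PowerShell.LocalAccounts cmdlets; run it in an elevated session
# on the machine being audited.

# Constructed placeholder: who is supposed to be in each group on this host.
$approved = @{
    'Administrators'          = @('EXAMPLE\Workstation Admins', 'HOST01\Administrator')
    'Remote Desktop Users'    = @('EXAMPLE\helpdesk-rdp')
    'Remote Management Users' = @('EXAMPLE\svc-monitoring')
}

function Get-UnapprovedRemoteAccess {
    param([hashtable]$Approved)
    foreach ($group in $Approved.Keys) {
        # Members come back as DOMAIN\name or HOST\name, with their object class.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($Approved[$group] -notcontains $m.Name) {
                [pscustomobject]@{
                    Group       = $group
                    Member      = $m.Name
                    ObjectClass = $m.ObjectClass       # 'User' or 'Group'
                    Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
                    # A nested group such as 'Domain Users' grants the right to
                    # everyone in it, so it deserves the closest look.
                    GrantsToGroup = ($m.ObjectClass -eq 'Group')
                }
            }
        }
    }
}

$findings = Get-UnapprovedRemoteAccess -Approved $approved
$findings | Format-Table -AutoSize

# Revoke only after confirming with the owner that the role does not need it:
# Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'EXAMPLE\someone'
```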

Administrator Accounts, Revisited

We’ve already seen that administrative accounts and permissions are the most important to control. They hold the keys to our kingdom. Here are some important points to keep in mind:

  • Use different administrators for different things. The administrator for the database server shouldn’t also be the admin for the web server. We can group administrators into three types:
    • Application administrators (only administers an application).
    • Local administrators (the admin on each specific computer).
    • Domain administrators (in AD environments – has authority over the entire domain).
  • Only use the level of administrative access required to accomplish each specific task. Don’t use a domain administrator account when a machine or application administrator account can handle the task.
  • Don’t stay logged in as an admin. Use the account to complete the task it is needed for, and then log out and restart the machine.
  • Restarting after the task is complete clears the administrator’s credentials from Windows memory. The hashed password will stay in memory until the computer is restarted.
  • Administrators should be the only accounts allowed to install new programs or run scripts.

The domain administrator accounts are the most prized by hackers, because they give control of the domain controller and therefore the entire domain.
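One way to check the tiering rule above (a computer or application admin should not also be a domain admin), as an added example that is not part of the original article: expand Domain Admins membership, including nested groups, and report any member who also sits in a lower-tier admin group. The lower-tier group names are assumed placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and the lower-tier admin group names listed below.
Import-Module ActiveDirectory

# Assumed names for the computer- and application-level admin groups.
$lowerTierGroups = @('Workstation Admins', 'Server Admins', 'Email Admins')

function Get-TieringViolations {
    param([string[]]$LowerTierGroups)
    # -Recursive expands nested groups, so indirect Domain Admins count too.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($da in $domainAdmins) {
        $user = Get-ADUser -Identity $da.distinguishedName `
            -Properties MemberOf, LastLogonDate, PasswordLastSet
        # MemberOf lists direct memberships only; resolve each DN to a group name.
        $overlap = foreach ($dn in $user.MemberOf) {
            $g = (Get-ADGroup -Identity $dn).Name
            if ($LowerTierGroups -contains $g) { $g }
        }
        [pscustomobject]@{
            Account         = $user.SamAccountName
            LowerTierGroups = ($overlap -join ', ')
            Violation       = [bool]$overlap
            LastLogonDate   = $user.LastLogonDate   # stale admins are candidates for removal
            PasswordLastSet = $user.PasswordLastSet # old passwords on admin accounts stand out here
        }
    }
}

Get-TieringViolations -LowerTierGroups $lowerTierGroups |
    Sort-Object Violation -Descending | Format-Table -AutoSize
```

A violation means the person needs two accounts, one per tier, rather than one account in both groups.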

Key Takeaways

  • The principle of least privilege means that users only get access to what they need to do their job. This dramatically minimizes risk across the company.
  • There are users and administrators. They have different functions.
  • A user is allowed to use specific resources, like a specific computer and the applications they need to access to do their job.
  • An administrator is a privileged account used to manage a computer, an application, a service, etc.
  • There are different types of users. Group membership is a great way to establish permissions across groups of users. In Active Directory environments, we can also use organizational units (OUs).
  • Make sure that users are only members of groups that they require for their job.
  • Make sure that groups only have the permissions needed for members to do their job.
  • There are different types of administrators. Keep these roles separate. Only use the level of access required to accomplish the task.
    • Application administrators (only administers an application).
    • Local administrators (the admin on each specific computer).
    • Domain administrators (in AD environments – has authority over the entire domain).