Essential Eight Best Practice Guide: Restricting Administration Privileges

Introduction

Think of administrative privileges as the master keys to a building. In a computer system or network, having admin privileges is like having access to every door and room. Administrators can make significant changes, such as installing new software, altering system settings, and accessing all files and data. While this level of access is necessary for certain tasks, it’s easy to see how it could also pose a risk if it falls into the wrong hands – much like how a lost master key can put an entire building at risk.

To help organisations protect their digital ‘buildings’, the Australian Government has included restricting administration privileges as one of its Essential Eight cybersecurity strategies.

This means three things: first, making sure that only the necessary people have those ‘master keys’; second, that each person’s ‘master key’ only opens the doors they need access to; and third, that each ‘master key’ is only used when necessary. This significantly reduces the risk of unauthorised access or changes to the system. The following sections will provide a more detailed look at how administrative privileges can be restricted in a small to medium-sized business context.

Why Restricting Administrative Privileges is Essential

Risks of Unrestricted Administrative Privileges

In the building analogy, unrestricted administrative privileges mean too many people have been given master keys, leading to considerable security risks. If a cybercriminal gains one of these administrator accounts, they can easily get full control of the business’ systems.

The attacker could install harmful software, manipulate system settings, access sensitive data, and even set up backdoors so they can continue to get in once the account has been recovered. It’s like letting a burglar roam freely inside your building, with access to every room and the ability to create new keys for themselves.

Benefits of Restricting Administrative Privileges

Now, imagine the building only has a few carefully managed master keys, and each key can only access the doors its owner needs to access. The risk of a master key falling into the wrong hands is now much lower, as is the impact of it being lost. This is the main benefit of restricting administrative privileges: reducing the risk of severe cyber incidents.

Restricting administrative privileges also makes it easier to monitor system changes. If only a few trusted individuals have the authority to make significant system modifications, it’s simpler to keep track of what changes have been made and why. Quickly identifying the source of a change can be crucial when responding to any potential security issues.

Best Practices for Implementing Restricted Administrative Privileges

Developing a Comprehensive Policy

The first step any business should take in this area is to establish a clear and comprehensive policy for administrative privileges. The policy doesn’t need to be overly onerous or long; it’s simply a document that sets out the guidelines that management wishes their teams to follow.

The administrative privileges policy should outline which roles are given admin privileges, when they should use them, and for what purposes. Think of this as the rules for who gets a master key and which doors they open. Clear guidelines help ensure that everyone understands and adheres to the policy.

Approval & Audit Trails

An important step to implement early is a robust approval process for new and changed administrative access, with an audit trail kept for future reference. This ensures that, while efforts are being made to restrict admin privileges, changes made through day-to-day operational processes do not undermine the improvements achieved through the implementation work.

A privileged access approval process and accompanying audit trail are the first element required by the Essential Eight for all maturity levels.

Principle of Least Privilege

The ‘Principle of Least Privilege’ (PoLP) is fundamental in cybersecurity. Simply put, it means that individuals should only have the access necessary to perform their duties, nothing more. In terms of our building, it’s like only giving employees keys to the rooms they need to enter. This approach significantly reduces the number of ‘master keys’ in circulation and thus, the potential for security breaches.

Although the Principle of Least Privilege is widely recognised in the field of cybersecurity, the Essential Eight doesn’t mandate its implementation until the third level of maturity. This is due to the complexity and time-consuming nature of its implementation, but it offers a substantial level of security, even against persistent attackers.

Regular Review and Adjustment of Administrative Privileges

Just as buildings change over time with rooms being added or repurposed, so too do businesses and their systems. As such, it’s important to regularly review who has administrative privileges and adjust as necessary. Maybe an employee’s role has changed, or they’ve left the company. Regular reviews help ensure that only the appropriate individuals hold the ‘master keys’.

At maturity level two, the Essential Eight requires that administrative privileges are automatically removed after twelve months unless they are revalidated, and automatically removed after 45 days of inactivity.

Common Challenges and Solutions

Restricting administrative privileges is not without its challenges. However, these obstacles can be effectively managed with thoughtful planning and communication.

Identifying and Addressing Resistance to Change

In many organisations, change can be met with resistance, particularly when it involves altering the way people work. Restricting administrative privileges might be seen as a hurdle to efficiency or an unnecessary complication. It’s important to communicate clearly why these changes are happening and how they will protect the business and everyone’s work.

Handling the Administrative Requirements of Various Software and Applications

Different software and applications may have unique requirements for administrative privileges, making it challenging to implement a consistent policy. While it’s beyond the scope of this document to address specific software, the principle remains the same: limit privileges to only what’s necessary for each application. Working closely with software vendors can help you understand these requirements and implement appropriate restrictions.

Balancing Operational Efficiency with Security

While security is paramount, any successful business will also know the importance of operational efficiency. Overly restrictive policies can hinder productivity and cause frustration. Balance can be achieved by ensuring that employees have the access they need to do their jobs while maintaining the principle of least privilege. In other words, make sure all doors in the building can be accessed when needed, but only by those who should be entering them. Remember, to be truly efficient, a business must be well secured, or else it is at risk of the disruptions that cyber incidents can cause.

Taking the First Steps

Implementing the strategy of ‘Restrict Administrative Privileges’ may seem daunting, but taken step by step, it becomes a manageable process.

Steps to Assess Current Administrative Privilege Use

Before making any changes, you need to understand how administrative privileges are currently used in your organisation. It’s like doing an inventory of who has the master keys and what doors they’re opening. Begin by identifying who has administrative access, why they have it, and how often they use it. This will help you determine what changes need to be made and who will be most affected.

Building a Transition Plan

Based on your assessment, you can now start building a transition plan. This should detail what changes need to be made so that administrative privileges are properly restricted. Your transition plan is essentially a roadmap showing how to recall and redistribute the master keys.

Remember to consider the timing of these changes. If possible, try to align them with other system or role changes to minimise disruption. Also, consider a phased approach where changes are gradually implemented. This can make the transition easier to manage and less impactful on daily operations.

The transition plan should also include a communication strategy, as clear communication will help alleviate concerns and increase buy-in. Be sure to inform all employees about what’s happening, why it’s happening, and how it will affect them. Taking these first steps can put your organisation on the path towards a more secure future. The effort you invest now can prevent much larger issues down the line, protecting both your organisation and the people who make it what it is.

Essential Eight Restrict Administrative Privileges at a Glance

Maturity Level One:

Maturity level one requires privileged access to be validated when first requested, and for privileged accounts to be prevented from accessing the internet, email and web services.

It also requires a separation of privileged and unprivileged operating environments, with accounts from each type of environment being prevented from accessing the other type.

Maturity Level Two:

Maturity level two introduces requirements for administration access to be automatically disabled after 45 days of inactivity, and after 12 months if not revalidated. It also enforces that privileged operating environments are not virtualised within unprivileged ones.

Maturity level two also introduces the concept of administration activities taking place through jump servers, password policies specific to local administrator accounts and event logging for privileged access.
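As an added example (not part of this guide), the two maturity level two time limits described here and in the ‘Regular Review and Adjustment’ section above can be turned into a repeatable review pass over the privileged-access register that the approval process produces. The account names, dates and the `last_validated` field are constructed assumptions for illustration; a real run would populate the register from your directory and approval records.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=45)     # ML2: disable after 45 days of inactivity
REVALIDATION_LIMIT = timedelta(days=365)  # ML2: disable after 12 months without revalidation


@dataclass
class PrivilegedAccount:
    name: str
    granted: date               # date the access was approved (from the approval register)
    last_validated: date        # date the access was most recently re-approved
    last_logon: Optional[date]  # None means the account has never been used


def review(accounts: List[PrivilegedAccount], today: date) -> Dict[str, str]:
    """Return {account name: reason} for every account whose privileged access should be disabled."""
    findings: Dict[str, str] = {}
    for acct in accounts:
        # An account that has never logged on is measured from its grant date;
        # otherwise a dormant account would never trip the inactivity rule.
        last_activity = acct.last_logon or acct.granted
        idle = today - last_activity
        since_validation = today - acct.last_validated
        if idle > INACTIVITY_LIMIT:
            findings[acct.name] = f"inactive for {idle.days} days"
        elif since_validation > REVALIDATION_LIMIT:
            findings[acct.name] = f"not revalidated for {since_validation.days} days"
    return findings


# Constructed sample register (hypothetical accounts, not from any real environment).
SAMPLE_REGISTER = [
    PrivilegedAccount("adm-alice", date(2023, 1, 10), date(2024, 2, 1), date(2024, 6, 28)),
    PrivilegedAccount("adm-bob", date(2023, 1, 10), date(2024, 2, 1), date(2024, 4, 1)),
    PrivilegedAccount("adm-carol", date(2022, 5, 1), date(2023, 5, 15), date(2024, 6, 29)),
    PrivilegedAccount("svc-backup-adm", date(2024, 4, 1), date(2024, 4, 1), None),
    PrivilegedAccount("adm-dave", date(2024, 6, 1), date(2024, 6, 1), None),
]
REVIEW_DATE = date(2024, 6, 30)  # fixed date so the sample is reproducible

if __name__ == "__main__":
    for name, reason in review(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(f"DISABLE {name}: {reason}")
```

Feeding the result into the audit trail (who was disabled, when and why) gives the review the record the approval process requires.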

Maturity Level Three:

Maturity Level Three brings in two key concepts, which are the principle of least privilege, and just-in-time administration. It also requires Windows Defender Credential Guard and Windows Defender Remote Credential Guard to be enabled.

Finally, it requires that events are centrally logged, protected, monitored, and acted upon when any signs of compromise are detected.

Conclusion

We’ve likened administrative privileges to master keys to a building, and with good reason. Just as unrestricted access to a physical building can lead to security issues, so too can unrestricted administrative access in a digital environment. By restricting these privileges, you’re creating a more secure business, one less vulnerable to cyber threats.
