7 Replies Latest reply on Oct 6, 2017 10:26 AM by d09h

Priviledge Accounts Best Practices

s-bolyard Oct 5, 2017 11:23 AM

My boss thinks it's a great idea to give all of our Network and Server support staff administrator privileges. I'm trying to change his mind and I'm trying to find a "Best Practices" document that would help me justify why that's a bad idea. Or maybe you can persuade me why it is a good idea. My view is that the more admins you have the increase in mistakes and may cause lengthier downtime. Does anyone know if there's a document that goes over it?

Re: Priviledge Accounts Best Practices

d09h Oct 5, 2017 1:44 PM (in response to s-bolyard)

Surely there are many. Here's one: https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege
1 of 1 people found this helpful
Like Show 1 Likes(1)

Actions
Re: Priviledge Accounts Best Practices

d09h Oct 5, 2017 12:28 PM (in response to s-bolyard)

If I were you I would document your conversation with him. Save the email. Might need an "I told you so" or perhaps an "I told him so". For CYA. Also, based on information from your profile, he might find the HIPAA rules pertinent: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

STANDARD § 164.312(a)(1) Access Control

The Security Rule defines access in § 164.304 as “the ability or the means necessary to read,
write, modify, or communicate data/information or otherwise use any system resource. (This
definition applies to “access” as used in this subpart, not as used in subpart E of this part [the
HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access
and perform functions using information systems, applications, programs, or files. Access
controls should enable authorized users to access the minimum necessary information needed to
perform job functions. Rights and/or privileges should be granted to authorized users based on a
set of access rules that the covered entity is required to
implement as part of § 164.308(a)(4), the Information Access
Management standard under the Administrative Safeguards
section of the Rule.
1 of 1 people found this helpful
Like Show 1 Likes(1)

Actions
Re: Priviledge Accounts Best Practices

d09h Oct 5, 2017 12:45 PM (in response to s-bolyard)

https://attack.mitre.org/wiki/Privilege_Escalation
1 of 1 people found this helpful
Like Show 1 Likes(1)

Actions
Re: Priviledge Accounts Best Practices

d09h Oct 5, 2017 12:49 PM (in response to s-bolyard)

http://cwe.mitre.org/data/definitions/266.html
1 of 1 people found this helpful
Like Show 1 Likes(1)

Actions
Re: Priviledge Accounts Best Practices

d09h Oct 5, 2017 1:09 PM (in response to s-bolyard)

Even personnel who do need admin privileges should use a non-privileged account whenever possible, and the privileged account whenever necessary.
Like Show 0 Likes(0)

Actions
Re: Priviledge Accounts Best Practices

s-bolyard Oct 5, 2017 2:14 PM (in response to s-bolyard)

Thank you d09h! I really appreciate. This is exactly what I needed.
Like Show 0 Likes(0)

Actions
- Re: Priviledge Accounts Best Practices
  
  d09h Oct 6, 2017 10:26 AM (in response to s-bolyard)
  
  Happy to help s-bolyard . With such a cavalier attitude toward security, you may find that your boss has issues on other fronts. You wouldn't want to be the next ransomware victim. Maybe you can get a security assessment done somehow to show where work is needed.
  
  Like Show 0 Likes(0)
  
  Actions

Go to original post