Morey Haber, CTO & CISO, BeyondTrust, explains what passwordless administration is, why it is needed and how to implement it.
Passwordless administration — a use case offered via Privileged Access Management (PAM) — refers to the ability to perform administrative functions on an endpoint without the need for privileged or administrator credentials. The concept of passwordless administration is generally linked to just-in-time (JIT) privileged access management since the methods of applying passwordless administration can cover several technologies to temporarily elevate the user or the application (preferred method) for the specific requested task. In other words, in lieu of entering secondary administrative credentials for a task that requires elevation, the user is trusted based on context (or attributes) to run the application in an elevated state — without an additional challenge and response mechanism.
The need for Passwordless Administration
The mushrooming quantity of administrative accounts with excessive privileges makes them an easy and favoured target for threat actors. Each of these admin accounts is an attack vector that offers a successful attacker administrative capability over the entitlements to which the admin account is assigned.
Typically, administrative accounts are assigned privileges en masse, since administrative functions are needed by everyone from end users through to true system, network, and database administrators — the accounts that often have access to the organization’s most valuable information (trade secrets, etc.).
Unfortunately, administrative/superuser accounts are also often assigned to regular end-users so they can add a printer, run a specific program, or even change network settings.
Consider the following applications and tasks that still need administrative rights on a standard Windows endpoint:
• The ability to modify system settings or change operating system features within Windows Settings or Control Panel
• The ability to install or uninstall applications
• The ability to edit the registry, or modify files within the Windows operating system or protected files within Program Files
• The ability to execute programs that require administrative rights based on how they are compiled or their interaction with the operating system, network, or file system
• The ability to execute programs that have their own update mechanisms to provide the latest versions for security and features
• The ability to install browser plug-ins and extensions
All these are valid use cases and require administrator credentials to perform the tasks. While modern Windows systems have made huge headway in managing privileges, in a typical day, a user will need to have administrative rights to perform any of these functions. Typically, this is granted by issuing a secondary administrator account for the host, or worse, just making their current credentials a local administrator. The outcome of both choices is a high-risk configuration that greatly expands the threat surface for malware, ransomware, and malicious behaviour.
The dilemma becomes how to remove administrative credentials from both personas (end users and administrators alike) to mitigate the risks from a threat actor targeting these accounts. The answer is relatively simple — passwordless administration, which can enable users to perform these job-related functions without requiring any additional credentials or introducing unnecessary risks.
With Forrester Research implicating privileged credentials in 80% of breaches, the elimination of privileged passwords wherever possible greatly reduces the threat surface. This premise is further buttressed by the fact that 77% of Microsoft critical vulnerabilities can be mitigated by the removal of admin rights, and a similar reduction is also demonstrable by enforcing least privilege on third-party applications.
As such, every endpoint security strategy should consider using passwordless administration as a layer of security after antivirus to mitigate the most prevalent privileged attack vectors. This approach precedes the implementation of any EDR, MDR, or XDR strategy — or even the use of dedicated web proxy and protocol inspection technologies. Why? Because simply by removing administrative rights and enforcing reputation-based application control, a vast threat surface can be eliminated outright or at least condensed, including threats such as dangerous payloads and fileless malware.
Steps to implement Passwordless Administration
Passwordless administration only requires two preliminary steps within any organization to move it from concept to reality. First, it is essential to identify which tasks require administrative privileges to operate; next, identify which users need to execute them.
Then, passwordless administration can be applied based on features available in many operating systems (although they are limited) or by deploying a privileged access management solution for your environment.
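The two preliminary steps above (which tasks need elevation, and which users run them) can be driven from data an endpoint already carries. The following is an added example, not BeyondTrust code: it reads the `requestedExecutionLevel` declared in Windows application manifests (a real manifest element) and joins it with constructed process-launch records to produce a task-to-user matrix. The executable paths, user names and launch records are all hypothetical sample data embedded in the script.

```python
"""Inventory step for passwordless administration (added example).

Windows applications declare their elevation need in the manifest element
trustInfo/security/requestedPrivileges/requestedExecutionLevel (asm.v3 namespace).
"requireAdministrator" means the program cannot run at all without an elevated
token, so it is a task that must be covered by an elevation policy.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

ASM_V3 = "urn:schemas-microsoft-com:asm.v3"

# Template for a constructed manifest; only the level varies between samples.
MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="{level}" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

# Constructed sample: executable path -> its manifest (None = no manifest at all).
SAMPLE_MANIFESTS = {
    r"C:\Tools\NetConfig.exe": MANIFEST.format(level="requireAdministrator"),
    r"C:\Tools\Updater.exe": MANIFEST.format(level="highestAvailable"),
    r"C:\Tools\Notes.exe": MANIFEST.format(level="asInvoker"),
    r"C:\Tools\Legacy.exe": None,
}

# Constructed sample launch records (user, executable), as process-creation
# telemetry would supply them; these are hypothetical users and paths.
SAMPLE_RUNS = [
    ("CORP\\alice", r"C:\Tools\NetConfig.exe"),
    ("CORP\\bob", r"C:\Tools\NetConfig.exe"),
    ("CORP\\bob", r"C:\Tools\Notes.exe"),
    ("CORP\\carol", r"C:\Tools\Updater.exe"),
    ("CORP\\alice", r"C:\Tools\Legacy.exe"),
]


def elevation_level(manifest_xml):
    """Return the declared execution level; an absent manifest or element
    behaves like asInvoker (runs with the caller's token, no elevation)."""
    if not manifest_xml:
        return "asInvoker"
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{ASM_V3}}}requestedExecutionLevel")
    if node is None:
        return "asInvoker"
    return node.get("level", "asInvoker")


def elevation_tasks(manifests):
    """Step 1: map every inventoried executable to its execution level."""
    return {exe: elevation_level(xml) for exe, xml in manifests.items()}


def build_elevation_matrix(manifests, runs):
    """Step 2: for each executable that requires administrator rights,
    list the users who actually launch it, so that rules can be scoped to
    exactly those users instead of granting them local admin."""
    levels = elevation_tasks(manifests)
    matrix = defaultdict(set)
    for user, exe in runs:
        if levels.get(exe) == "requireAdministrator":
            matrix[exe].add(user)
    return {exe: sorted(users) for exe, users in matrix.items()}


def users_needing_elevation(manifests, runs):
    """Flat list of users who need at least one elevated task."""
    matrix = build_elevation_matrix(manifests, runs)
    return sorted({u for users in matrix.values() for u in users})


if __name__ == "__main__":
    for exe, level in elevation_tasks(SAMPLE_MANIFESTS).items():
        print(f"{level:22} {exe}")
    print(build_elevation_matrix(SAMPLE_MANIFESTS, SAMPLE_RUNS))
```

Executables declaring `highestAvailable` (the updater in the sample) run without a prompt for a standard user but elevate for an administrator, so they deserve a manual review rather than an automatic entry in the matrix; the script leaves them out of the matrix on purpose.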
Passwordless Administration Methods
Passwordless administration can come in a variety of forms and support zero trust architectures, software-defined perimeters, and change control best practices for any environment. Consider the following security controls:
• Zero Trust: All applications are considered blacklisted unless explicitly allowed based on attributes, and the privileges for execution are strictly controlled. Detailed logging is provided for all privileged activity, and application privileges are elevated, never the end user’s, to ensure the control and data planes for zero trust remain completely separate.
• Software-Defined Perimeter: All applications and user privileges are controlled on the endpoint for maximum endpoint security. The software executing on the endpoint actually becomes hardened as a part of your software security strategy. This includes controlling functions like blocking child processes and attribute-based context control for application runtime (i.e. allowing an application to run while in the office, but blocking it when run at home or on a wireless network).
• Change Control: All application execution and modifications, including software updates, can be controlled with complete integration into an ITSM solution to ensure no inappropriate activity, changes, or malware infects the system.
• Reputation Services: Application control can be performed by attributes and verified against third-party sources and origin of the executable to ensure that no malware is present.
If you consider the context of all of these security controls, it is possible to perform passwordless administration based on rules and policies for operating system tasks and applications that need administrative rights.
The key to effectively implementing this strategy starts with a universal approach to privileged access management. Management, information technology, and information security professionals must agree that a user should not have local administrative rights, and that all users should operate with standard user privileges. Then, policies and rules can be put in place to perform elevation for the proper tasks using industry-standard best practices for endpoint privilege management.
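To make the rule-based elevation described in the Passwordless Administration Methods section concrete, here is an added example of a policy evaluator; it is not BeyondTrust product code. It applies the four controls listed above: default deny unless attributes match (zero trust), context conditions on location and network (software-defined perimeter), a reputation verdict on the binary before any rule is considered (reputation services), and an audit record for every decision (change control). The elevated principal is always the application, never the user. All users, groups, publishers, paths and hashes are constructed sample values.

```python
"""Attribute-based elevation policy for passwordless administration (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a third-party reputation service: sha256 -> verdict.
# The hashes are hypothetical placeholders, not real indicators.
REPUTATION = {
    "a1" * 32: "good",
    "b2" * 32: "good",
    "c3" * 32: "malicious",
}

# Constructed directory group membership (hypothetical users and groups).
MEMBERSHIP = {
    "CORP\\alice": {"Helpdesk"},
    "CORP\\bob": {"Engineering"},
}


@dataclass(frozen=True)
class Request:
    """One elevation request as the endpoint agent would see it."""
    user: str
    exe: str
    publisher: str     # code-signing publisher of the binary
    sha256: str
    location: str      # "office" or "home"
    network: str       # "wired" or "wireless"


@dataclass(frozen=True)
class Rule:
    """Attributes that must all match before the application is elevated."""
    name: str
    groups: frozenset                   # who may trigger this elevation
    publisher: Optional[str] = None     # match on signer ...
    sha256: Optional[str] = None        # ... and/or exact file hash
    locations: frozenset = frozenset({"office", "home"})
    networks: frozenset = frozenset({"wired", "wireless"})
    block_child_processes: bool = True  # elevated app may not spawn children


# Constructed policy: a helpdesk network tool only in the office on a wire,
# and one approved updater pinned by hash for engineering and helpdesk.
RULES = [
    Rule("Network settings tool", frozenset({"Helpdesk"}),
         publisher="CN=Contoso Tools",
         locations=frozenset({"office"}), networks=frozenset({"wired"})),
    Rule("Approved updater", frozenset({"Engineering", "Helpdesk"}),
         sha256="b2" * 32),
]


def _matches(rule, req, groups):
    if not (groups & rule.groups):
        return False
    if rule.publisher and req.publisher != rule.publisher:
        return False
    if rule.sha256 and req.sha256 != rule.sha256:
        return False
    return req.location in rule.locations and req.network in rule.networks


def evaluate(req, rules=RULES, membership=MEMBERSHIP, reputation=REPUTATION, audit=None):
    """Decide whether the application (never the user) receives an elevated
    token. Every outcome is appended to the audit list when one is given."""
    decision = {"user": req.user, "exe": req.exe, "action": "deny", "rule": None,
                "reason": "no matching rule (default deny)",
                "elevated_principal": None, "block_child_processes": True}
    verdict = reputation.get(req.sha256)
    if verdict == "malicious":
        decision["reason"] = "reputation service flagged the binary"
    elif verdict != "good":
        decision["reason"] = "no reputation verdict for the binary"
    else:
        groups = membership.get(req.user, set())
        for rule in rules:
            if _matches(rule, req, groups):
                decision.update(action="elevate", rule=rule.name,
                                reason="attributes matched",
                                elevated_principal="application",
                                block_child_processes=rule.block_child_processes)
                break
    if audit is not None:
        audit.append(dict(decision))
    return decision


if __name__ == "__main__":
    log = []
    evaluate(Request("CORP\\alice", r"C:\Tools\NetConfig.exe", "CN=Contoso Tools",
                     "a1" * 32, "office", "wired"), audit=log)
    evaluate(Request("CORP\\alice", r"C:\Tools\NetConfig.exe", "CN=Contoso Tools",
                     "a1" * 32, "home", "wireless"), audit=log)
    for entry in log:
        print(entry)
```

Checking reputation before consulting any rule means a rule written against a publisher cannot be satisfied by a flagged binary that happens to carry that signature, and the unknown-verdict branch keeps the policy on the deny side until the reputation source has actually seen the file.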