In IT, administrators (‘admins’) hold the keys to the kingdom. They can change system settings, create new users, and delete resources. It’s why they’re often targeted by threat actors – a compromised admin account can hamstring your business, hold critical data for ransom, and even lock you out of your IT system entirely.
To comply with Maturity Level One of the Essential Eight, Australia’s national cyber security framework, you need to restrict access to admin privileges. That means only letting certain people be admins – and being strict about where (and how) they can use their accounts.
This guide explains everything you need to know about implementing the ‘Restrict administrative privileges’ strategy. Even if you’re working with a managed IT provider like us, understanding the implementation process is important – especially if Essential Eight compliance is required for things like government contracts or your cyber insurance.
This article is part of a series on implementing the Essential Eight to Maturity Level 1. Read other articles in the series here.
What Is the Principle of Least Privilege?
Before we look at the Essential Eight controls around privileged access, there’s a concept that’s worth understanding: the principle of least privilege (PoLP).
Like other Zero Trust principles, PoLP works on a just-enough-access basis. Apps and users should have the minimum level of access required to perform their duties – in other words, if they don’t need it, don’t give it to them. The basic logic is that, if a user’s account is ever compromised, the blast radius – how broadly an adversary can penetrate your IT environment – is limited.
Role-Based Access Control
Role-based access control (RBAC) is the complementary mechanism in Microsoft 365 and Azure. To implement PoLP, you need some way of restricting who can view and change your system resources, and RBAC is that mechanism. It's a prerequisite for the Essential Eight controls discussed below.
In Azure (and in Microsoft Entra for the Microsoft 365 admin roles), your IT provider assigns roles (collections of permissions such as 'Read', 'Write' and 'Delete') to users or, preferably, to groups, and scopes each assignment to particular resources: a subscription, a resource group or a single resource. For example, you might allow your marketing team to view certain data but only allow your finance team to edit or delete it.
RBAC isn't anything particularly unusual; almost all IT systems have an equivalent. Keeping role assignments current is the harder part. You'll need to work with your IT provider to define the level of access each group of people in your organisation should have to each set of resources, and to review those assignments whenever someone joins, changes role or leaves.
Privileged Access Requests
Essential Eight Controls:
- Requests for privileged access to systems, applications and data repositories are validated when first requested.
The first and most straightforward control under the 'restrict administrative privileges' strategy is to log and check every request for privileged access. No staff member should gain privileged access without a clear, documented trail. That could be a support ticket, an email or an access-form submission; the main thing is that there's a written process and that it gets followed.
Before a staff member's privileges can be raised, you'll also need documented approval from their supervisor or from the owner of the app or data repository in question. That's not pointless red tape. If a threat actor compromises a staff member's account, they'll try to gain more access, and an easy way to do that is simply to request higher privileges. Having someone other than the requester validate the request is what stops that.
Entitlement management in Microsoft Entra is the simplest pathway for both your users and their approvers. Your IT provider defines access packages (bundles of apps, groups, sites and their associated permissions) and gives each package one or more policies that control who can request it, who must approve, and when the access expires.
If that sounds confusing, don’t worry. Your staff just need to log into a single portal (myaccess.microsoft.com) with links to all available access packages. They can then request access to whatever they need, and the relevant approver(s) will be automatically notified.
Privileged User Accounts
Essential Eight Controls:
- Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.
- Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
- Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
- Privileged users use separate privileged and unprivileged operating environments.
- Unprivileged user accounts cannot log on to privileged operating environments.
- Privileged user accounts (excluding local administrator accounts) cannot log on to unprivileged operating environments.
When you think of accounts as having 'privilege levels', it's tempting to draw an analogy with physical keys. Your company's CEO, for example, might have access to everything in your building, whereas junior staff only need keys that unlock, say, the main door.
Realistically, though, your user accounts are more like clothes. Your standard Microsoft 365 account is the attire you wear to the office – your ‘daily driver’. Your privileged account, on the other hand, is more like a hazmat suit. It’s uncomfortable, awkward, and only worn when doing very specific, high-risk tasks. Those hazardous tasks are anything that requires admin access.
The ASD defines ‘privileged accounts’ as ‘those which can alter or circumvent a system’s controls. This can also apply to users who have only limited privileges, such as software developers, but can still bypass controls. A privileged account often has the ability to modify system configurations, account privileges, event logs and security configurations for applications.’
While that's quite vague, in practice it covers any Microsoft 365 or Entra admin role that can change settings, users, permissions or logs (Global Administrator, Exchange Administrator, User Administrator and the like), as well as local administrator rights on workstations and servers.
Assign Admin Accounts
The first step you need to take to comply with the Essential Eight: get the right people hazmat suits. (Remember, as per the principle of least privilege, as few people as possible should have admin accounts.) Each of them needs both a standard user account and a separate admin account, with the latter used only for tasks that require admin access.
Separate Operating Environments
In the same way that you wouldn't wear your hazmat suit in the office (or your 'daily driver' attire in a hazardous area), your privileged and unprivileged accounts should never be used on the same physical device. Instead, you'll need separate workstations for each.
That could mean, for example, a dedicated 'admin computer' in a corner of the office that unprivileged accounts are blocked from logging on to. Note that this is a logon restriction on the device itself (on Windows, the 'Allow log on locally', 'Deny log on locally' and 'Deny log on through Remote Desktop Services' user rights, set through Group Policy) rather than Azure RBAC, which governs what an account can do to cloud resources, not where it can sign in. You'd also need the reverse restriction: admin accounts blocked from logging on to general-use workstations.
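As an added example (this is not code from the original article or from the ASD), here is a PowerShell script that audits those logon restrictions on a Windows workstation. It assumes an elevated session on a domain-joined host; the domain name CONTOSO and the group names Tier0-Admins and PAW-Users are placeholders for your own groups.

```powershell
# Added example, not code from the original article: audit the user-rights
# assignments that keep unprivileged accounts off a privileged operating
# environment (PAW) and privileged accounts off a general-use workstation.
# The script exports the effective local security policy with secedit and
# compares it with a simple baseline.
#
# Assumptions (not from the article): elevated PowerShell on a domain-joined
# Windows host; 'CONTOSO', 'Tier0-Admins' and 'PAW-Users' are placeholders.
param(
    [ValidateSet('PAW', 'Standard')] [string] $Role = 'Standard',
    [string] $Domain = 'CONTOSO',
    # Standard workstation: these privileged groups must be denied logon
    [string[]] $PrivilegedGroups = @('Domain Admins', 'Tier0-Admins'),
    # PAW: only these domain groups (plus local Administrators) may log on
    [string[]] $PawAllowed = @('PAW-Users')
)

function Get-PrincipalSid([string] $Domain, [string] $Name) {
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-PrincipalName([string] $Sid) {
    # Best-effort reverse lookup for readable output; unresolvable SIDs stay raw
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Export-UserRights {
    # Returns a hashtable: right name -> array of SIDs. secedit writes each
    # right in the [Privilege Rights] section as 'SeName = *SID,*SID,...'
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+(?:Right|Privilege))\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

$userRights    = Export-UserRights
$builtinAdmins = 'S-1-5-32-544'   # well-known SID for BUILTIN\Administrators

$findings = if ($Role -eq 'Standard') {
    # Privileged accounts must be unable to log on here, locally or over RDP
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $denied = $userRights[$right]
        foreach ($group in $PrivilegedGroups) {
            $sid = Get-PrincipalSid $Domain $group
            [pscustomobject]@{
                Right     = $right
                Principal = "$Domain\$group"
                Ok        = [bool]($denied -contains $sid)
            }
        }
    }
} else {
    # On a PAW, 'Allow log on locally' must contain nothing beyond the PAW
    # group and local Administrators; every extra principal is a finding
    $allowedSids = @($builtinAdmins) +
        @($PawAllowed | ForEach-Object { Get-PrincipalSid $Domain $_ })
    foreach ($sid in $userRights['SeInteractiveLogonRight']) {
        [pscustomobject]@{
            Right     = 'SeInteractiveLogonRight'
            Principal = Get-PrincipalName $sid
            Ok        = $allowedSids -contains $sid
        }
    }
}

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$env:COMPUTERNAME does not meet the '$Role' logon baseline ($($failed.Count) finding(s))."
}
```

Run it with `-Role Standard` on a general-use workstation and `-Role PAW` on an admin workstation. On a standard workstation it checks that each privileged group appears in both 'Deny log on locally' and 'Deny log on through Remote Desktop Services'; on a PAW it lists every principal in 'Allow log on locally' that is neither BUILTIN\Administrators nor the PAW group. The allow-list approach is used on the PAW because every domain account is a member of Domain Users, so a blanket deny there would lock the admins out too. secedit needs an elevated session, and the export only reflects policy that has actually applied to the machine, so run it after a `gpupdate` if you have just changed the GPO.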
Ideally, any ‘admin computers’ will be privileged access workstations (PAWs). PAWs normally:
- only allow access to a handful of critical websites, such as the Microsoft admin portals
- have all non-critical internet-connected apps blocked through something like ThreatLocker
- are prioritised in patch rollouts
- block USB devices.
Together, those controls significantly reduce PAWs’ attack surfaces, which means they’re less likely to be compromised.
An alternative, less secure option is virtual separation: the admin's physical device is a PAW, and they reach an unprivileged virtual desktop (VDI) from it for their day-to-day work, so they can perform daily tasks and admin tasks without switching machines. The direction matters here. A host can observe everything that happens inside a guest, so the privileged environment must be the host (or a separate machine); never run the privileged environment as a virtual machine on a general-use workstation, where malware on the host could keylog or screen-scrape the admin session. Even with the PAW as the host, shared peripherals, clipboard and file sharing between the two environments are extra attack paths that physical separation avoids.
Normally, your IT provider will handle all admin tasks for you, so you won’t need to worry about PAWs or VDIs. If you do have in-house staff using privileged accounts, though, you’ll need to set up different operating environments.
Prevent Internet Access
The Essential Eight assessment framework requires that privileged users be blocked from using the internet and accessing email, unless they need that access to undertake privileged tasks. If you've separated your operating environments, your privileged accounts will only be able to log into PAWs, which should have little to no internet access. The control is on the account, though, not just the device, so check it at the identity layer as well: a privileged account that can sign in to Outlook on the web from any device is not restricted, whatever the PAW blocks. Conditional Access policies that limit admin-role sign-ins to compliant devices are the usual way to close that gap.
It's also worth noting that your privileged accounts should not have Microsoft 365 licences. A 365 licence gives the account a mailbox and Office apps, which is exactly what an admin account must not have, so there's no reason an admin account needs one. (Entra ID P1/P2 features such as Conditional Access and Privileged Identity Management have their own licensing requirements, but those don't involve giving the account a mailbox.)
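To check both points in a tenant, here is an added example (not code from the original article or from Microsoft) written against the Microsoft Graph PowerShell SDK. It lists every user holding one of a set of privileged Entra roles and flags those that are licensed or that don't follow a dedicated admin-account naming convention. The `adm-` prefix and the role list are assumptions; substitute your own.

```powershell
# Added example, not code from the original article: enumerate the members of
# privileged Microsoft Entra roles and flag accounts that look like 'daily
# driver' accounts rather than dedicated admin accounts. Two tests per user:
#   1. Licensed?  A licence (mailbox, Office apps) means the account can
#      receive email and browse as an admin, which ML1 wants prevented.
#   2. Dedicated? The UPN follows the admin naming convention.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
#
# Assumptions (not from the article): the 'adm-' prefix and the role names
# below are placeholders; adjust both to your tenant.
param(
    [string] $AdminPrefix = 'adm-',
    [string[]] $PrivilegedRoles = @(
        'Global Administrator', 'Privileged Role Administrator',
        'Exchange Administrator', 'SharePoint Administrator',
        'User Administrator', 'Security Administrator'
    )
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$report = foreach ($role in Get-MgDirectoryRole -All) {
    if ($PrivilegedRoles -notcontains $role.DisplayName) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']

        # Members can also be groups or service principals; those carry no
        # licence and no naming convention, so surface them for manual review
        if ($type -ne '#microsoft.graph.user') {
            [pscustomobject]@{
                Role      = $role.DisplayName
                Member    = $member.Id
                Type      = $type
                Licensed  = $null
                Dedicated = $null
                Finding   = 'non-user member: review separately'
            }
            continue
        }

        $upn  = $member.AdditionalProperties['userPrincipalName']
        $skus = (Get-MgUserLicenseDetail -UserId $member.Id).SkuPartNumber
        $dedicated = $upn.StartsWith($AdminPrefix, [System.StringComparison]::OrdinalIgnoreCase)

        $issues = @()
        if ($skus)          { $issues += "licensed ($($skus -join ','))" }
        if (-not $dedicated) { $issues += 'not a dedicated admin account' }
        $finding = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'OK' }

        [pscustomobject]@{
            Role      = $role.DisplayName
            Member    = $upn
            Type      = 'user'
            Licensed  = [bool]$skus
            Dedicated = $dedicated
            Finding   = $finding
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize
```

Two caveats on reading the output. `Get-MgDirectoryRole` only returns roles that have been activated in the tenant and only active assignments, so if you use Privileged Identity Management, eligible (not currently activated) assignments won't appear and need to be audited through PIM. And a group listed as a role member is not expanded here; its members inherit the role and should be checked the same way.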
Need help reaching Essential Eight Maturity Level 1? We help Australian SMBs strengthen their security postures – without affecting business productivity.
More Essential Eight Implementation Guides
Read other articles in our series on reaching Essential Eight Maturity Level 1.