Microsoft Recommends Using a Separate Device For Administrative Tasks (zdnet.com) 177
In a rare article detailing insights about its staff's efforts in securing its own internal infrastructure, Microsoft has shared some very insightful advice on how companies could reduce the risk of having a security breach. From a report: The central piece of this article is Microsoft's recommendation in regards to how companies should deal with administrator accounts. Per Microsoft's Security Team, employees with administrative access should be using a separate device, dedicated only for administrative operations. This device should always be kept up to date with all the most recent software and operating system patches, Microsoft said. "Provide zero rights by default to administration accounts," the Microsoft Security Team also recommended. "Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system." Furthermore, the OS vendor also recommends that administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee's normal work identity.
"Buy twice as many computers from us!" (Score:3, Funny)
"What? Security? Privacy?! Don't be ridiculous! Just buy another machine for every machine you currently own."
Use a second device for admin tasks? (Score:5, Insightful)
Sure. Just let me get a Linux computer for logging into my bank accounts, transferring money, doing important confidential things... After all, if my second computer is for admin tasks only, then it doesn't need to be compatible with legacy Windows programs.
Actually, you could just forget the first computer and use the second computer for everything.
Re: (Score:1)
I use a linux desktop for everyday and RDP to computers for admin tasks.
My LDAP account has no admin privileges and connects to servers with an account for each service/server.
That's how you run a Windows network!
You want Chrome not Linux (Score:2)
Sure. Just let me get a Linux computer for logging into my bank accounts, transferring money, doing important confidential things... After all, if my second computer is for admin tasks only, then it doesn't need to be compatible with legacy Windows programs.
That is only a little better than a separate Windows system. Linux has exploits and malware too. What you really want to do is get a chromebook not a Linux system. Far more secure, far fewer opportunities for the end user to screw up than under Windows or Linux. Of course when running ChromeOS only, disable security and install Linux and you lose the chrome goodness.
Re: (Score:2)
Sure. Just let me get a Linux computer...
That is only a little better than a separate Windows system...
Bzzzzt! Wrong. Linux is way better and everybody knows it, including you, shill.
Re: (Score:2)
Actually, I agree, Chromebook is an interesting option re security, but it's a tough call vs, say, Debian Sid where the lag time for zero day patches is often measured in hours or even minutes. From that perspective, the signed, locked down image can easily increase the attack surface just by its age.
I'd be a whole lot more interested in the Chromebook option if Debian could produce a signed, locked down boot image for it.
Re: (Score:1)
There are some engineering design programs that will run on Linux. Even some targeted to Linux. But there are a lot of critical engineering design programs that are NOT on Linux.
Re: (Score:2)
There are some engineering design programs that will run on Linux. Even some targeted to Linux. But there are a lot of critical engineering design programs that are NOT on Linux.
The semiconductor design world runs on Linux. Every tool is a Linux tool and most are only Linux based.
Re: (Score:3, Insightful)
Except gaming
That tired refrain is a mighty stretch these days. Technically, Linux meets or beats Windows for gaming. Especially with AMD, the drivers are equivalent and the base Linux OS just kicks Windows in every way. Commercially, there are thousands of top quality games to play, more than anybody can possibly have time for. Including 50% of top 10, 59% of top 100, 56% of top 1000 [protondb.com] Steam games.
No, you really can't say "except gaming" any more. That was then. This is now. Steam put their muscle behind Linux gaming and
Re: (Score:3)
Let's take a look at those links....
Proton is a new tool released by Valve Software that has been integrated with Steam Play to make playing Windows games on Linux as simple as hitting the Play button within Steam.
Looks to me like you are full of shit when you talk about Linux gaming because none of those games are native to Linux. They are, in fact, Windows games being run through the use of an emulator, ABI, or the like.
Re: (Score:2)
none of those games are native to Linux
How does it feel to be an idiot? Top 10 native 40%; top 100 native 37%; top 1000 native 27% [protondb.com]
Re: (Score:3)
Commercially, there are thousands of top quality games to play, more than anybody can possibly have time for. Including 50% of top 10, 59% of top 100, 56% of top 1000 Steam games.
The problem is that most people don't want to play top quality games from 5 years ago, they want to play the latest ones. And as you point out, half the current top 10 games on Steam aren't available for Linux, so anyone spending significant chunks of change on a gaming PC is going to want Windows too.
Re: (Score:2)
It's a bit more than that... Microsoft's advice is pretty good, but it fits into a larger design for a secure network, which mostly wasn't understood when many corporate environments were built.
The first key concept is that all administrative activities should be delegated. If you need remote access for "working on everyone's machines", that account is also not a domain admin - it's a separate account with remote access rights and local administrator access configured via GPO. Preferably, it's not even a do
Re: (Score:1)
"Our software is so insecure, you'll probably need two licenses. One to administer the insecure junk, and the other to run the junk."
Re: (Score:1)
Sounds like Linux. Do you run everything on your root account?
They don't want you to buy a computer (Score:2)
In the end, they don't even want you to have a computer at all. Just rent ones in their cloud.
What they don't say (Score:2)
Re: (Score:2)
I have a thumb drive with a ubuntu on it for banking/etc. Before you go there, my main OS is OpenBSD so shove your bigoted "you should always use linux" crap right up your asses. This is my lawn and I have the moral high ground on it.
Re: (Score:1)
So you run a non-stock OpenBSD userland? Meaning, it has non-vetted software on it that the OpenBSD team doesn't directly control?
Yes, it sounds like you're probably right to boot a thumb-drive OS for when you need real security?
Re:What they don't say (Score:5, Insightful)
MS is not an organization one should listen to for advice on security.
Re:What they don't say (Score:5, Interesting)
This policy isn't new, it's almost as old as computing itself. Minimal rights assigned for a window of time is pretty obvious.
Some orgs use a VM as the Admin token machine, bringing it up long enough for updates and to cough tokens, then back to sleep. There is no "endless loop". Root and subsidiary admin rights are two different things. Some orgs go even farther and require MFA + fresh logons for each administrative change. Using tokens (Yubikeys, etc) + another auth factor (valid certs with an expiration) makes perfect sense.
But some people want admin/admin because of convenience. In the interim, lots of malware sniffs wires looking for auth traffic. Then you get jacked, one asset at a time, or maybe wholesale, or maybe just to make you look the fool you are.
and for software that needs to auto update? adding (Score:2)
and for software that needs to auto update? adding users?
people who don't want to pay to have two accounts per admin?
Re: (Score:2)
If you're an administrator, you can turn autoupdate on as default. Add users? Get an admin auth, add users, logoff before the cert expires, drink coffee.
Those paying for two admin accounts are in a pickle. There should NOT BE two admin accounts in a hierarchy. See how directory services infrastructure design works. AD or LDAP, same answer.
Re: (Score:2)
So a regular user, since there are no admins on the system, brings up a VM to issue tokens because some malware on the system is listening for passwords on the network?
One reason I use VM's is because I can easily duplicate them. What stops malware from duplicating, infecting, intercepting the VM? A VM isn't magic. Time and time again we have these stupid ideas that are supposed to protect us which completely ignore the main problem. People. It doesn't matter if you have admin privileges on a system. It ma
Re: (Score:2)
Your experience seems limited. Mine pre-dates Microsoft.
Re: (Score:1)
I had a SecureID card back when I worked for a large medical device multinational. I could use it to log onto my computer at work from home.
Then I installed Interix on my Windows 2000 box at work. I discovered that the Solaris infrastructure (this was a company with Solaris, OS2 and Windows networking layers all on the same wires) didn't know that my Windows 2000 and its Interix subsystem wasn't Solaris. I could create local accounts on my Windows box, fire up Interix and access and manipulate the NFS s
Re: (Score:2)
If you were running Win2K at the time, it was probably NFS v3, which doesn't actually do any user authentication beyond "This client IP is allowed to mount this share".
Re: (Score:2)
What they don't explain is how they're supposed to do this ... without creating an endless loop. How does one admin authorize another admin to do something, when the first admin in turn would need to get "JIT" privileges to do so from a third admin.
If an admin does not need JIT privileges to authorize another admin to perform a task, there's no need for this 'endless loop'.
Re: (Score:2)
How does one admin authorize another admin to do something, when the first admin in turn would need to get "JIT" privileges to do so from a third admin. Lather, rinse, repeat. But, hey, it will sell an infinite number of PCs and OS licenses, which is always their goal.
They have one admin locked in the basement using a Linux laptop.
MS is not an organization one should listen to for advice on security.
MS is an organisation with a huge target painted on their head given they develop the software running the world's computers and provide services for a good chunk of the Fortune 500, including storing sensitive information on their behalf in their cloud offerings.
Yet we don't hear about breaches. So clearly they are doing something right.
Re: (Score:2)
And have lots of easy holes to aim for. To inaccurately paraphrase Wimpy [wikipedia.org]: "I will gladly pay you today for a security fix on Tuesday [wikipedia.org]."
Re: (Score:2)
What they don't explain is how they're supposed to do this...
You don't. The authorisation doesn't require another admin with higher privileges; it is a gate check where the nominated person authorises the access. They themselves don't need the privileges and could be a technical lead, a manager or just another admin. MS very much IS an organisation you should listen to on security. They are the second most attacked entity on the planet (the first being the US government).
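The summary's model (zero rights by default, a time-boxed just-in-time grant, an approver who is a gatekeeper rather than a higher admin, and a log of every step) is easy to state and easy to get subtly wrong, so here is a small broker that implements it end to end. This is an added illustration, not Microsoft's tooling or anything from the thread; role names, the one-hour cap and the two-person rule are constructed assumptions. It also shows why there is no "endless loop": an approver only needs to be on the approver list for a role, not to hold an active grant for it.

```python
"""Minimal just-in-time (JIT) privilege broker (hypothetical example).

Model: admin identities hold no standing rights; a grant for a role is
requested for a finite window, approved by someone else on that role's
approver list, expires on its own, and every decision is appended to an
audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    requester: str
    approver: str
    role: str
    expires_at: datetime


@dataclass
class JitBroker:
    # Requestable roles and the maximum lifetime (minutes) of a grant for each.
    role_ttl_minutes: dict
    # Who may approve each role. Approvers are gatekeepers: they need not
    # hold the role themselves, so approval never chains to a "higher" admin.
    approvers: dict
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, **details):
        self.audit_log.append({"time": now.isoformat(), "event": event, **details})

    def request(self, now, requester, approver, role, minutes):
        """Ask for `role` for `minutes`; returns a Grant or None if denied."""
        if role not in self.role_ttl_minutes:
            self._log(now, "denied", requester=requester, role=role, reason="unknown role")
            return None
        if approver == requester:
            self._log(now, "denied", requester=requester, role=role, reason="self-approval")
            return None
        if approver not in self.approvers.get(role, ()):
            self._log(now, "denied", requester=requester, role=role,
                      reason="approver not authorised for role")
            return None
        # The window is capped by policy, whatever the requester asked for.
        ttl = min(minutes, self.role_ttl_minutes[role])
        grant = Grant(requester, approver, role, now + timedelta(minutes=ttl))
        self.grants.append(grant)
        self._log(now, "granted", requester=requester, approver=approver,
                  role=role, minutes=ttl)
        return grant

    def has_privilege(self, now, user, role):
        """Zero rights by default: only an unexpired grant confers the role."""
        return any(g.requester == user and g.role == role and g.expires_at > now
                   for g in self.grants)

    def expire(self, now):
        """Drop expired grants; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        removed = before - len(self.grants)
        if removed:
            self._log(now, "expired", count=removed)
        return removed


if __name__ == "__main__":
    # Constructed policy: one role, two approvers, grants capped at an hour.
    broker = JitBroker(role_ttl_minutes={"domain-admin": 60},
                       approvers={"domain-admin": {"lead", "alice"}})
    t0 = datetime(2019, 5, 1, 9, 0, tzinfo=timezone.utc)
    broker.request(t0, "alice", "lead", "domain-admin", 240)   # capped to 60
    broker.request(t0, "alice", "alice", "domain-admin", 10)   # denied
    broker.request(t0, "bob", "alice", "domain-admin", 10)     # alice approves without holding the role
    for entry in broker.audit_log:
        print(entry)
```

The audit log, not the grant list, is the record an incident responder reads later; note that a denial is logged with the same detail as a grant.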
Re: (Score:1)
Well, I'm an enterprise admin (one of three, plus additional login info in escrow locked in a literal vault as well as a DR site) for a large state university (over 50k users). We also have a single trusted admin at a sister state school who can get into our shit (and one of us, not me, can get into hers as well). Everything is dual factor.
Every once in a great while I get called for an 'oh shit, it's on fire' workorder after hours. Our enterprise admins each have a junk-assed old *BSD box (not going to say
Been doing that for years (Score:5, Funny)
And so we've come full circle... (Score:2)
No Internet for administrator (Score:4, Insightful)
The "no Internet for administrator" rule is the right thing to do, but the rule collapses as soon as you have to search the web for how to do X or why Y fails.
Re: (Score:2)
I’m more worried about “no internet for accounting” than the system administrators.
The other accounts are much easier to lock down, and there is real and immediate concern for financial transactions...
Re: (Score:2)
How do you update a system as an admin without internet access?
Re: (Score:2)
How do you update a system as an admin without internet access?
WSUS server handles this easily. If you're anything bigger than a small business (like max 50 or so employees) and you're not running WSUS, you're doing it wrong.
Re: (Score:2)
Or run a Windows-based enterprise with Exchange/AD 2019 which automatically (and for some Microsoft licenses requires) publishes your stuff to the Azure cloud.
Only a rough start (Score:2)
No admin rights and all storage for everything on storage devices that are backed up. Any software installations done by documented and approved processes.
No USB, Firewire, SCSI or any other device ports allowed.
No direct Internet access, all through proxy servers which limit what sites you can access, and provide initial anti-virus/trojan ad-blocking...
All user systems wiped at the end of the day and restored from last good image.
This would reduce attacks by almost 90% or so.
Re:Only a rough start (Score:4, Interesting)
No USB, Firewire, SCSI or any other device ports allowed.
How does the device's keyboard connect? How does the user import or export data from or to the "storage devices that are backed up"?
No direct Internet access, all through proxy servers which limit what sites you can access, and provide initial anti-virus/trojan ad-blocking...
Does this proxy server MITM the credit union or bank that the user is checking while the user is on break?
Re: (Score:3)
Use your damn phone to check your bank account
Is there guest Wi-Fi? And is it similarly MITM'd?
Re: (Score:2)
Which introduces the problem of needing a wage raise to pay for data overages.
Re: (Score:2)
Most issues I have to deal with consist of people opening infected documents that the anti-virus/trojan protecting software hasn't detected. This software tends to affect bloated software that users demand but hardly use, like MS Office. In my experience you would probably prevent 1%, not 90%, because the viruses will be stored and backed up. When user land software needs to run with elevated privileges it's a recipe for trouble.
It's stupid a user needs to be administrator to interact with peripherals. That'a
Re: (Score:2)
Servers should only boot from write-protected floppy.
No hard drives.
(i'm not joking, btw)
How many floppies are we talking about?
A windows server install with server apps could take days to boot.
Netboot FTW...
What's old is new again (Score:5, Funny)
May 2019: Microsoft discovers "sudo" -- We all welcome them to 1980.
Re: (Score:3)
No, it doesn't. It's one of the most annoying things to me as an admin trying to follow secure practices. Windows has it right with the GUI since Windows 7 with UAC - it's convenient enough that you want to use it, and it minimizes the surface of your system run in full permissions mode. For command line, however, Windows has nothing good. All Windows has for the command line terminal is 'runas', which is nowhere near as useful as 'sudo', and doesn't even elevate permissions like 'sudo' does, so it's nigh-o
Microsoft Recommends (Score:2)
reducing your attack surface.
At least they're talking about stuff they have experience in...
Re: (Score:2)
Well, they have a lot of surface to reduce, so it is easy to do _something_.
Furthermore... (Score:2)
So they know their stuff is insecure crap (Score:3)
Not really a surprise, but it is surprising that they admit that. I don't believe I have ever heard advice like that for any Unix or Unix-like OS.
Re: (Score:2)
Not really a surprise, but it is surprising that they admit that. I don't believe I have ever heard advice like that for any Unix or Unix-like OS.
Well maybe not but I would consider something like it.
Last year I was looking into the open-source Ansible tool to maintain all my servers. I don't really have that many (a dozen or so) but I was still very attracted to the possible elimination of so many repetitive tasks.
Ultimately I realized that in order to be effective the system using Ansible would have to have private keys that could be used to acquire root privileges on every target system. Not even my laptop has that. (Private keys to every
Re: (Score:3)
Common wisdom has it that it is not needed. The rationale is a bit like this: If system administration is bad enough (and in *nix it is the sysadmin that lets most attackers in, not a flawed OS), then the systems you log into are just as easily attacked. Hence you do not win a lot but have a lot more effort. Of course, you do some hardening on the machine. Also note that user-separation is a lot better and local privilege escalation a lot harder on a well administrated *nix system than on Windows. Apparentl
Re: (Score:3)
I think there is a philosophical difference, to be sure. No one would grant a *nix user root access. In ye olden days, you would use su and in modern times you would use sudo. Not that having access to those commands doesn't come with the risks, but in general, if you're logged on to a *nix system, privileges are generally defined as folder and file access, and root privileges are something you grab, as a sysadmin, when you need them. I suppose if you allow root logins for X sessions or something like that,
Re: (Score:2)
in modern times you would use sudo.
[...]
everything since then has become kludgy workarounds (like UAC).
In practice, what's the difference between the UAC flow and the sudo flow?
Re: (Score:3)
sudo is small, compact and uses exactly two simple and clear mechanisms from the OS, the suid/sgid bits and a standard privilege drop. It has a simple and clear plain-text configuration. UAC is an intransparent, complicated mess.
Re: (Score:2)
I think it's a philosophical difference. When I have to go into a shell to do a root-level operation, I'm actually putting some thought into what I'm doing. I think it's the difference between a GUI mentality and a CLI mentality. When I need to go into /etc via bash and I'm using "sudo vi whatever.conf" I'm far more conscious than when I double click on a protected file in a file browser and getting a permissions escalation dialog. I have the same complaint about such mechanisms in any GUI.
Re: (Score:1)
if you're logged on to a *nix system, privileges are generally defined as folder and file access,
And the irony is that the most valuable part of the system is the user's content in the ~/ home directory hierarchy. Everything else can be spun back off of an ISO and an Updates server.
The only thing that matters is the part left wide open and vulnerable.
Yeah, I know. Sysadmins have more important matters to worry about than user content.
Re: (Score:2)
And the irony is that the most valuable part of the system is the user's content in the ~/ home directory hierarchy. Everything else can be spun back off of an ISO and an Updates server.
That is very much not true on the typical server system. On a desktop system, yes, but I trust you have backups?
Re: (Score:2)
True, but so long as someone can't get access to root privileges, at least the operating system can't be compromised. Once that happens all bets are off.
Re: (Score:2)
Nonsense. I use direct root login and root login via ssh. That is _more_ secure than using su or sudo when needing to do things as root. The whole reasoning is flawed. Ubuntu started doing it for root access at some time and far too many others followed mindlessly. The whole approach is targeted at systems maintained by their users and sparing them learning a second password.
Re: (Score:2)
It may be a bit of security through obscurity, but I have root login disabled in sshd. Yes someone could still potentially hack my account via dictionary attack, but every *nix system has the root user.
Re: (Score:2)
With regular Ansible you can use a passworded SSH key; this is the sort of use case SSH keys are for. You will need to use NOPASSWD for the sudo commands Ansible will need, one possibility would be to use a service account which only allows login via SSH key to minimize attack vectors (still not ideal).
Things get easier with Ansible Tower, as there's a full featured credential system in there. A minimal use of it would be to configure the jobs to prompt for a username/password at the beginning, or select
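Two of the hardening points raised above (disabling root login in sshd, and keeping any NOPASSWD sudo rule an automation account needs scoped to named commands rather than ALL) are the kind of thing that drifts over time, so here is an offline checker for both. This is an added example, not part of the thread and not Ansible's or OpenSSH's own code; the sshd_config and sudoers text embedded in it is constructed, and the parsers cover only the common line shapes shown, not the full sudoers grammar.

```python
"""Offline audit of sshd_config and sudoers for two hardening points
(hypothetical example): PermitRootLogin must be 'no', and NOPASSWD rules
must be scoped to specific commands rather than ALL."""
import re

# Constructed sample files; the findings below are driven by these lines.
SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
"""

SUDOERS = """\
# constructed sample sudoers
root    ALL=(ALL:ALL) ALL
ansible ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/apt-get update
%wheel  ALL=(ALL) ALL
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the effective setting of each keyword.
    sshd honours the first occurrence of a keyword, so later duplicates are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


# user  hosts=(runas) TAG: cmd, cmd   (runas and tags optional)
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudoers(text):
    """Return a list of {user, runas, nopasswd, cmds} for each user specification."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue  # aliases and other constructs are out of scope here
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"),
                      "runas": m.group("runas") or "root",
                      "nopasswd": "NOPASSWD" in tags,
                      "cmds": cmds})
    return rules


def audit(sshd_text, sudoers_text):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    ssh = parse_sshd_config(sshd_text)
    # OpenSSH's built-in default is prohibit-password; we want an explicit 'no'.
    prl = ssh.get("permitrootlogin", "prohibit-password")
    if prl != "no":
        findings.append("sshd: PermitRootLogin is %r; set it to 'no' and log in "
                        "as a named user, then escalate" % prl)
    if ssh.get("passwordauthentication", "yes") == "yes":
        findings.append("sshd: password authentication enabled; prefer "
                        "passphrase-protected keys")
    for r in parse_sudoers(sudoers_text):
        if r["nopasswd"] and "ALL" in r["cmds"]:
            findings.append("sudoers: %s has NOPASSWD for ALL commands; restrict "
                            "it to the commands automation actually runs" % r["user"])
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, SUDOERS):
        print(finding)
```

The `deploy` rule in the sample is the shape to aim for with an Ansible service account: passwordless sudo, but only for an enumerated list of full-path commands, so a stolen key cannot be turned into an unrestricted root shell.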
Hell (Score:2)
Re: (Score:2)
All non manual labor jobs are at least 75% adult daycare.
1) Incompetence, 2) Marketing Gimmick, 3) Both (Score:1)
There are 3 ways I can see to interpret this:
1. Windows is so leaky that you need physical separation.
2. A ploy to sell more OS licenses because you need 2 PC's instead of 1.
3. Both
#3 reminds me of a company I once worked for. It was a chemical plant engineering company that merged with an environmental cleanup company. The merger then was actually getting paid to clean up their own messes.
Contractors for special military contracts were ofte
Windows (Score:1)
Enjoy the GPU and CPU support. What MS supports games creators with.
Try any real OS for anything that's important.
Microsoft Security (Score:2)
b. Provide zero rights by default to administration accounts
c. Administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee's normal work identity.
d. Boot from a Linux CD [distrowatch.com] and do your admin tasks from there.
Separation (Score:2)
And, indeed, let me reiterate something that I've been saying for years.
To perform any kind of non-ordinary-user task on a machine (i.e. not inside, related to, or via a "user profile" of some kind, but actually on the machine itself - whether installing software that affects all users, adding drivers, updating the OS or whatever) you should NOT have to... log in as an ordinary user via the normal process but with special privileges.
What you *should* be doing is switching the computer to a maintenance mode.
Re: (Score:2)
Nice wish list. Sounds more like magic than how computers work but I will point out the closest things to your description and it's the computing device I trust the least. My phone. I bought and paid it in full and yet don't have access to make any changes. I have no idea what the software does and no way to install anything on it to determine how my information is used. Yet we hear reports of malware creeping into the system. This single user system is the least trustworthy of all my systems. It's also the
Re: (Score:2)
All of this is swell if you handling classified state secrets. My company's departmental PowerPoint presentations on how little IT got done on the project this week aren't worth this sort of hassle.
There's NOTHING at my company I think is worth this hassle.
There's probably NOTHING at 90% of the companies using the recommendations in TFA that are worth the extra hassle.
But SOMETHING has to justify the IT budget, and make users feel like SOMETHING is being done. And that's why our computers keep getting more
God fucking damn it (Score:2)
I am so sick of this.
The corporation I work at is doing a lot of this stuff and it's killing the IT department, forcing it to waste time with extra "virtual paperwork" and slowing the workflow with special requests for temporary local admin rights to perform even the most basic functions when trying to fix a problem...
Re: (Score:2)
Your pain is largely caused by your company's bureaucratic implementation.
It is possible to follow the guidance with minimal disruption. Some processes may need to change, but it's not really bad.
If there is a lot of paperwork for JIT privileges (and you use JIT privileges frequently), then someone screwed up. I don't know where the blame lies because I don't know your company. Plus, Microsoft's guidance does not exclusively recommend JIT privilege assignment; there are alternatives.
Of course, your exper
This is very old news (Score:2)
Microsoft has recommended this practice for a long time as a mitigation of pass-the-hash attacks [microsoft.com].
If you are accessing the internet and managing your servers from the same OS... you are doing it wrong. This isn't just a Microsoft thing either, although it is critical in a primarily Windows environment.
There are free virtualization options. Or, for the most basic solution, extra admin workstations are a drop in the bucket compared to most corporate infrastructure.
Quebes OS or Containerization? (Score:2)
The best moves you can make for security are going Open Source as much as possible, having code and infrastructur
How could we make it more onerous? (Score:2)
My company makes developers use a separate account for privileged operations. So I wind up entering a second set of credentials several DOZEN times a day. I literally just spent an hour and a half fighting this to try Elasticsearch. Ultimately, there was so much confusion caused between installing under the privileged account, and running it under the normal account, that I finally just uninstalled it, downloaded the zip, and ran in by hand in a command window. (Thank goodness the Elastic guys offer this so
Re:Duh wha? (Score:5, Funny)
and the access only lasts for 5 minutes before reverting.
Because everything an administrator needs to do can be done in less than 5 minutes.
Re: (Score:2)
Oh that would be a joy when I'm trying to figure out why an Exchange mailbox file isn't mounting! Every five minutes, on top of trying a metric butt-ton of bizarre half-page long Powershell commands, I get to re-request admin access. Yeah, that will just make things go more smoothly.
"Oh hell, it's secure! There ain't nobody on the fucking planet who can complete the diagnostic and get to the data."
Re: (Score:1)
Wait, let me get this straight...
"Deny all and then make exceptions..."
What a novel idea!
If only someone could come up with a command for a superuser to do something. MS really should patent this idea.
Re: (Score:2)
The underlying OS may be pretty good (though I still find it an inelegant beast compared to *nix), but Windows 10's GUI is a bug-ridden and fragile mess. It's like the old Active Desktop on steroids, and just as quirky.
Re: (Score:1)
Don't be silly. We paid good money to have them install a network jack in the bathroom closet so we could put the mail server in there.
Re: (Score:1)
just like our lives in front of such badly run computers.
Are you talking about the computer you are running?