Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security IT Technology

Microsoft Recommends Using a Separate Device For Administrative Tasks (zdnet.com) 177

In a rare article detailing insights about its staff's efforts in securing its own internal infrastructure, Microsoft has shared some very insightful advice on how companies could reduce the risk of having a security breach. From a report: The central piece of this article is Microsoft's recommendation in regards to how companies should deal with administrator accounts. Per Microsoft's Security Team, employees with administrative access should be using a separate device, dedicated only for administrative operations. This device should always be kept up to date with all the most recent software and operating system patches, Microsoft said. "Provide zero rights by default to administration accounts," the Microsoft Security Team also recommended. "Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system." Furthermore, the OS vendor also recommends that administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee's normal work identity.
This discussion has been archived. No new comments can be posted.

Microsoft Recommends Using a Separate Device For Administrative Tasks

Comments Filter:
  • by Anonymous Coward on Thursday May 09, 2019 @05:12PM (#58566210)

    "What? Security? Privacy?! Don't be ridiculous! Just buy another machine for every machine you currently own."

    • It's called a PAW, and there are multiple ways to do it.
    • by goose-incarnated ( 1145029 ) on Thursday May 09, 2019 @05:55PM (#58566388) Journal

      Sure. Just let me get a Linux computer for logging into my bank accounts, transferring money, doing important confidential things... After all, if my second computer is for admin tasks only, then it doesn't need to be compatible with legacy Windows programs.

      Actually, you could just forget the first computer and use the second computer for everything.

      • by Anonymous Coward

        I use a linux desktop for everyday and RDP to computers for admin tasks.

        My ldap account has no admin privilidges and connets to servers with an account for each service/server.

        That's haw you run a windows network!

      • Sure. Just let me get a Linux computer for logging into my bank accounts, transferring money, doing important confidential things... After all, if my second computer is for admin tasks only, then it doesn't need to be compatible with legacy Windows programs.

        That is only a little better than a separate Windows system. Linux has exploits and malware too. What you really want to do is get a chromebook not a Linux system. Far more secure, far fewer opportunities for the end user to screw up than under Windows or Linux. Of course when running ChromeOS only, disable security and install Linux and you lose the chrome goodness.

        • Sure. Just let me get a Linux computer...

          That is only a little better than a separate Windows system...

          Bzzzzt! Wrong. Linux is way better and everybody knows it, including you, shill.

    • by Anonymous Coward

      "Our software is so insecure, you'll probably need two licenses. One to administer the insecure junk, and the other to run the junk."

    • They want your "Microsoft Account" in their cloud to be the Admin server.

      In they end, they don't even want you to have a computer at all. Just rent ones in their cloud.

  • Is use this device only for administrative tasks. No email, no web surfing, no Facebook, no games.
    • Honestly its a no brainer to at least have a partition with a different OS from what you use daily for "administrative tasks" (for home users, consider any sort of online banking/commerce as an "administrative task")

      I have a thumb drive with a ubuntu on it for banking/etc. Before you go there, my main OS is OpenBSD so shove your bigoted "you should always use linux" crap right up your asses. This is my lawn and I have the moral high ground on it.
      • So you run a non-stock OpenBSD userland? Meaning, it has non-vetted software on it that the OpenBSD team doesn't directly control?

        Yes, it sounds like you're probably right to boot a thumb-drive OS for when you need real security?

    • by msauve ( 701917 ) on Thursday May 09, 2019 @05:45PM (#58566352)
      What they don't explain is how they're supposed to do this...

      Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.

      ...without creating an endless loop. How does one admin authorize another admin to do something, when the first admin in turn would need to get "JIT" privileges to do so from a third admin. Lather, rinse, repeat. But, hey, it will sell an infinite number of PCs and OS licenses, which is always their goal.

      MS is not an organization one should listen to for advice on security.

      • by postbigbang ( 761081 ) on Thursday May 09, 2019 @06:04PM (#58566430)

        This policy isn't new, it's almost as old as computing itself. Minimal rights assigned for a window of time is pretty obvious.

        Some orgs use a VM as the Admin token machine, bringing it up long enough for updates and to cough tokens, then back to sleep. There is no "endless loop". Root and subsidiary admin rights are two different things. Some orgs go even farther and require MFA + fresh logons for each administrative change. Using tokens (Yubikeys, etc) + another auth factor (valid certs with an expiration) makes perfect sense.

        But some people want admin/admin because of convenience. In the interim, lots of malware sniffs wires looking for auth traffic. Then you get jacked, one asset at a time, or maybe wholesale, or maybe just to make you look the fool you are.

        • and for software that needs to auto update? adding users?
          people who don't want to pay to have two accounts per admin?

          • If you're an administrator, you can turn autoupdate on as default. Add users? Get an admin auth, add users, logoff before the cert expires, drink coffee.

            Those paying for two admin accounts are in a pickle. There should NOT BE two admin accounts in a hierarchy. See how directory services infrastructure design works. AD or LDAP, same answer.

        • by MeNeXT ( 200840 )

          So a regular user, since there are no admins on the system, brings up a VM to issue tokens because some malware on the system is listening for passwords on the network?

          One reason I use VM's is because I can easily duplicate them. What stops malware from duplicating, infecting, intercepting the VM? A VM isn't magic. Time and time again we have these stupid ideas that are supposed to protect us which completely ignore the main problem. People. It doesn't matter if you have admin privileges on a system. It ma

      • by Agret ( 752467 )
        I'm guessing you use something like a smart card or auth token generated by a phone app to temporarily elevate your admin rights.
        • I had a SecureID card back when I worked for a large medical device multinational. I could use it to log onto my computer at work from home.

          Then I installed Interix on my Windows 2000 box at work. I discovered that the Solaris infrastructure (this was a company with Solaris, OS2 and Windows networking layers all on the same wires) didn't know that my Windows 2000 and it's Interix subsystem wasn't Solaris. I could create local accounts on my Windows box, fire up Interix and access and manipulate the NFS s

          • If you were running Win2K at the time, it was probably NFS v3, which doesn't actually do any user authentication beyond "This client IP is allowed to mount this share".

      • by axlash ( 960838 )

        What they don't explain is how they're supposed to do this ... without creating an endless loop. How does one admin authorize another admin to do something, when the first admin in turn would need to get "JIT" privileges to do so from a third admin.

        If an admin does not need JIT privileges to authorize another admin to perform a task, there's no need for this 'endless loop'.

        • by msauve ( 701917 )
          If an admin does not need JIT privileges to authorize another admin then they're not following the recommendation, are they?
      • How does one admin authorize another admin to do something, when the first admin in turn would need to get "JIT" privileges to do so from a third admin. Lather, rinse, repeat. But, hey, it will sell an infinite number of PCs and OS licenses, which is always their goal.

        They have one admin locked in the basement using a Linux laptop.

        MS is not an organization one should listen to for advice on security.

        MS is an organisation with a huge target painted on their head given they run develop the software running the worlds computers and provide services for a good chunk of the fortune 500 including storing of sensitive information on their behalf in their cloud offerings.

        Yet we don't hear about breaches. So clearly they are doing something right.

        • by msauve ( 701917 )
          "MS is an organisation with a huge target painted on their head given they run develop the software..."

          And have lots of easy holes to aim for. To inaccurately paraphrase Wimpy [wikipedia.org]: "I will gladly pay you today for a security fix on Tuesday [wikipedia.org]."
      • What they don't explain is how they're supposed to do this...

        Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.

        ...without creating an endless loop. How does one admin authorize another admin to do something, when the first admin in turn would need to get "JIT" privileges to do so from a third admin. Lather, rinse, repeat. But, hey, it will sell an infinite number of PCs and OS licenses, which is always their goal. MS is not an organization one should listen to for advice on security.

        you don't, The authorisation doesn't require another admin with higher privileges, it is a gatecheck where the nominated person authorises the access, they themselves don't need the privileges and could be a technical lead, a manager or just another admin. MS very much IS an organisation you should listen to on security. They are the second most attacked entity on the planet (first being US government).

        • by msauve ( 701917 )
          Oh, so they don't follow the recommendation in order to follow the recommendation, that makes perfect MS sense.
    • by Anonymous Coward

      Well, I'm an enterprise admin (one of three, plus additional login info in escrow locked in a literal vault as well as a DR site) for a large state university (over 50k users). We also have a single trusted admin at a sister state school who can get into our shit (and one of us, not me, can get into hers as well). Everything is dual factor.

      Every once in a great while I get called for an 'oh shit, it's on fire' workorder after hours. Our enterprise admins each have a junk-assed old *BSD box (not going to say

    • no, that is EXACTLY what they do say and is well covered in their tiered administration and PAW/SAW recommendations
  • by PinkyGigglebrain ( 730753 ) on Thursday May 09, 2019 @05:19PM (#58566232)
    For the last 2 decade or so I've had one Windows system for nothing but playing games, and another Linux system for everything else.
  • From mainframes with terminals both common and admin uses to homogenized PCs and phones with universal access through secure channels and back to discrete terminals accessing the cloud with both common and admin uses!
  • by manu0601 ( 2221348 ) on Thursday May 09, 2019 @05:24PM (#58566260)

    The "no Internet for administrator" is the right thing to do, but the rule collapse as soon as you have to search the web how to do X or why Y fails.

    • I’m more worried about “no internet for accounting” than the system administrators.

      The other accounts are much easier to lock down, and there is real and immediate concern for financial transactions...

    • by MeNeXT ( 200840 )

      How do you update a system as an admin without internet access?

      • by wwphx ( 225607 )
        25 years ago where I was at we had two physical boxes, one for admin work, one for regular work: two 15" monitors, two logins. Download patches at our non-admin boxes, copy them onto a share, applied them from our admin side. Worked fine. No email on the admin account, no internet access. CDs and shares were our transfer points. We didn't have USB back then as I recall.
      • How do you update a system as an admin without internet access?

        WSUS server handles this easily. If you're anything bigger than a small business (like max 50 or so employees) and you're not running WSUS, you're doing it wrong.

  • No admin rights and all storage for everything on storage devices that are backed up. Any software installations done by documented and approved processes.

    No USB, Firewire, SCSI or any other device ports allowed.

    No direct Internet access, all through proxy servers which limit what sites you can access, and provide initial anti-virus/trojan ad-blocking...

    All user systems wiped at the end of the day and restored from last good image.

    This would reduce attacks by almost 90% or so.

    • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Thursday May 09, 2019 @07:28PM (#58566648) Homepage Journal

      No USB, Firewire, SCSI or any other device ports allowed.

      How does the device's keyboard connect? How does the user import or export data from or to the "storage devices that are backed up"?

      No direct Internet access, all through proxy servers which limit what sites you can access, and provide initial anti-virus/trojan ad-blocking...

      Does this proxy server MITM the credit union or bank that the user is checking while the user is on break?

    • by MeNeXT ( 200840 )

      Most issues I have to deal with consist of people opening infected documents that the anti-virus/trojan protecting software hasn't detected. These software tend to affect bloated software that users demand but hardly use like MS Office. In my experience you would probable prevent 1% not 90% because the viruses will be stored and backed up. When user land software needs to run with elevated privileges it's a recipe for trouble.

      It's stupid a user needs to be administrator to interact with peripherals. That'a

  • by fahrbot-bot ( 874524 ) on Thursday May 09, 2019 @05:33PM (#58566296)

    ...the Microsoft Security Team also recommended. "Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system."

    May 2019: Microsoft discovers "sudo" -- We all welcome them to 1980.

    • MS has had this for almost 20 years...welcome to 1999.
      • No, it doesn't. It's one of the most annoying things to me as an admin trying to follow secure practices. Windows has it right with the GUI since Windows 7 with UAC - it's convenient enough that you want to use it, and it minimizes the surface of your system run in full permissions mode. For command line, however, Windows has nothing good. All Windows has for the command line terminal is 'runas', which is nowhere near as useful as 'sudo', and doesn't even elevate permissions like 'sudo' does, so it's nigh-o

    • by tanawts ( 786512 )
      https://www.microsoft.com/en-u... [microsoft.com] Think approval gated, JIT remote login authorization for administration of systems, not just local OS Privilege escalation, but also dynamically for, remote systems, webapps, and cloud resources. ;)
  • reducing your attack surface.

    At least they're talking about stuff they have experience in...

  • The OS vendor recommends using the computer as a clipboard to securely hand write secure messages in invisible ink.
  • by gweihir ( 88907 ) on Thursday May 09, 2019 @05:57PM (#58566400)

    Not really a surprise, but it is surprising that they admit that. I don't believe I have ever heard advice like that for any Unix or Unix-like OS.

    • Not really a surprise, but it is surprising that they admit that. I don't believe I have ever heard advice like that for any Unix or Unix-like OS.

      Well maybe not but I would consider something like it.

      Last year I was looking into the open-source Ansible tool to maintain all my servers. I don't really have that many (a dozen or so) but I was still very attracted to the possible elimination of so many repetitive tasks.

      Ultimately I realized that in order to be effective the system using Ansible would have to have private keys that could be used to acquire root privileges on every target system. Not even my laptop has that. (Private keys to every

      • by gweihir ( 88907 )

        Common wisdom has it that it is not needed. The rationale is a bit like this: If system administration is bad enough (and in *nix it is the sysadmin that lets most attackers in, not a flawed OS), then the systems you log into are just as easily attacked. Hence you do not win a lot but have a lot more effort. Of course, you do some hardening on the machine. Also note that user-separation is a lot better and local privilege escalation a lot harder on a well administrated *nix system than on Windows. Apparentl

        • I think there is a philosophical difference, to be sure. No one would grant a *nix user root access. In ye olden days, you would use su and in modern times you would use sudo. Not that having access to those commands doesn't come with the risks, but in general, if you're logged on to a *nix system, privileges are generally defined as folder and file access, and root privileges are something you grab, as a sysadmin, when you need them. I suppose if you allow root logins for X sessions or something like that,

          • by tepples ( 727027 )

            in modern times you would use sudo.
            [...]
            everything since then has become kludgy workarounds (like UAC).

            In practice, what's the difference between the UAC flow and the sudo flow?

            • by gweihir ( 88907 )

              sudo is small, compact and uses exactly two simple and clear mechanisms from the OS, the suid/sgit bits and a standard privilege drop. It has a simple and clear plain-text configuration. UAC is an intransparent, complicated mess.

            • I think it's a philosophical difference. When I have to go into a shell to do a root-level operation, I'm actually putting some thought into what I'm doing. I think it's the difference between a GUI mentality and a CLI mentality. When I need to go into /etc via bash and I'm using "sudo vi whatever.conf" I'm far more conscious than when I double click on a protected file in a file browser and getting a permissions escalation dialog. I have the same complaint about such mechanisms in any GUI.

          • if you're logged on to a *nix system, privileges are generally defined as folder and file access,

            And the irony is that the most valuable part of the system is the user's content in the ~/ home directory hierarchy. Everything else can be spun back off of an ISO and an Updates server.

            The only thing that matters is the part left wide open and vulnerable.

            Yeah, I know. Sysadmins have more important matters to worry about than user content.

            • by gweihir ( 88907 )

              And the irony is that the most valuable part of the system is the user's content in the ~/ home directory hierarchy. Everything else can be spun back off of an ISO and an Updates server.

              That is very much not true on the typical server system. On a desktop system, yes, but I trust you have backups?

            • True, but so long as someone can't get access to root privileges, at least the operating system can't be compromised. Once that happens all bets are off.

          • by gweihir ( 88907 )

            Nonsense. I use direct root login and root login via ssh. That is _more_ secure than using su or sudo when needing to do things as root. The whole reasoning is flawed. Ubuntu started doing it for root access at some time and far too many others followed mindlessly. The whole approach is targeted at systems maintained by their users and sparing them learning a second password.

            • It may be a bit of security through obscurity, but I have root login disabled in sshd. Yes someone could still potentially hack my account via dictionary attack, but every *nix system has the root user.

      • There are ways to deal with this. For instance, keep the ssh keys on a USB drive, and plug in only when you need to run Ansible. Leave your local admin account on the servers, just in case!
      • With regular Ansible you can use a passworded SSH key; this is the sort of use case SSH keys are for. You will need to use NOPASSWD for the sudo commands Ansible will need, one possibility would be to use a service account which only allows login via SSH key to minimize attack vectors (still not ideal).

        Things get easier with Ansible Tower, as there's a full featured credential system in there. A minimal use of it would be to configure the jobs to prompt for a username/password at the beginning, or select

    • Yes, you definitely have heard it if you actually deal in security.
  • So my company has been implementing this PAW structure for the past four years. It's pretty much hell. We're also segmenting our management/administrative network from our basic "office work" network. Being a key member on this project means I get to be on 20 person conference calls with SME's arguing for three hours a day, three days a week for the past four years.
    • The best PAW I've used is a locked down laptop that runs a VM for user functions - and it can boot straight into the VM when you don't need those admin functions.
  • There are 3 ways I can see to interpret this:

    1. Windows is so leaky that you need physical separation.

    2. A ploy to sell more OS licenses because you need 2 PC's instead of 1.

    3. Both

    #3 reminds me of a company I once worked for. It was a chemical plant engineering company that merged with an environmental cleanup company. The merger then was actually getting paid to clean up their own messes.

    Contractors for special military contracts were ofte

  • What you play advanced computer games on.
    Enjoy the GPU and CPU support. What MS supports games creators with.
    Try any real OS for anything that's important.
  • a. Employees with administrative access should be using a separate device, dedicated only for administrative operations.

    b. Provide zero rights by default to administration accounts .. access for a finite amount of time and logs it in a system.

    c. Administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee's normal work identity.

    .. OR ...

    d. Boot from a Linux CD [distrowatch.com] and do your admin tasks from there.
  • And, indeed, let me reiterate something that I've been saying for years.

    To perform any kind of non-ordinary-user task on a machine (i.e. not inside, related to, or via a "user profile" of some kind, but actually on the machine itself - whether installing software that affects all users, adding drivers, updating the OS or whatever) you should NOT have to... log in as an ordinary user via the normal process but with special privileges.

    What you *should* be doing is switching the computer to a maintenance mode.

    • by MeNeXT ( 200840 )

      Nice wish list. Sounds more like magic than how computers work but I will point out the closest things to your description and it's the computing device I trust the least. My phone. I bought and paid it in full and yet don't have access to make any changes. I have no idea what the software does and no way to install anything on it to determine how my information is used. Yet we hear reports of malware creeping into the system. This single user system is the least trustworthy of all my systems. It's also the

    • by Dunkirk ( 238653 ) *

      All of this is swell if you handling classified state secrets. My company's departmental PowerPoint presentations on how little IT got done on the project this week aren't worth this sort of hassle.

      There's NOTHING at my company I think is worth this hassle.

      There's probably NOTHING at 90% of the companies using the recommendations in TFA that are worth the extra hassle.

      But SOMETHING has to justify the IT budget, and make users feel like SOMETHING is being done. And that's why our computers keep getting more

  • I am so sick of this.
    The corporation I woprk at is doing a lot of this stuff and it's killing the IT department, forcing to waste time with extra "virtual paperwork" and slowing the workflow with special requests for temporarly local admin rights to perform even the most basic functions when trying to fix a problem...

    • Your pain is largely caused by your company's bureaucratic implementation.

      It is possible to follow the guidance in with minimal disruption. Some processes may need to change, but it's not really bad.

      If there is a lot of paperwork for JIT privileges (and you use JIT privileges frequently), then someone screwed up. I don't know where the blame lies because I don't know your company. Plus, Microsoft's guidance does not exclusively recommend JIT privilege assignment; there are alternatives.

      Of course, your exper

  • Microsoft has recommended this practice for a long time as a mitigation of pass-the-hash attacks [microsoft.com].

    If you are accessing the internet and managing your servers from the same OS... you are doing it wrong. This isn't just a Microsoft thing either, although it is critical in a primarily Windows environment.

    There are free virtualization options. Or, for the most basic solution, extra admin workstations are a drop in the bucket compared to most corporate infrastructure.

  • You don't need a separate device, you need a separate container, having extra devices for intentional over complication doesn't increase security, it creates extra points of risk and failure. Having automatic privilege deescalation is a surprisingly good idea, coming from Microsoft, but it's not new and isn't insightful, most Linux admins I know, including myself, have been doing this for years.

    The best moves you can make for security are going Open Source as much as possible, having code and infrastructur
  • My company makes developers use a separate account for privileged operations. So I wind up entering a second set of credentials several DOZEN times a day. I literally just spent an hour and a half fighting this to try Elasticsearch. Ultimately, there was so much confusion caused between installing under the privileged account, and running it under the normal account, that I finally just uninstalled it, downloaded the zip, and ran in by hand in a command window. (Thank goodness the Elastic guys offer this so

Keep up the good work! But please don't ask me to help.

Working...