Protect your Windows network from excessive administrator rights

Every developer or user on your network with administrative privileges adds risk of account compromise. Review privileges and take these steps to better manage Windows network access rights.


It was once normal for Windows users to be local administrators on their machines, mainly because the Microsoft Windows developer ecosystem needed administrator rights to run software. The introduction of User Account Control (UAC) with Windows 7 was controversial. It was a long-term program to eliminate the need for developers to have administrator rights when running software. We’ve since come a long way, and most people now realize that we can no longer run our machines with administrator rights.

If you are still struggling for justifications for why you shouldn’t run your Windows machines with administrator rights, a recent Twitter post by Sean Metcalf listed several reasons: 

  1. It makes it easier for an attacker to get a foothold on that system simply by compromising that account. The attacker now has local administrator rights and can dump Local Security Authority Subsystem Service (LSASS) and local Service Management Automation (SMA) for more credentials.
  2. It makes logging more complicated. If all users do not have local administrator rights, you can monitor for suspicious privileged access activity using the “authenticated as local administrator” event (event 4672). If all users are administrators, monitoring for this and related events is useless.
  3. When the user has local administrator rights, ransomware has all the access it needs to totally brick the system.
  4. If all workstations share the same local administrator password, then the compromise of a single user account results in the compromise of all workstations. An attacker can do this in minutes. To solve this issue, put in place a solution such as Local Administrator Password Solution (LAPS).
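Item 2 above is the detection point: once ordinary users are no longer local administrators, event 4672 should only ever fire for a short, known list of accounts, and anything else is worth a look. The following is an added example, not code from the article or from Sean Metcalf; it triages constructed, single-line renderings of 4672 events (not real event-log output) against a hypothetical allowlist of accounts that are expected to hold special privileges.

```python
"""Added example: triage Windows Security event 4672 ("Special privileges
assigned to new logon") against an allowlist of accounts expected to hold
elevated privileges. The sample lines below are constructed, not real logs."""
import re
from collections import Counter

# Constructed sample events, flattened to one line each (not real event-log output).
SAMPLE_EVENTS = [
    "EventID=4672 Account Name=SYSTEM Account Domain=NT AUTHORITY Privileges=SeTcbPrivilege,SeDebugPrivilege",
    "EventID=4672 Account Name=svc-backup Account Domain=CORP Privileges=SeBackupPrivilege,SeRestorePrivilege",
    "EventID=4672 Account Name=jdoe Account Domain=CORP Privileges=SeDebugPrivilege,SeBackupPrivilege",
    "EventID=4624 Account Name=asmith Account Domain=CORP LogonType=2",
    "EventID=4672 Account Name=admin-it01 Account Domain=CORP Privileges=SeTakeOwnershipPrivilege",
    "EventID=4672 Account Name=jdoe Account Domain=CORP Privileges=SeDebugPrivilege,SeBackupPrivilege",
]

# Hypothetical allowlist of (domain, account) pairs expected to receive special
# privileges on a workstation: SYSTEM, named service accounts, the admin tier.
EXPECTED_PRIVILEGED = {
    ("NT AUTHORITY", "SYSTEM"),
    ("CORP", "svc-backup"),
    ("CORP", "admin-it01"),
}

# Account Domain may contain a space ("NT AUTHORITY"), so the lazy match is
# anchored by the optional Privileges field or by any trailing key=value pairs.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Account Name=(?P<name>.+?) Account Domain=(?P<domain>.+?)"
    r"(?: Privileges=(?P<privs>\S+))?(?: \w+=\S+)*$"
)


def parse_event(line):
    """Return a dict with id, name, domain and privilege list, or None if unparseable."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    privs = m.group("privs").split(",") if m.group("privs") else []
    return {"id": int(m.group("id")), "name": m.group("name"),
            "domain": m.group("domain"), "privileges": privs}


def unexpected_privileged_logons(lines, expected=EXPECTED_PRIVILEGED):
    """Return the 4672 events whose account is not on the allowlist."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == 4672 and (ev["domain"], ev["name"]) not in expected:
            hits.append(ev)
    return hits


def tally_by_account(events):
    """Count flagged events per DOMAIN\\name so a noisy account stands out."""
    return Counter(f"{ev['domain']}\\{ev['name']}" for ev in events)


if __name__ == "__main__":
    flagged = unexpected_privileged_logons(SAMPLE_EVENTS)
    for acct, n in tally_by_account(flagged).items():
        print(f"{acct}: {n} unexpected privileged logon(s)")
```

On the constructed sample only the standard user `jdoe` is flagged (twice). If every user were a local administrator, every interactive logon would produce a 4672 and the allowlist would have to contain everyone, which is exactly why the article says the event becomes useless in that configuration.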

UAC security concerns

Relying on UAC on Windows 7 and Windows 10, however, is not enough. Attackers can use tools such as UACMe to gain access to a system. UACMe abuses the built-in Windows AutoElevate backdoor. UAC is not a security boundary. As Raymond Chen noted, “UAC is not a security feature. It’s a convenience feature that acts as a forcing function to get software developers to get their act together.” UAC was introduced as a process to move the ecosystem away from demanding administrator rights on a system. Don’t be complacent and understand that attackers know more about these weaknesses than you do. 

Azure is not immune from the need to control and protect administrators. Instead of local administrators on workstations, you need to monitor the use and protection of global administrators. As of August 2019, Microsoft had identified that only 8% of global administrator accounts were protected with multi-factor authentication. Without MFA an attacker can use a password spray attack to take over a global administrator role.

A further attack concern includes elevation of rights of an Office 365 global administrator. As Metcalf wrote in his blog, if an Office 365 global admin account is compromised, the attacker can toggle a role called “Access management for Azure resources”. Toggling this access in the admin console adds the account to the user access administrator role in Azure RBAC at the root scope (which has control over all subscriptions in the tenant).  

To better protect the global administrator role, monitor the Azure AD global administrator role for changes and enforce MFA on all accounts that have the global administrator role. You also want to make sure you have the proper licensing. An Azure AD Premium 2 license is needed to add Azure AD Privileged Identity Management (PIM). Alternatively, you can obtain PIM access with an E5 license.
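The two controls just described, watching the global administrator role for membership changes and making sure every member has MFA, can be reduced to a small periodic check. The example below is added here and is not code from the article; it works on constructed sample records (a hypothetical tenant's current role members, the set of users with a registered MFA method, and the member list from the previous review) rather than on output from the Azure portal or the Microsoft Graph API, which you would substitute in practice.

```python
"""Added example: review the Azure AD global administrator role from three
constructed inputs: the current member list, the set of users with a
registered MFA method, and the member ids from the last review. All data
below is constructed; it is not Azure portal or Microsoft Graph output."""

# Constructed snapshot of global administrator members (hypothetical tenant).
CURRENT_MEMBERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example"},
    {"id": "u2", "userPrincipalName": "bob@contoso.example"},
    {"id": "u4", "userPrincipalName": "breakglass@contoso.example"},
    {"id": "u5", "userPrincipalName": "carol@contoso.example"},
]

# Constructed: user ids that have registered a strong authentication method.
MFA_REGISTERED = {"u1", "u4"}

# Constructed: member ids recorded at the last review, used to detect changes.
BASELINE_IDS = {"u1", "u2", "u3"}


def admins_without_mfa(members, mfa_registered):
    """UPNs of global administrators that have no registered MFA method."""
    return sorted(m["userPrincipalName"] for m in members if m["id"] not in mfa_registered)


def membership_changes(baseline_ids, members):
    """Ids added to or removed from the role since the baseline snapshot."""
    current_ids = {m["id"] for m in members}
    return sorted(current_ids - baseline_ids), sorted(baseline_ids - current_ids)


def mfa_coverage(members, mfa_registered):
    """Fraction of global administrators protected by MFA (0.0 to 1.0)."""
    if not members:
        return 1.0
    protected = sum(1 for m in members if m["id"] in mfa_registered)
    return protected / len(members)


def review_global_admin_role(members, mfa_registered, baseline_ids):
    """Combine the checks into one report dict suitable for alerting."""
    added, removed = membership_changes(baseline_ids, members)
    return {
        "without_mfa": admins_without_mfa(members, mfa_registered),
        "added": added,
        "removed": removed,
        "mfa_coverage": mfa_coverage(members, mfa_registered),
    }


if __name__ == "__main__":
    report = review_global_admin_role(CURRENT_MEMBERS, MFA_REGISTERED, BASELINE_IDS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any non-empty `added` or `removed` list is a change to the most powerful role in the tenant and should be reconciled against an approved request; any entry in `without_mfa` is an account that a password spray can take over outright.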

Enable Privileged Identity Management

PIM adds the following privileged access management (PAM) protections to your global administrator accounts: 

  • Provide just-in-time privileged access to Azure AD and Azure resources.
  • Assign time-bound access to resources using start and end dates.
  • Require approval to activate privileged roles.
  • Enforce MFA to activate any role.
  • Use justification to understand why users activate.
  • Get notifications when privileged roles are activated.
  • Conduct access reviews to ensure users still need roles.
  • Download audit history for internal or external audit.

As Microsoft states:

“Privileged access management is enabled by configuring policies that specify just-in-time access for task-based activities in your tenant. It can help protect your organization from breaches that may use existing privileged administrator accounts with standing access to sensitive data or access to critical configuration settings. For example, you could configure a privileged access management policy that requires explicit approval to access and change organization mailbox settings in your tenant.”

To enable PIM

  1. Launch the Azure portal.
  2. Go to “Privileged Identity Management”.
  3. Go to “Azure AD Directory Roles – Overview” and click on “Wizard”, which will walk you through the process.

Think of PIM as an automated approval process that has your system make sure that only the people who should be accessing a process are really accessing it. Each sub-administrator of a process will be required to obtain access through an approval process.


Setting roles in PIM

When setting up the just-in-time management approval process, review how long the access activation will stay in place. Keep this short, but not so short that your administrators are rushed to complete tasks. PIM allows you to track administrative users in Azure AD, Office 365 and Microsoft Intune.

Set up MFA for Office 365 users

Finally, enable MFA for all Office/Microsoft 365 users, whether or not they have administrator or global administrator rights. You can implement two-factor authentication with tools including physical keyfobs or tokens, SMS messaging, office phone number call back, or an authentication application. You can use Microsoft’s or Google’s authentication app as your preferred virtual token.

Your key take-away should be to implement MFA. Your account is more than 99.9% less likely to be compromised if you use MFA. Is it foolproof? No, but using any form of MFA takes you out of reach of most attacks.

Copyright © 2020 IDG Communications, Inc.