Just-in-Time Administration

Mike Campbell, Senior IAM Consultant, SecureITsource, Inc.

From governments to software, all kinds of things need to be administered. Being an administrator means that you manage or support something, typically a part of a business or an organization and the tools that they use to complete their job. Administrators, sometimes referred to as admins, are typically given access to the full range of options for how to use software they’ve been given access to or have installed themselves. Typically, this is in the form of an Administrator account. Sometimes the admin uses this account to carry out all their normal tasks, not just their privileged ones. We’re going to look at why this is wrong, how we can protect these privileged administrator accounts, and what the concept of “just-in-time” administration is all about.

First, administrators should have a separate non-administrator account for carrying out their day to day operations. This is especially important for access to operating systems like Windows or Linux where users can perform a wide array of actions, including browsing and downloading things from the web. This increases the chances of the account becoming vulnerable to attack, not to mention that every attempt to log in to the account increases the chances of the session being compromised. Obviously, we do not want the accounts that have access to EVERYTHING in our systems to be compromised. This is what privileged account management is all about.

Just-in-time administration adds onto privileged account management by limiting the use of these accounts to a specific amount of time, such as 2 hours. Usually a justification and approval process must happen for access to be granted. The time allotted would be dependent on the task, but the goal is for access to this account to be limited to only when necessary.

There are a couple of ways to approach this. Most organizations use Windows on their PC’s and servers and Active Directory to manage these computers and their users. Windows Server 2016 specifically kicked up its efforts on securing administrative accounts by introducing just-in-time features to Microsoft Identity Manager. Microsoft Identity Manager allows you to set roles that users can request access to for a specific time on a certain date, and includes an approval process. What it is really doing is temporarily adding the user to another Active Directory group which has access to an administrative account using a new time-to-live feature.

This works best when using a secondary secure Active Directory forest for groups that have access to administrative accounts. Beyond that, Microsoft recommends a three-tier approach for handling administrative accounts where the first tier contains accounts that have full access to the environment, such as domain admins, the second is for accounts with administrative access to servers and applications, and the third is for administrative access to workstations.

Applying just-in-time concepts allows us to limit the use of administrator accounts to certain times, and protects the account from the typical vulnerabilities that intruders use to gain access to an organization’s environment. Setting up privileged access in such a way can limit attacks such as pass-the-hash, Kerberos compromises, spear phishing, and more.

This is all great in theory, however, a lot of organizations are not keen on managing multiple Active Directory domains and large enterprises still need more out of a privileged account management solution. Offerings from product vendors such as CyberArk’s Privileged Account Security suite have similar features as well as the ability to automatically rotate passwords, record sessions, and audit access to administrative accounts all under one domain. Regardless, it is nice to see Microsoft adding built-in security features to Active Directory, a piece of software many companies rely on to manage their employee’s access to systems and files.