
Multiple admin accounts

    #1

    Looking for some thoughts from the collective.
    So where I am currently working, engineers have anywhere between 2 and 4 admin accounts. First time I have seen this. It is split into:

    Local Admin Account
    Remote Admin Account
    Domain Admin account
    Cloud admin account

    Depending on your role you could have up to all of these, plus your normal network log in.

    Is this not overkill? Or is it best practice?
    It's the first time I have seen something like this.

    As part of our Cyber security review we are now tasked with ensuring all are MFA enabled. Now the cloud accounts are in Azure, we have Azure MFA. Happy days.

    Senior management now want another MFA solution to manage MFA on the other admin accounts. My argument is we don't need them. Consolidate to one admin account that is synced to Azure, MFA enabled and appropriate permissions set. Job done.



    #2
    Very much depends on the context.

    Why was it set up like this to begin with?
    What are the risks they are mitigating by doing this?
    What is their risk appetite?
    Are they operating in a heavily regulated area?
    What is the threat profile for the business?

    For a small business making commercial widgets it's probably overkill.

    For a business operating in Defense, Civil Nuclear, CNI, global finance etc it's probably appropriate.

    Be careful trying to argue for change without understanding the reasons for the existing setup. You may be right and they can consolidate, simplify and make some savings; or you may end up exposing your ignorance and looking silly.

    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



      #3
      Originally posted by DaveB (post #2 above, quoted in full)
      Thanks DaveB,

      Business is in manufacturing. Nothing like defence or highly sensitive.
      It was set up like this as they didn't know any better. Their thought process was that if someone gains access to one set of credentials, they may have access to one platform (i.e. on-prem or cloud) but not the rest. It was to set up security boundaries. It's kind of an "if it ain't broke, don't touch it" mentality here rather than looking to improve.

      This was pre cloud/Azure/Office 365 days, whereas we are now more in a hybrid state.

      The side I am coming from, I guess, is that to meet our cyber security requirements we need MFA on all admin accounts. Wouldn't it be easier to consolidate, simplify and use one MFA solution rather than having to manage multiple MFA solutions for different accounts?

      Appreciate the response.



        #4
        Originally posted by MonkeysUncle (post #3 above, quoted in full)
        Hmmm... Without getting too deep into the detail (I designed high-level secure environments but not the technology and process details to support them!), I agree that an SSO user account is preferable for several reasons, but I would have added a secondary layer at the head of each major platform, keyed to individual user IDs. You would, however, still need a master account to change those permissions as necessary, so if the admin for Platform A went under a bus, someone (or better, at least two someones) could let someone else in.

        As with all such things, it's the management process that's the hard part...
        Blog? What blog...?



          #5
          The idea of having separate standard accounts and admin accounts is to reduce the risk. E.g. if you're logged in as domain admin to check your email, browse the internet, etc., then an attacker could potentially get full control over your entire network. Likewise, if you need to install new software on a PC, you only need local admin rights rather than domain admin rights, so different levels of admin accounts fit in with the principle of least privilege. However, the problem then becomes that you either have a separate local admin account for every client or you have one account with admin rights on every machine, at which point an attacker could still do a lot of damage with it.

          There's a book called "Protect Your Windows Network" (ISBN 0-321-33643-7) where the authors say that you should never log in to a client machine with admin rights, i.e. all software should be packaged via something like SCCM and managed centrally. That seemed a bit ambitious in 2005 when the book was published, but I think it's a bit more attainable nowadays. If you can achieve that, you don't need a local admin account.

          There are also "just in time" privileges, e.g. with PIM for Azure AD. E.g. you might be allowed to take on role X, but you have to explicitly request it, and say how long you want it for. When that time elapses, you lose the permissions until you request it again. So, if you ran a dodgy macro by mistake (without going through the PIM process), the malware wouldn't have those privileges.

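The risk described in #5 (a Domain Admin credential typed into a workstation to read email or browse, where anything running on that box can steal it) is also something you can detect from the Security log after the fact. The following is an added example, not code from the thread. It assumes the ActiveDirectory module is available where it runs, that the privileged groups are the built-in defaults, and that you read 4624 events on the workstations themselves or on a Windows Event Forwarding collector, because an interactive logon is logged on the host where it happens, not on the domain controller. The `PAW01` allow-list entry and the 4624 event at the bottom are constructed so the parsing and matching can be tried offline.

```powershell
# Added example (not from the thread): flag interactive logons by Tier-0 accounts on
# hosts where they should never be used. Assumes the ActiveDirectory module and read
# access to the Security log (Event Log Readers). The sample event below is constructed.

# Built-in groups whose members are treated as Tier 0. Extend to suit your forest.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Logon types where the credential was entered on the target host and is therefore
# exposed to whatever runs there: console, RDP and cached-credential logons.
$InteractiveLogonTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-PrivilegedSamAccountNames {
    # Recursive so nested groups are covered; drop computers, gMSAs and nested groups.
    $names = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
    }
    $names | Sort-Object -Unique
}

function ConvertFrom-Logon4624 {
    # Read the named EventData fields out of the event XML. Field names are stable
    # across OS versions, whereas Properties[] indices are easy to get wrong.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        # System/Computer is the host the logon landed on; EventData/WorkstationName
        # is the client the request came from (for RDP they differ).
        Host      = ($EventXml.Event.System.Computer -split '\.')[0]
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = [int]$data['LogonType']
        SourceWs  = $data['WorkstationName']
        SourceIp  = $data['IpAddress']
    }
}

function Find-TierViolations {
    param(
        [Parameter(Mandatory)][object[]]$Logons,          # output of ConvertFrom-Logon4624
        [Parameter(Mandatory)][string[]]$PrivilegedNames, # output of Get-PrivilegedSamAccountNames
        [string[]]$AllowedHosts = @()                     # PAWs / jump hosts you maintain (assumption)
    )
    $Logons | Where-Object {
        $InteractiveLogonTypes.ContainsKey($_.LogonType) -and
        $PrivilegedNames -contains $_.Account -and        # -contains is case-insensitive
        $AllowedHosts -notcontains $_.Host
    } | ForEach-Object {
        "$($_.Time.ToString('u')) $($_.Domain)\$($_.Account) $($InteractiveLogonTypes[$_.LogonType]) logon on $($_.Host) from $($_.SourceWs) ($($_.SourceIp))"
    }
}

# Live use on a workstation or WEF collector (uncomment):
# $priv   = Get-PrivilegedSamAccountNames
# $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#           ForEach-Object { ConvertFrom-Logon4624 ([xml]$_.ToXml()) }
# Find-TierViolations -Logons $logons -PrivilegedNames $priv -AllowedHosts @('PAW01')

# Constructed 4624 event for an offline run: a Domain Admin RDPs into a finance laptop.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2023-05-01T08:15:00.000Z"/>
    <Computer>LT-FINANCE07.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">adm-jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">DESKTOP-HOME</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
  </EventData>
</Event>
'@
Find-TierViolations -Logons @(ConvertFrom-Logon4624 $sample) -PrivilegedNames @('adm-jsmith') -AllowedHosts @('PAW01')
```

The offline run prints one line for the constructed event because the account is in the privileged list, logon type 10 is interactive, and `LT-FINANCE07` is not an allowed host. Checking `System/Computer` rather than `WorkstationName` matters: for an RDP logon the latter names the admin's client machine, which is not where the credential ended up.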


            #6
            Originally posted by MonkeysUncle (the opening post, quoted in full)

            Best practice would be to use PIM, with one account.
            See You Next Tuesday



              #7
              Originally posted by Lance
              Best practice would be to use PIM, with one account.
              Bumping this, I came across a relevant article recently:
              Secure access practices for administrators in Azure AD | Microsoft Docs
              "Global Administrator (and other privileged groups) accounts should be cloud-only accounts with no ties to on-premises Active Directory."
              I.e. the Azure global admin should be "[email protected]" rather than "[email protected]".

              Regarding PIM, you need to have the Global Reader role just to log into the portal (in order to request/assign another admin role), and that's probably more than you want for everyday activities. Also, on-prem admin roles don't support PIM.

              By implication, that means that the on-prem domain admin accounts won't be used for Azure admin, and therefore they shouldn't be replicated to Azure AD at all. (I.e. there should be a filter within Azure AD Connect which excludes those accounts, based on group membership.)

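hobnob's point in #7 is checkable: if on-prem privileged accounts are supposed to be excluded from Azure AD Connect, you can list the ones that have made it into the tenant anyway. The following is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, an existing `Connect-MgGraph` session with `User.Read.All`, and the default Azure AD Connect source anchor (objectGUID, which appears in the cloud as `onPremisesImmutableId`). The group list, the `adm-jsmith` account and the cloud users at the bottom are constructed so the matching logic runs offline.

```powershell
# Added example (not from the thread): report on-prem privileged accounts that have been
# synchronised to Entra ID / Azure AD. Assumes the ActiveDirectory and Microsoft.Graph.Users
# modules, a Connect-MgGraph session, and objectGUID as the sync source anchor (the default).

# adminCount-protected groups plus a few operator groups; extend to suit.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

function ConvertTo-ImmutableId {
    # Azure AD Connect's default sourceAnchor is the AD objectGUID, Base64-encoded
    # from its raw bytes. That string is what the cloud object carries as
    # onPremisesImmutableId, so it is the reliable join key between the two directories.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-OnPremPrivilegedUsers {
    # Recursive membership; nested groups and computer objects are dropped.
    $users = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties adminCount |
            Select-Object SamAccountName, ObjectGUID, adminCount
    }
    $users | Sort-Object ObjectGUID -Unique
}

function Find-SyncedPrivilegedAccounts {
    param(
        [Parameter(Mandatory)][object[]]$OnPremUsers,  # objects with SamAccountName, ObjectGUID
        [Parameter(Mandatory)][object[]]$CloudUsers    # objects with UserPrincipalName, OnPremisesImmutableId
    )
    # Index cloud users once so the comparison is O(n) regardless of tenant size.
    $byImmutableId = @{}
    foreach ($c in $CloudUsers) {
        if ($c.OnPremisesImmutableId) { $byImmutableId[$c.OnPremisesImmutableId] = $c }
    }
    foreach ($u in $OnPremUsers) {
        $id = ConvertTo-ImmutableId -ObjectGuid $u.ObjectGUID
        if ($byImmutableId.ContainsKey($id)) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                CloudUpn       = $byImmutableId[$id].UserPrincipalName
                ImmutableId    = $id
            }
        }
    }
}

# Live use (uncomment). One paged Graph call for all synced users beats one call per admin.
# Assumption: your tenant accepts the onPremisesSyncEnabled filter; if not, drop -Filter and
# keep only objects whose OnPremisesImmutableId is set.
# $cloud = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" -Property UserPrincipalName,OnPremisesImmutableId
# Find-SyncedPrivilegedAccounts -OnPremUsers (Get-OnPremPrivilegedUsers) -CloudUsers $cloud

# Constructed data for an offline run: one Domain Admin that was synced, one cloud-only GA.
$guid   = [guid]'11111111-2222-3333-4444-555555555555'
$onPrem = @([pscustomobject]@{ SamAccountName = 'adm-jsmith'; ObjectGUID = $guid })
$cloud  = @(
    [pscustomobject]@{ UserPrincipalName = 'adm-jsmith@corp.example.com'; OnPremisesImmutableId = (ConvertTo-ImmutableId $guid) },
    [pscustomobject]@{ UserPrincipalName = 'ga-jsmith@example.onmicrosoft.com'; OnPremisesImmutableId = $null }
)
Find-SyncedPrivilegedAccounts -OnPremUsers $onPrem -CloudUsers $cloud
```

The offline run reports `adm-jsmith` and nothing else. When the report is not empty, the fix hobnob describes is an inbound sync rule in the Synchronization Rules Editor scoped on the accounts you want to keep out (the `adminCount` attribute equal to 1 covers members of the protected groups) that flows the constant `True` into `cloudFiltered`; that removes the object from the tenant on the next sync without moving it out of a synced OU.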


                #8
                Originally posted by hobnob (post #7 above, quoted in full)
                You don't need any role to access PIM unless the tenant has been set to prevent normal users from seeing Azure (not the default setting). If you were restricted to using PIM for only Global Readers, that would defeat the purpose of PIM.

                Cannot comment on the other points as I always use cloud accounts for admin roles.
                See You Next Tuesday
