Restrict Privilege Escalation

Overview

Privilege escalation is the process by which an attacker acquires the ability to perform a greater variety of tasks on the organization’s information systems from those that they were able to perform when they gained an initial beachhead on the network. An example of privilege escalation would be for the attacker to start with access to the credentials of a standard user account and to use a variety of techniques to end up with a local administrator or greater privileges. The end goal of privilege escalation is to acquire full administrative privileges. In an Active Directory environment this would be the equivalent of the attacker gaining domain admin privileges.

Restricting privilege escalation is about limiting the ways in which an attacker can take a compromised unprivileged account. Methods of reducing the probability of privilege escalation include:

• Privileged access workstations
• Just enough administration
• Just in time administration
• Restrictions on administrative accounts

Just enough administration

Just Enough Administration (JEA) allows organizations to create special PowerShell endpoints that limit which PowerShell cmdlets, functions, parameters, and values can be used during a connection to the endpoint. Rather than having to use a specially configured administrator account to perform an administrative task, just enough administration allows for a standard user account to leverage a special virtual account when connected to the PowerShell endpoint. JEA minimizes the chance of privilege escalation by allowing standard accounts to perform extremely limited privileged tasks only when connected to specific PowerShell endpoints.

Just in time administration

Just in time administration is a technology where administrative privileges are provided only for a limited amount of time. When not granted administrative privileges, accounts only have standard user privileges. It is also possible to have those limited time privileges only granted subject to approval by another person. Just in time administration makes privilege escalation difficult because privileges are time limited, subject to request and approval where necessary, and can be limited in scope. Just in time administration can be combined with JEA.

Restrictions on administrative accounts

One way of limiting the possibility of privilege escalation is by restricting where administrative accounts can be used. For example, only allow administrative accounts for sensitive servers to be used on PAWs or those sensitive servers, do not allow those accounts to be used to sign on to servers or workstations that aren’t sensitive. You can also configure sensitive administrative accounts so that they can only be used at certain times of the day.

In highly secure environments, administrative accounts can be further limited by implementing an Enhanced Security Administrative Environment (ESAE) forest. In this model, the only accounts with administrative privileges in the production forest are standard user accounts that are stored in the privileged forest.

The production forest has a one-way trust relationship with the privileged forest. This means that accounts from the production forest cannot interact with the privileged forest. An attacker that compromises an account in the production forest cannot elevate privileges as that would require the ability to create or modify accounts stored in the privileged forest, which is impossible because the privileged forest does not trust the production forest.