Limiting privilege is a process, not an event

Back to Blog
24Mar2020

Limiting privilege is a process, not an event

In some past blogs I have highlighted the importance of devices in your security, management and compliance journey. Why do I harp on that? Because it is the starting point.

The mantra takes various forms, but basically you cannot protect what you cannot see. This applies to devices of course, but also to applications. However, it is difficult to progress to managing applications if you don’t have inventory and control of devices. Without the complete picture of devices, you lack the complete picture of apps in use on those devices. That’s why devices come first.

But applications are second. You have to establish a good inventory AND control of your software so that you can move closer to your ultimate goal: removing administrative privileges so that your users DO NOT install their own software and cannot elevate their session to allow apps to change anything about their device.

Why limit privilege?

Truthfully, I have waffled a bit on this point. Yes, there are modern tools available that can help us to reduce attack surface (e.g. Exploit Guard) and do some other things like isolate web browser sessions in Hyper-V containers (Application Guard). And yes–these things would allow you to minimize certain types of common risks without necessarily removing admin rights… but the very best way to mitigate your risks to the highest extent possible still boils down to removing admin privilege on end-user devices. It’s difficult to argue on this point.

Now that doesn’t make the endpoint bulletproof, but man it really makes life for attackers more difficult. If they get onto an endpoint and find out they have full control and admin privilege, they just get so many more degrees of flexibility and options for moving around–so why let them live off the land like that? If you settle for less than this, you are accepting a higher level of risk, even if you have an EDR and all the other fanciness that I mentioned above.

But the number one reason IT admins don’t take away privileges is that they simply do not know what the users need or might need in order to be productive. What if they take away privilege and then the user gets stuck, what if they can’t can’t get the software they need when they need it?

Two problems: technical and non-technical

There are really two issues at play here.

  1. Admins and the primary stakeholders in the business don’t even know what’s out there and why (Shadow IT), and therefore have no control over the software in their environment
  2. There is no corporate guidance around what apps to use (approved) and what apps to avoid (non-approved), as well as no approval process for new apps that are wanting to come into the fold

And so the solution here really needs to address both aspects. We can help the business implement some tools from a technical perspective–and that’s what I’m going to discuss in my next article–but ultimately the business must develop a written policy and procedure that is communicated out to the org: what is our standard, approved tool-set, and how do we deal with outliers or new requests? It doesn’t have to be highly complicated but you need management buy-in to deploy and enforce the policy effectively.

3,2,1, Lockdown

The other big thing to understand here is that you cannot jump from zero visibility all the way into lock down mode. Generally that is going to be begging for headaches and chaos on your support desk and bad user experiences; not to mention your efforts won’t be effective anyway if you don’t have an accurate inventory up front. In short: try to be smart about how you move folks up the security maturity chain.

This is why my (recently updated) Windows 10 Business guide includes a spectrum of security profiles, from Standard/Low to Enhanced/Medium and finally High. But note that you can (and probably should) put very high risk or highly privileged users, including your tenant administrators, on the highest security profile quickly. So called lower-risk or standard-risk users can start out at a lower tier. Your goal, ultimately, should be to remove local admin privilege everywhere that you can. But build to it.

You and other admins should “go first” and feel the full effects and experience of running without admin locally, and having more controls placed against the device. This means turning up the Defender settings to the max–all the attack surface reduction rules and other features.

Besides limiting the “local” attack surface for users who have the broadest amount of privilege at a “global” scale, this will also give you a chance to appreciate the impacts on end-user experience. Now you will understand the controls fully before asking your co-workers and/or customers to wear the same yoke, as it were.

Alternative solution?

Another solution that I’ve seen gaining popularity is the idea that endpoints are kept as ephemeral as possible, and you just burn them to the ground as frequently as you can (even daily) and start over again.

See the source image
Stole this from a Tweet I saw recently, but can’t find it now to give author credit…

Maybe this gives users a bit more flexibility on the devices throughout any given day or session, but the effect on attackers is that they cannot establish footholds or persistence on the device, which is a frustrating experience to say the least.

That’s cool–if you can make that kind of strategy work using your corporate endpoint management tools then go for it. But the pre-requisites for achieving this kind of result are still exactly the same–even if the device is more static, and less ephemeral:

  1. Inventory and control of hardware devices
  2. Inventory and control of software / applications
  3. Patching/continuous vulnerability management

You would have no way of wiping and reloading frequently, or removing session data and starting each day out fresh, without first having control of those endpoints and without a complete list of software that is needed on the endpoint for productivity.

That’s enough for today

I believe that I have probably already beat the idea of device compliance to a pulp on this site–in short: Conditional Access in Microsoft 365 helps to ensure that if your device has access, it is in the inventory and under control by Intune a.k.a. Microsoft Endpoint Manager. And that takes care of that first step we talked about: devices.

In another post, I’ll show you some of the many ways we can get a handle on the apps in our environment using various tools in Microsoft 365. In this regard, I don’t think I’ve done an adequate job of covering the breadth and depth that we have available to us yet. But note: not all of these capabilities are available right out of the gate with the Business SKU; nevertheless add-ons from the Enterprise space are available to help you fill in gaps as needed with some important recent announcements that make this even more attractive.

Technical , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

15Aug

Find out why Windows Server 2016 Essentials Experience still matters

Upcoming Windows Server Essentials Experience Series For many months now, I have been playing around with the Windows Server 2016 Technical Previews, especially the Essentials Experience role. You might ask: Why? Does the Windows Server Essentials product matter anymore, now that we have Office 365 and have moved well past the... read more
11Jan

Why a “Hybrid” or Remote Move Migration is Always the Right Choice

True, hybrid does require more up-front configuration, and of course there are those pesky pre-requisite requirements of having Exchange 2010 or 2013, as well as Azure AD Connect for Directory Synchronization. But the benefits do outweigh these concerns—trust me. The overall time commitment to your migration project... read more
Limitations with MDB Standalone
02Jun

What are the limitations with Microsoft Defender for Business Standalone?

Most of my readers will already be familiar with Microsoft Defender for Business (MDB), which is included with Microsoft 365 Business Premium. And a majority of those will be deploying MDB as one part of a broader security solution which includes other services within the... read more
01Mar

Limiting privilege in Microsoft 365 Business

One of the most important things you can do for boosting your security posture on any technology platform (Microsoft or otherwise), is limiting administrative privilege. We have long known that any given user should really only have enough access to do their jobs, and nothing... read more
22Aug

Why MDM for Office 365 may be obsolete, with updates to Exchange Active Sync

Disclaimer: This is not breaking news, what I am about to describe has been available for a while, but I just haven't gotten around to blogging about it. Previously I wrote about MDM for Office 365, and I had to update that article since Microsoft... read more
01Jun

My Essential Checklist for Settting up any New Windows 10 Pro Device

This post features the things I do when setting up any (personal) Windows 10 Pro device, whether it's for myself, my family members, clients, or anyone really. I usually do these things with security / compliance in mind--but some of it comes down to preference (I think... read more
14Mar

Office 365 Email encryption vs. Rights Management templates

This is a four-part post on Azure Rights Management for Office 365. The Azure RMS service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization. Follow along as we explore how to: Activate Azure Rights Management... read more
20Sep

How to enable auditing in Exchange Online

Microsoft 365 has a powerful Security & Compliance center that is becoming cooler every quarter that goes by. However, one rather important piece to understand is that auditing (logging of certain activities) is not turned on by default. They are in the process of updating... read more
22Nov

Updates to my Exchange Online and Office 365 ATP scripts

Just a quick note--this week I updated the Exchange Online and ATP scripts that I publish and use to provision new tenants--to fall more in line with the new best practices that were published by the Exchange Online Protection and Office 365 ATP teams.* You... read more
30May

Automate the deployment of a standalone Hyper-V host server using PowerShell

In this article, I wanted to document a standard, standalone Hyper-V server deployment for a small business using nothing but PowerShell. The best practices for Hyper-V state that the role should be enabled on a server without the GUI (e.g. Core or Nano--although I rarely see this done in a small... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me