Protecting system administration with PAM

Created:  15 Aug 2018
Updated:  15 Aug 2018
Author:  Toby W

Remote system administration provides powerful and flexible access to systems and services. But, with great power comes great responsibility. If an attacker is able to compromise these management interfaces, they will often inherit full control of your systems. This is a common area of high risk, one we see again and again.

Thankfully, there's a relatively new approach to help reduce this risk. It's called Privileged Access Management, or PAM. This blog post aims to highlight the risks of remote system administration and raise awareness of how PAM can help.

Remote administration

There are a number of approaches to what we call 'Remote Administration'. When running a system or service, you'll probably need the ability to log into the components that underpin it. You might use technologies such as SSH, RDP or PowerShell to run commands on a server. Or your administration functions may be conducted through a web-based dashboard or management client, enabling such actions as software installation, configuration and debugging.

Any of these approaches is 'normal'. But, in order to be effective, remote administration requires high privileges. 'Root', 'administration' and 'superuser' are common terms we use to reflect the level of access required. With such access, services can be turned off, their intended operation changed or sensitive information modified or downloaded. Attackers know the kind of power which comes with these privileges and consequently target such users and accounts.

Imagine what would happen if an attacker were able to access your management interfaces. We've written about this before, discussing issues around attackers compromising devices used for remote management. I recommend you read that post, but the main take-away is that you should use 'Browse down' for remote management, not 'Browse up'.

Browse down vs Browse up management

Let's quickly re-visit these concepts. The difference between the two centres on the environment and devices you use to access and perform system administration.

If an attacker is able to compromise your management devices, he or she may be able to inherit their administration access. They could then use your device, or devices, as a proxy to perform follow-on attacks.

  • Browse up - You administer your systems from 'low trust' devices that are at heightened risk of being compromised, such as a personal home computer.

There are a number of factors that may reduce how much you should trust a device. Running as a local administrator increases the risk of accidentally installing malware. Accessing email on a device increases the risk of becoming a victim of spear-phishing. The browse up model is bad security practice.


  • Browse down - You administer your systems from 'high trust' devices that have a low risk of being compromised. The device has properties that make you trust it more.

There are many factors which may help you gain trust in a device. Examples include platform lock-down, accessing email from a different environment, a non-persistent operating system and secure boot. Browse down is the recommended security model.

To summarise, browse up is bad for security and browse down is a more secure approach. We do pay a price for gaining this security though. More infrastructure is needed, and it can be a bit more of a pain for administrators to use. This is the classic security vs usability problem, and finding a balance can be difficult. This is why browse up is so common.

Luckily, we do have another weapon in our defensive tool chest that’s gaining traction. It's called Privileged Access Management, or PAM for short.

Introducing PAM

Let's start with an analogy. There is a warden of a town and she sometimes needs to go into various buildings to perform warden duties. To do so, she needs a key. The traditional model of system administration could be compared to the warden owning a master key to every building of the town. She carries it around with her wherever she goes, even taking it home after work. It's nice and easy for her to perform her duties, but let's just hope she doesn't lose that key! The warden is also a prime target for attackers because the master key is very valuable.

In contrast, Privileged Access Management may be compared to a process whereby the warden does not outright have a master key. Instead, she must walk into a carefully controlled office and request it. The receptionist recognises the warden, puts an entry into the log book and hands the key over to her. The key only allows the warden to enter the town hall and nothing else. She must return the key before the day is finished. This model sounds like a workable solution: it's usable, but also more secure. We can copy these principles for system administration.

If you haven't guessed, in this analogy, the town is the system and the buildings are the components that make up that system. The office is a privileged access management solution, and the receptionist is authenticating the warden (administrator).

The request and return process is sometimes referred to as 'Just in time administration'. Access is only granted when it's needed, with a valid reason, and access expires. Instead of being given a master key, only the town hall key is provided. This is the 'least privileged' component and often referred to as 'Just enough administration'. The entry in the log book is the audit. The audit events can then feed into a security monitoring strategy and be used to facilitate reporting.
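A toy model of that request-and-return cycle, written as an added example for this post (it is not code from the original post or any PAM product; the AccessBroker, its policy table and the sample times are all constructed): a request is checked against policy, a key is issued for one target only and expires on its own, and every decision lands in an audit log that can feed monitoring.

```python
"""Toy just-in-time / just-enough access broker (constructed illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    admin: str
    target: str           # the one 'building' this key opens (just enough)
    expires_at: datetime  # the key stops working by itself (just in time)
    returned: bool = False

@dataclass
class AccessBroker:
    policy: dict                                # admin -> targets they may ask for
    ttl: timedelta = timedelta(hours=8)         # keys must be back by end of day
    audit: list = field(default_factory=list)   # the log book; feeds security monitoring
    def _log(self, event, now, **details):
        self.audit.append({"ts": now.isoformat(), "event": event, **details})
    def request(self, admin, target, reason, now):
        """The warden asks for a key, stating why; policy decides, the log records."""
        if target not in self.policy.get(admin, set()):
            self._log("denied", now, admin=admin, target=target, reason=reason)
            return None
        grant = Grant(admin, target, now + self.ttl)
        self._log("granted", now, admin=admin, target=target, reason=reason)
        return grant
    def authorise(self, grant, target, now):
        """Check the key at the door: right building, not expired, not returned."""
        ok = grant.target == target and not grant.returned and now < grant.expires_at
        self._log("used" if ok else "refused", now, admin=grant.admin, target=target)
        return ok
    def return_key(self, grant, now):
        grant.returned = True
        self._log("returned", now, admin=grant.admin, target=grant.target)

def demo():
    now = datetime(2018, 8, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock
    broker = AccessBroker(policy={"warden": {"town-hall"}})
    key = broker.request("warden", "town-hall", "monthly inspection", now)
    results = {
        "town_hall": broker.authorise(key, "town-hall", now),                     # True
        "bank": broker.authorise(key, "bank", now),                               # False: wrong building
        "expired": broker.authorise(key, "town-hall", now + timedelta(hours=9)),  # False: key timed out
        "armoury": broker.request("warden", "armoury", "curious", now),           # None: not in policy
    }
    broker.return_key(key, now + timedelta(hours=2))
    results["after_return"] = broker.authorise(key, "town-hall", now + timedelta(hours=3))  # False
    return results, broker.audit
```

The audit list is the part a real deployment would ship to the SIEM: a 'refused' or 'denied' event outside normal hours is exactly the signal the security monitoring strategy mentioned above wants to see.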

In summary

Remote management interfaces and the devices used to perform these functions are extremely valuable to attackers because they grant exactly the type of access they're looking for. So you need to protect them carefully.

Browse up is a bad security model, but is often used as it makes administration easier for staff to manage. Privileged Access Management (PAM) helps mitigate some of these risks. Browse down is better, and coupled with privileged access management, can really help you gain confidence in your management interfaces.


Toby W
Security Architect

1 comment

Kevin Butler - 20 Aug 2018
Toby,
I like your analogy which does compare well with traditional vaulting of credentials.
It is a key message to get across to business owners and IT people who currently make use of a "whiteboard vault", spreadsheet(s), "simple password wallets", brown envelopes, etc., that these are no longer acceptable mechanisms to store the "keys to the kingdom".

I would encourage every organisation to "update" to a modern Privilege Access Management solution, which should include not only the controlled vaulting of credentials, but also the "automated" login for the credentials for the Enterprise systems, applications and also "cloud based" services.

A PAM solution is also very good at providing controlled and monitored access for 3rd party IT support / Managed services organisations that provide day to day remote support.

Another point to make would be the "validation" of who can ask to use the "keys". Privilege Identity Management is a necessary requirement to "validate" the PAM users, the Admin users, and the target accounts / credentials that are being used to "run the business". You need to be able to answer the key questions: Who has access to what? Who approved the access? How was the access used?

Bottom line, as part of a wider IT security posture, PAM is a very effective capability to have and also provide savings for IT admins when configured to do credential management.

Many customers have also saved 6-8 hours of operations time a month on manual password rotation of service accounts.
