The process for managing administrative risk is as follows:
1. Recognize the vulnerabilities introduced by network administration.
2. Establish security boundaries. Understanding the security boundaries provided by the operating system is essential in determining the scope of authority that administrators have. In addition to understanding where these boundaries are, you must also understand when to apply them. To do so, you need to know the key concepts of isolation and autonomy as they relate to service administration and data administration.
3. Reduce the administration attack surface. Reducing the attack surface is a sound security design principle that can be applied to any part of your security design. If you can reduce the number of things that can be attacked or the avenues that can be used to attack them, the network will be more secure. Reducing the attack surface can take many forms, but one of the easiest things to do is to eliminate things that are not needed. To reduce the ability of attackers to use administrative accounts and channels to attack networks, reduce the number of things in total that administrators must manage and reduce or partition the scope of their management by delegating authority. While these actions are also examples of least privilege, they illustrate a reduction in the attack surface quite nicely. If the administrator's account were to be compromised, the attacker would have less ability to do damage because the surface or range of things that can be attacked has been reduced.
4. Evaluate and carefully judge your administrators. The people who are trusted with the administration of your network must be trustworthy. Although you can limit authority, every bit of authority can be used to destroy important parts of your systems and data. In addition, at some point, someone must have absolute authority to keep systems running, correct errors introduced by others, troubleshoot problems, and so on. Checking the backgrounds of potential administrators and repeating the process periodically is crucial to the survival of your information systems.
5. Monitor and audit administrative work. Administrators are people: they make mistakes, they have needs and desires, they face temptations, and they are as likely to want to harm systems as any other employee. The difference is that administrators have the power and authority to harm systems easily. Often, because an administrator has unlimited privileges, an attacker with administrative credentials or a malicious administrator can prevent operations from being audited or can delete the audit record of his activity by deleting the security log.
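Step 5 names the failure mode a defender most wants to catch: an administrator (or someone holding administrative credentials) clearing the security log to erase the record of what was done. Windows does not let the clear itself go unrecorded; the first entry written to the freshly emptied Security log is an event stating that the log was cleared and by which account. The following PowerShell script, an added example that is not from the book, queries that event on one or more domain controllers and reports who cleared the log and when. It assumes the caller can read the Security log on the target machines (for example, as a member of the Event Log Readers group) and that the event ID is 1102, which is the Security log's "audit log was cleared" event on Windows Vista/Server 2008 and later (the older Windows Server 2003 equivalent is event 517). The `$ComputerName` and `$Days` parameters are the example's own.

```powershell
# Added example (not from the book): report Security-log-clear events so that a
# cleared log is itself an auditable action rather than a gap in the record.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # domain controllers to query
    [int]$Days = 7                                    # how far back to look
)

$since = (Get-Date).AddDays(-$Days)

foreach ($dc in $ComputerName) {
    # Event ID 1102 = "The audit log was cleared" (Security log, Vista/2008 and later).
    # On Windows Server 2003 the equivalent Security event ID is 517.
    $filter = @{ LogName = 'Security'; Id = 1102; StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no clears found".
        if ($_.Exception.Message -like '*No events were found*') { $events = @() }
        else { Write-Warning "$dc : $($_.Exception.Message)"; continue }
    }
    foreach ($e in $events) {
        # The clearing account is carried in the event's UserData/LogFileCleared block.
        $xml  = [xml]$e.ToXml()
        $data = $xml.Event.UserData.LogFileCleared
        [pscustomobject]@{
            Computer = $dc
            Time     = $e.TimeCreated
            Subject  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            RecordId = $e.RecordId
        }
    }
}
```

Because the clear event lives in the same log that was just wiped, a second clear would remove the first clear's record too. The script therefore only closes the gap fully when it runs against logs that are also forwarded to a collector the administrators cannot clear; run it on a schedule and treat any result as something to reconcile against a change record.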
The following topics provide the information and guidelines you need to complete most of these tasks.
Note Evaluating the trustworthiness of administrators is beyond the scope of this book, but it must be done. It is a topic for the legal and human resources departments of your organization to pursue. You can, however, protect your network from untrustworthy administrators by ensuring sound security principles are practiced, by designing an Active Directory infrastructure that meets your autonomy and isolation needs, and by auditing the actions of administrators. Auditing is discussed in Chapter 9.