Remote system administration provides powerful and flexible access to systems and services. But, with great power comes great responsibility. If an attacker is able to compromise these management interfaces, they will often inherit full control of your systems. This is a common area of high risk, one we see again and again.
Thankfully, there’s a relatively new approach to help reduce this risk. It’s called Privileged Access Management, or PAM. This blog post aims to highlight the risks of remote system administration and raise awareness of how PAM can help.
Remote adminstration
There are a number of approaches to what we call ‘Remote Administration’. When running a system or service, you’ll probably need the ability to log into the components that underpin it. You might use technologies such as SSH, RDP or PowerShell to run commands on a server. Or your administration functions may be conducted through a web-based dashboard or management client, enabling such actions as software installation, configuration and debugging.
Any of these approaches is ‘normal’. But, in order to be effective, remote administration requires high privileges. ‘Root’, ‘administration’ and ‘superuser’ are common terms we use to reflect the level of access required. With such access, services can be turned off, their intended operation changed or sensitive information modified or downloaded. Attackers know the kind of power which comes with these privileges and consequently target such users and accounts.
Imagine what would happen if an attacker were able to access your management interfaces? We’ve written about this before, discussing issues around attackers compromising devices used for remote management. I recommend you to read that post, but the main take-away is that you should use ‘Browse down’ for remote management, not ‘Browse up’.
Browse down vs Browse up management
Let’s quickly re-visit these concepts. The difference between the two centres on the environment and devices you use to access and perform system administration.
If an attacker is able to compromise your management devices, he or she may be able to inherit its administration access. They could then use your device, or devices, as a proxy to perform follow-on attacks.
- Browse up – You administer your systems from ‘low trust’ devices that are at heightened risk of being compromised, such as a personal home computer.
There are a number of factors that may reduce how much you should trust a device. Running as a local administrator increases the risk of accidentally installing malware. Accessing email on a device increases the risk of becoming a victim of spear-phishing. The browse up model is bad security practice.
- Browse down – You administer your systems from ‘high trust’ devices that have a low risk of being compromised. The device has properties that make you trust it more.
There are many factors which may help you gain trust in a device. Examples include platform lock-down, accessing email from a different environment, a non-persistent operating system and secure boot. Browse down is the recommended security model.
To summarise, browse up is bad for security and browse down is a more secure approach. We do pay a price for gaining this security though. More infrastructure is needed, and it can be a bit more of a pain for administrators to use. This is the classic security vs usability problem, finding a balance can be difficult. This is why browse up is so common.
Luckily, we do have another weapon in our defensive tool chest that’s gaining traction. It’s called Privileged Access Management, or PAM for short.
Introducing PAM
Let’s start with an analogy. There is a warden of a town and she sometimes needs to go into various buildings to perform warden duties. To do so, she needs a key. The traditional model of system administration could be compared to the warden owning a master key to every building of the town. She carries it around with her where ever she goes, even taking it home after work. It’s nice and easy for her to perform her duties, but let’s just hope she doesn’t lose that key! The warden is also a prime target for attackers because the master key is very valuable.
In contrast, Privileged Access Management may be compared to a process whereby the warden does not outright have a master key. Instead, she must walk into a carefully controlled office and request it. The receptionist recognises the warden, puts an entry into the log book and hands the key over to her. The key only allows the warden to enter the town hall and nothing else. She must return the key before the day is finished. This model sounds like a workable solution, its usable but also more secure. We can copy these principles for system administration.
If you haven’t guessed, in this analogy, the town is the system and the buildings are the components that make up that system. The office is a privileged access management solution, and the receptionist is authenticating the warden (administrator).
The request and return process is sometimes referred to as ‘Just in time administration’. Access is only granted when it’s needed, with a valid reason, and access expires. Instead of being given a master key, only the town hall key is provided. This is the ‘least privileged’ component and often referred to as ‘Just enough administration’. The entry in the log book is the audit. The audit events can then feed into a security monitoring strategy and be used to facilitate reporting.
In summary
Remote management interfaces and the devices used to perform these functions are extremely valuable to attackers because they grant exactly the type of access they’re looking for. So you need to protect them carefully.
Browse up is a bad security model, but is often used as it makes administration easier for staff to manage. Privileged Access Management (PAM) helps mitigate some of these risks. Browse down is better, and coupled with privileged access management, can really help you gain confidence in your management interfaces.
Toby W
Security Architect
Source: National Cyber Security Centre
