
We are currently trying to enhance the security posture of our company, and this means changing how some IT personnel work.

Put precisely, our IT helpdesk currently have 2 separate accounts: 1 for normal day-to-day usage (mails, internet, etc...), and 1 for administrative tasks. The latter is a privileged account having several rights on the AD and some servers.

The way they work is not very secure when it comes to supporting the users: they use their privileged account to login to the user's workstation and perform tasks where admin rights are needed.

But my question is more accurately related to network drives being mapped in their privileged account's profile. They insisted on using the same logon script as with their standard account.

Do you have any recommendations, references to guidelines, and/or best practices in such a case? I'd like to present them with some resources to convince them it's not secure to have network drives mapped in this profile.

I tried to explain to them that if they log in to a 'contaminated' workstation, their privileges might spread the infection to the network... But they did not understand and argued they need to access some files on the network while assisting the users. They don't want to waste time typing UNC paths, etc...

Fire Quacker
Ob1lan
  • Are the admin accounts templated in a way that makes it possible to tell if they're admin? You could modify the drive map script to mount drives with a read-only account when it detects an admin login. – user Jan 07 '20 at 14:39
  • I'm confused. Why is this a risk? If they need to access resources, then they would log in manually. How is the risk different if it is automatic? Are you thinking ransomware? – schroeder Jan 07 '20 at 14:46
  • @schroeder : ransomware is one major fear in this context. Usually, they don't need to access network resources while using their priv account to support the user. So in most cases, the network drives are not useful. I insist on a fact : they log in to the end-user workstation with the priv account... If this machine is infected, or if the IT staff click on a SPAM link or perform any other action that enables a virus, this could spread on the network drives. – Ob1lan Jan 07 '20 at 14:50
  • Then I'm not sure what else to say that you haven't. It's the mapped drive letters that are the risk. It's an open door for ransomware, if they trigger one. – schroeder Jan 07 '20 at 14:53
  • @schroeder thanks for your reply and confirmation. I'm more looking for official guidelines stating that. Because the said IT personnel won't just listen to us... They think we are being paranoid for implementing such 'policies'... I searched for best practices/guidelines on the net, but didn't find any satisfactory material to show them. – Ob1lan Jan 07 '20 at 14:55
  • The issue is that there isn't necessarily a "Best Practice". Security and usability can often be trade offs, and that is the inherent issue you are facing. They consider the convenience to them to be more important than the potential risk. Showing them "Best Practices" would be unlikely to change their mind in such situation. If they understand the risk, decide that it isn't worth the inconvenience, and management agrees, then you are unlikely to change their minds. Now if you get hit by ransomware and it spreads to network drives - **that** might change their minds. – Conor Mancone Jan 07 '20 at 15:02
  • I would simply show them the ransomware types that specifically look for network drives. Like Locky: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/ – schroeder Jan 07 '20 at 15:04

0 Answers