
It's my understanding that if you're logged into your Windows PC as DOMAIN\DUDE.NAME and you have access to \DOMAINFILES\SECRET STUFF\SUPER SECRETS.xlsx, any process you run can also access that file - there is no easy way to "launch process without access to [insert entities here]".

So when DUDE.NAME runs, for a random example, a video conferencing software (that doesn't require admin, so they aren't admin), it's still running as their user account, and effectively could access network folders behind the scenes and steal data.

What is the industry best practice for this? Do you simply run this risk? I find executives want easy access to their secret files but want to be able to run programs they obtain from the web. Maybe they download "Easy Tax Calculator!" which doesn't need admin, simply runs as their account, gives them a crappy interface long enough to run code in the background to steal data and send it off.

2 Answers


The best practice is exactly the same as for every privileged account (administrator, root, etc.): don't use it as a standard account.

All you need to do is NOT grant access to the DUDE.NAME account to the sensitive data and use HIGHSEC.DUDE.NAME instead.

You can effectively couple that with some form of isolation if necessary. For instance, you can require the user connect to a terminal services server using the HIGHSEC.DUDE.NAME account in order to access the sensitive data.

Stephane
This is a good answer, as it effectively grants the permission to only the app/process that you do a "RunAs" or "Run As Administrator" on. Granted, if you have multiple processes that are masquerading credentials for the super-user, then you are back to Square 1 (though with only a subset of apps instead of all of them). – armani Apr 16 '15 at 15:11
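An added example, not part of Stephane's answer or of any vendor tooling: a PowerShell script that checks whether the separation described above actually holds on the share's NTFS ACL (no Allow entry for DUDE.NAME or any of its groups, an Allow entry for HIGHSEC.DUDE.NAME), and then launches only Excel under the high-security account so the rest of the desktop keeps running as the everyday user. Assumed names: domain `DOMAIN`, share path `\\DOMAINFILES\SECRET STUFF` (the UNC form of the path in the question), the `excel.exe` path as written in gowenfawr's answer, and that the ActiveDirectory RSAT module is installed for `Get-ADPrincipalGroupMembership`.

```powershell
# Added example (not from the original answer). Assumptions: domain DOMAIN,
# accounts DOMAIN\DUDE.NAME and DOMAIN\HIGHSEC.DUDE.NAME, share \\DOMAINFILES\SECRET STUFF,
# RSAT ActiveDirectory module available on the machine running this.
param(
    [string]$SharePath      = '\\DOMAINFILES\SECRET STUFF',
    [string]$DailyAccount   = 'DOMAIN\DUDE.NAME',
    [string]$HighSecAccount = 'DOMAIN\HIGHSEC.DUDE.NAME'
)

# All access control entries on the folder, inherited ones included.
$acl = Get-Acl -Path $SharePath

# Identities through which the everyday account could be granted access:
# the account itself, every AD group it is a member of, and the broad
# built-in groups that a standard user is always part of.
$dailySam = $DailyAccount.Split('\')[-1]
$dailyIdentities = @($DailyAccount)
$dailyIdentities += Get-ADPrincipalGroupMembership -Identity $dailySam |
    ForEach-Object { "DOMAIN\$($_.SamAccountName)" }
$dailyIdentities += 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Any Allow ACE matching one of those identities means DUDE.NAME (and so every
# process DUDE.NAME runs) can still reach the data.
$leaks = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $dailyIdentities -contains $_.IdentityReference.Value
}

if ($leaks) {
    Write-Warning "Daily account $DailyAccount can reach $SharePath through:"
    $leaks | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Host "OK: no Allow ACE for $DailyAccount or its groups on $SharePath"
}

# Confirm the high-security account is the one that actually gets in.
$hasHighSec = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $HighSecAccount
}
if (-not $hasHighSec) {
    Write-Warning "$HighSecAccount has no direct Allow ACE on $SharePath (may be granted via a group)"
}

# Run a single program under the high-security account. Everything else on the
# desktop keeps DUDE.NAME's token and remains unable to read the share.
$cred = Get-Credential -UserName $HighSecAccount -Message 'High-security account password'
Start-Process -FilePath 'C:\Program Files\Microsoft Office\excel.exe' `
    -ArgumentList "`"$SharePath\SUPER SECRETS.xlsx`"" `
    -Credential $cred
```

Two caveats when using this: it inspects NTFS ACEs only, so share-level permissions on the file server (`Get-SmbShareAccess` on that server) need a separate check, and `Start-Process -Credential` requires that the high-security account be allowed to log on locally to the workstation. It also illustrates armani's point: only the one process started with `-Credential` carries the HIGHSEC token, so the blast radius is that program rather than every program the user runs.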

Short version:

  1. You want Mandatory Access Control
  2. Real-world Industry Best Practices use of MAC is rare
  3. The use of bastions is the most common widely-accessible alternative

Long version:

The ability to apply fine-grained controls over not only the users but the processes able to access data is generally only found in Mandatory Access Control systems. Such systems are historically used, for example, to ensure that data with differing government/military classification levels are not inappropriately leaked across classification boundaries.

These systems are generally only seen in government, military, and defense contracting where classification is taken very seriously. "Regular" businesses don't support that level of red tape.

There are various implementations of MAC available to you. Cisco Security Agent used to allow you to do exactly that; say that \DOMAINFILES\SECRET STUFF\SUPER SECRETS.xlsx could only be accessed by C:\Program Files\Microsoft Office\excel.exe and not C:\Program Files\Microsoft Office\outlook.exe. Unfortunately, Cisco killed CSA :*

One workaround you'll see is the use of bastion hosts or bastion environments. For example, a company might block access to their bank from regular workstations, but permit it from a bastion host (RDP or Citrix) which finance employees must log into in order to perform sensitive transactions (e.g., wire tens of thousands of dollars). The browser on the bastion is only used for this purpose, and is therefore less likely to become infected with malware that will capture and forward the bank credentials. The user's desktop browser can still be used to browse the Internet, with all the inherent dangers, without fear of exposing the higher-value transactions to malcode.

It might interest you that non-traditional systems are playing with other concepts of access. In Android, for example, each application is installed and run as a different user id, and access across application ids is not granted by default.

gowenfawr