Introductie Windows Server 2016

117   CHAPTER 5 | Security

With these basics covered, we can move into more detail about the strategy that underpins securing privileged access. Be aware that you will not achieve this strategy overnight; it should be built as a progressive implementation so that the organization's practices can change and adapt to these new principles. As with most strategies, you need to establish short-, medium- and long-term goals. The following table describes the goals, the time frames you should use, and the areas of focus for each goal.

Goal          Time frame             Description
Short term    2- to 4-week plan      Quick mitigation of the most frequently used attacks
Medium term   1- to 3-month plan     Build visibility and control of administrative activity
Long term     6 months and beyond    Build a proactive security posture

Short-term plan

For the short-term goal, it is critical that you mitigate the most frequently used attacks in any organization to provide a secure base. One of the first things you need to do is to establish separation of duties. This means that if you need to perform a privileged-access task, you should have an appropriate privileged-access account to carry it out. You should never grant your standard user account privileged access in a network to perform tasks; this account should always be treated as an ordinary user. The privileged-access account you create for administrative tasks can be audited and tracked in more detail. Because you maintain a separate set of credentials for this account, with stricter requirements, you will be able to contain an attack if your standard user account is compromised.

Securing the local administrator account was previously done during deployment, and the password was rarely changed after it was set. The password was usually kept the same throughout the entire estate of workstations, which led to a huge problem if that single password was compromised. However, if you don't use the same password throughout the estate, you have a more complicated problem: remembering the unique password for each of the workstations. To help you manage the local administrator password for both workstations and servers, Microsoft provides a tool called Local Administrator Password Solution (LAPS). LAPS creates a unique password for each server and workstation in an environment and stores it in Active Directory as a confidential attribute of the computer object. Appropriate access control lists are applied to these attributes so that only the authorized accounts can read and retrieve them as necessary. For more information on LAPS, go to

The final key part of the short-term goals should be focused on creating privileged access workstations (PAWs). PAWs are hardened workstations implemented specifically to act as a controlled point of administration for more secure systems. PAWs would be restricted from accessing the Internet or unsecure resources, ensuring that their attack surface is kept to an absolute minimum. Only a restricted set of authorized users would be able to sign in to the PAWs, which in turn reduces the ability to attack the secure parts of the network. For more information on PAWs, go to

Figure 5-3 illustrates the steps that you can take as part of your short-term plan.
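The two properties the text attributes to LAPS, a per-machine password that the client rotates on a schedule and an ACL that limits who can read it, are both things an administrator should verify rather than assume. The following PowerShell script is an added example, not from the book: it reports computers in an OU that LAPS is not managing or whose password has passed its expiry, and lists every principal granted read access to the confidential password attribute. It assumes the ActiveDirectory and AdmPwd.PS (legacy LAPS) modules are installed, uses the legacy LAPS schema attribute names (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime), and the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example (not from the book): audit LAPS coverage and password-read rights for one OU.
# Assumes the ActiveDirectory and AdmPwd.PS modules; $ou is a placeholder distinguished name.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder OU; replace with your own

# 1. Coverage: every computer in scope should carry a LAPS expiration timestamp.
#    ms-Mcs-AdmPwdExpirationTime is the legacy LAPS attribute, stored as a FILETIME Int64.
$computers = Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
$now = [DateTime]::UtcNow.ToFileTimeUtc()

$coverage = foreach ($c in $computers) {
    $exp = $c.'ms-Mcs-AdmPwdExpirationTime'
    $state = if (-not $exp)         { 'NotManaged' }   # LAPS client has never written a password
             elseif ($exp -lt $now) { 'Expired' }      # client has not rotated on schedule
             else                   { 'OK' }
    [pscustomobject]@{
        Computer = $c.Name
        State    = $state
        Expires  = if ($exp) { [DateTime]::FromFileTimeUtc($exp) } else { $null }
    }
}

# Only the exceptions are interesting; an empty list means every machine is covered.
$coverage | Where-Object State -ne 'OK' | Format-Table -AutoSize

# 2. Rights: list every principal that can read ms-Mcs-AdmPwd on the OU and its children.
#    Anything beyond the designated LAPS-reader group (and Domain Admins) is a finding.
$readers = Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) {
        [pscustomobject]@{ ObjectDN = $_.ObjectDN; Principal = $holder }
    }
}
$readers | Sort-Object Principal, ObjectDN -Unique | Format-Table -AutoSize
```

Run it from an account that can read the LAPS attributes; where the reader list is wider than intended, Set-AdmPwdReadPasswordPermission from the same module is the supported way to tighten it.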
