I outsource my IT, so surely I don't have to worry about administrative accounts?
Any organisation should remain in control of the admin accounts used to access and manage its systems. This isn't something you should, or would want to, "outsource" completely: these are your most critical accounts, with the most unrestricted access, and the ones that can lead to the biggest disasters if compromised, lost or misused.
Managed Service Providers
Whilst many organisations "outsource" their IT to Managed Service Providers (MSPs) who look after every aspect of administration, you still need to retain control of those accounts: ensure that each engineer at your MSP has their own account (no shared accounts, a basic requirement of Cyber Essentials) and that you know these accounts are being effectively managed and controlled.
Things to check
- Do you review, with the MSP, who at their end has an account?
- Do you check that the MSP has removed any old engineers' accounts (leavers)?
- Is auditing enabled to ensure you know who is accessing systems and making changes?
- Do you have some form of change control in place to ensure that changes are authorised? (Some changes may be pre-authorised, such as patching and password resets; others go through service tickets, with the MSP able to authorise certain types of change; and finally there are changes that require your authorisation as well, such as granting admin access.)
- Do you review those changes periodically, to ensure you retain control over your infrastructure, data and systems and understand what is happening to them?
- Do you require multi-factor authentication where it's available? (Ideally this should be required for all cloud services by January 2023.)
- Do you ensure that your MSP doesn't have a direct link into your network (no always-on VPN connection, for example)?
Account Separation for Users / Admins
Unique Admin Accounts (local or domain)
Internal Admin
If you use an internal team (or an internal team supported by an external one, such as an MSP), you need to follow the same process for management and control.
- No shared accounts (admin or user)
- Administrators only use their admin account for admin changes, generally via elevation rather than logging interactively into the platform they are changing.
- Multi-Factor Authentication where available
- Any "single access" passwords should ideally be protected within a password vault that never exposes the password itself (i.e. several admins can use it securely without anyone actually knowing a password that is, in reality, shared).
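The MSP checklist above and the internal admin list both come down to the same periodic review: who holds privileged access, whether leavers have been removed, and whether any privileged account has no named owner. The PowerShell below is an added example, not code from the original page; it assumes an on-premises Active Directory with the RSAT ActiveDirectory module installed, and the group names, the 90-day inactivity threshold and the use of the Manager attribute as the "named owner" are assumptions to adjust for your environment.

```powershell
# Added example (not from the original page): periodic review of privileged
# accounts against the checklist above. Assumes the RSAT ActiveDirectory module;
# group names, the 90-day threshold and the Manager-as-owner heuristic are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$StaleAfterDays   = 90
$Cutoff           = (Get-Date).AddDays(-$StaleAfterDays)

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so an MSP group nested inside is covered too
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User   = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, Manager, Enabled
            $Issues = @()

            # Leaver check: still privileged but disabled, or no sign-in within the threshold
            if (-not $User.Enabled) {
                $Issues += 'disabled-but-still-privileged'
            } elseif (-not $User.LastLogonDate -or $User.LastLogonDate -lt $Cutoff) {
                $Issues += "no-logon-in-$StaleAfterDays-days"
            }

            # Shared-account heuristic: a privileged account with no named owner
            if (-not $User.Manager) { $Issues += 'no-named-owner' }

            if ($Issues.Count -gt 0) {
                [pscustomobject]@{
                    Group          = $Group
                    SamAccountName = $User.SamAccountName
                    LastLogonDate  = $User.LastLogonDate
                    Issues         = ($Issues -join ', ')
                }
            }
        }
}

# One row per privileged account that needs a decision: remove, re-own or keep
$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Run it as part of the review with your MSP; each row is an account you should be able to explain, and any you can't is a candidate for removal.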
My users need to be admins as well!
This is something we hear a great deal, especially from IT personnel and developers; however, it really isn't the case, and it isn't sensible either.
No-one should have an admin account unless it's absolutely essential, and this includes admin access to their local machine. Why would they need it? You should be managing the applications and software that are installed and in use, so a user doesn't need to make any changes.
If those users (developers/IT) need more "change control" over their machine, we suggest this be delivered using virtual machines (e.g. Oracle VirtualBox, which is free). This gives them an isolated machine instance that cannot talk to the local machine (the device it's running on) and holds none of your data, but does allow them to "test" applications and other systems: in effect, a sandbox. With this method, YOUR corporate data and machines are always safe from harm and fully controlled.
If you have to give individuals local admin access to their machines, ensure that they do not use these accounts on a day-to-day basis and use them only when they need to elevate access for a specific task.