Pam For Windows Workstations White Paper
MANAGEMENT FOR WINDOWS WORKSTATIONS
www.centrify.com
ABOUT CENTRIFY
Centrify is redefining the legacy approach to Privileged Access Management by
delivering cloud-ready Zero Trust Privilege to secure modern enterprise attack
surfaces. Centrify Zero Trust Privilege helps customers grant least privilege access
based on verifying who is requesting access, the context of the request, and the
risk of the access environment. By implementing least privilege access, Centrify
minimizes the attack surface, improves audit and compliance visibility, and reduces
risk, complexity and costs for the modern, hybrid enterprise. Over half of the
Fortune 100, the world’s largest financial institutions, intelligence agencies, and
critical infrastructure companies, all trust Centrify to stop the leading cause of
breaches — privileged credential abuse.
Sidebar: … account? A local admin user. A user (Active Directory or local) account in the
Administrator’s group. An Active Directory Admins group.
Think about what’s on the laptops of the CEO, the HR director, the software architect, or the
CFO in any given organization. This may be information that doesn’t make it to servers, yet is
extremely sensitive and potentially as valuable to a threat actor as data on a file or database server.
For attackers, the path of least resistance in many organizations is the overuse of accounts with
broad and deep privileges on Windows workstations. The unfortunate reality is that workstation
security too often focuses solely on the threat of malware and viruses but ignores the simple threat
Workstation as a Base of Operations
But it gets worse. The threats and risks rarely end at the individual workstation. Threat actors
will use it as a foothold from which to locate additional sensitive information within the broader
corporate network. They might typically wait for the workstation to be network-connected
(internally or through a VPN connection) in order to reconnoiter, scanning the network to create
a map of new candidate systems to breach.
Many open source tools exist to aid in these efforts. Mimikatz, for example, extracts account NTLM
hashes from memory left behind by prior admin login sessions. These hashes can then be used
to move laterally to other systems, looking for more privileged accounts and for sensitive data to
exfiltrate and monetize.
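Detection logic for the lateral movement just described, added here as an example that is not part of the Centrify white paper or its tooling: on the receiving workstation, a shared local Administrator credential (or its NTLM hash) being reused from another host shows up as Windows Security event ID 4624 with LogonType 3 (network), the NTLM authentication package, a remote source address, and a TargetDomainName equal to the machine name rather than the AD domain. The sample records, the host name WS-FINANCE-07, the CONTOSO domain and the account names are all constructed; ConvertFrom-Security4624 shows how live events from Get-WinEvent are shaped into the same fields.

```powershell
# Added example (not from the Centrify white paper): flag network logons that use a
# local account with NTLM from a remote host - the receiving-side signature of a
# shared local Administrator credential or its hash being reused to move laterally.

function Test-SuspiciousLocalAdminLogon {
    param(
        [Parameter(Mandatory)] [string] $TargetUserName,
        [Parameter(Mandatory)] [string] $TargetDomainName,
        [Parameter(Mandatory)] [int]    $LogonType,
        [Parameter(Mandatory)] [string] $AuthenticationPackageName,
        [string] $IpAddress = '-',
        [string] $LocalMachineName = $env:COMPUTERNAME
    )
    # Local (SAM) accounts carry the machine name, not the AD domain, in TargetDomainName.
    $isLocalAccount = $TargetDomainName -ieq $LocalMachineName
    # LogonType 3 = network logon (admin shares, WMI, remote service creation).
    $isNetworkLogon = $LogonType -eq 3
    # A remote logon with a local account cannot use Kerberos, so it arrives as NTLM.
    $isNtlm         = $AuthenticationPackageName -ieq 'NTLM'
    # Empty or loopback source addresses are local activity, not lateral movement.
    $isRemoteSource = $IpAddress -notin @('-', '', '127.0.0.1', '::1')
    return ($isLocalAccount -and $isNetworkLogon -and $isNtlm -and $isRemoteSource)
}

# Shape live 4624 records from Get-WinEvent into the fields the rule above needs.
function ConvertFrom-Security4624 {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated               = $Event.TimeCreated
            TargetUserName            = $data['TargetUserName']
            TargetDomainName          = $data['TargetDomainName']
            LogonType                 = [int] $data['LogonType']
            AuthenticationPackageName = $data['AuthenticationPackageName']
            IpAddress                 = $data['IpAddress']
            WorkstationName           = $data['WorkstationName']
        }
    }
}

# Pass through only the records the rule flags.
function Get-FlaggedLogons {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Event,
        [string] $LocalMachineName = $env:COMPUTERNAME
    )
    process {
        if (Test-SuspiciousLocalAdminLogon -TargetUserName $Event.TargetUserName `
                -TargetDomainName $Event.TargetDomainName -LogonType $Event.LogonType `
                -AuthenticationPackageName $Event.AuthenticationPackageName `
                -IpAddress $Event.IpAddress -LocalMachineName $LocalMachineName) {
            $Event
        }
    }
}

# Constructed sample records for an offline run. WS-FINANCE-07 is a placeholder for the
# workstation whose log is being examined; CONTOSO is a placeholder AD domain.
$sampleEvents = @(
    # Console logon by a domain user - benign
    [pscustomobject]@{ TargetUserName = 'jdoe';          TargetDomainName = 'CONTOSO';       LogonType = 2; AuthenticationPackageName = 'Kerberos';  IpAddress = '-' }
    # Built-in Administrator used over the network with NTLM from another host - flagged
    [pscustomobject]@{ TargetUserName = 'Administrator'; TargetDomainName = 'WS-FINANCE-07'; LogonType = 3; AuthenticationPackageName = 'NTLM';      IpAddress = '10.20.30.45' }
    # Domain service account over the network with Kerberos - not a local account, not flagged here
    [pscustomobject]@{ TargetUserName = 'svc-patch';     TargetDomainName = 'CONTOSO';       LogonType = 3; AuthenticationPackageName = 'Kerberos';  IpAddress = '10.20.30.5' }
    # Local Administrator at the console - not a network logon, not flagged
    [pscustomobject]@{ TargetUserName = 'Administrator'; TargetDomainName = 'WS-FINANCE-07'; LogonType = 2; AuthenticationPackageName = 'Negotiate'; IpAddress = '127.0.0.1' }
)

$sampleEvents | Get-FlaggedLogons -LocalMachineName 'WS-FINANCE-07' | Format-Table -AutoSize

# Against the live Security log (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#     ConvertFrom-Security4624 | Get-FlaggedLogons
```

Only the second sample record is flagged. The rule deliberately ignores domain accounts: a domain admin logging on over the network is a separate policy question, while a local account arriving over the network from another host has almost no legitimate use on a workstation and is the direct consequence of the shared-password practice described later in this paper.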
The diagram below represents a hypothetical attack chain in which a foothold on an end user
workstation could reasonably be the start of an attack. If that end user already has administrative
rights on the workstation – it is often the case that IT grants users local admin rights to their own
machine – then a threat actor who is able to compromise that account gains a powerful initial
foothold.
A typical example is an end user clicking on an email link and visiting a spoofed web site.
Malware is downloaded and, because the user is a local Administrator, the malware executes in
the user’s security context, i.e., with those same local Administrator rights. It is then able to do
whatever the user can: run administrative commands, install software, create backdoor accounts,
access shared drives, exploit vulnerabilities on the system, and so on.
Some IT shops are more judicious and won’t give the user access to this account, so the
workstation is less exposed. When the user needs administrative help, however, the IT helpdesk
team must step in to provide assistance, logging in with that account (or a Domain Administrator
account if the workstation is part of an Active Directory domain).
There’s a dirty little secret about local Administrator accounts in this scenario:
· They’re often assigned the same password on all Windows workstations across the entire
organization to make life easier for IT;
· Their password is often low entropy, i.e., simple and predictable for IT administrators to
remember; and
All this translates to much higher risk for the organization. If the password is phished or its
hash obtained (see Mimikatz above), the attacker can use it to log in with full administrative rights
not only to the phished user’s workstation, but to all other workstations on the network.
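A practical check for the two conditions just described, added here as an example and not drawn from the white paper or Centrify’s tooling: which principals hold local admin rights on a workstation, and whether the built-in Administrator account (RID 500, whatever it has been renamed to) is enabled with a stale password. It uses the standard Microsoft.PowerShell.LocalAccounts cmdlets (PowerShell 5.1 and later, run elevated) and WinRM for the fleet-wide variant; CONTOSO\Workstation Admins and the workstation list are placeholders. The fleet check’s shared-PasswordLastSet heuristic is an assumption of this example: identical timestamps across many machines suggest the password was baked into a disk image rather than set per host.

```powershell
# Added example, not from the Centrify white paper: audit a workstation for end users
# sitting in the local Administrators group and for a built-in Administrator account that
# is enabled with a stale password. Requires Microsoft.PowerShell.LocalAccounts
# (PowerShell 5.1+) and an elevated session. CONTOSO\Workstation Admins is a placeholder.

function Get-UnexpectedLocalAdmins {
    param(
        # Principals permitted to hold local admin rights. Anything else, typically the
        # end user's own domain account, is reported.
        [string[]] $AllowedMembers = @(
            "$env:COMPUTERNAME\Administrator",   # built-in account (should be vaulted)
            'CONTOSO\Workstation Admins'         # placeholder IT admin group
        )
    )
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $AllowedMembers -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Get-BuiltinAdministratorStatus {
    param([int] $MaxPasswordAgeDays = 30)
    # RID 500 identifies the built-in Administrator even if it has been renamed.
    $admin   = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $ageDays = if ($admin.PasswordLastSet) {
        [int] ((Get-Date) - $admin.PasswordLastSet).TotalDays
    } else { $null }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        PasswordAgeDays = $ageDays
        # Enabled with an old or never-set password is the state the paper warns about.
        AtRisk          = $admin.Enabled -and (($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays))
    }
}

# Fleet-wide variant over WinRM. Heuristic (assumption of this example): many hosts with
# the same PasswordLastSet suggest a password that came from a shared image.
function Invoke-FleetAdminAudit {
    param([Parameter(Mandatory)] [string[]] $Workstations)
    $results = Invoke-Command -ComputerName $Workstations `
        -ScriptBlock ${function:Get-BuiltinAdministratorStatus} -ErrorAction SilentlyContinue
    $results | Group-Object PasswordLastSet | Where-Object Count -gt 1 | ForEach-Object {
        Write-Warning ('{0} hosts share PasswordLastSet {1}: {2}' -f
            $_.Count, $_.Name, ($_.Group.ComputerName -join ', '))
    }
    $results
}

# Local run on this workstation:
Get-UnexpectedLocalAdmins | Format-Table -AutoSize
Get-BuiltinAdministratorStatus | Format-List

# Fleet run (placeholder host names):
# Invoke-FleetAdminAudit -Workstations @('WS-FINANCE-07', 'WS-HR-02', 'WS-ENG-114') |
#     Where-Object AtRisk | Format-Table ComputerName, Name, Enabled, PasswordAgeDays
```

On a workstation where the end user has been granted local admin rights, Get-UnexpectedLocalAdmins returns that user’s domain account; an empty result is the least-privilege state the rest of this paper argues for. Get-LocalGroupMember can fail on some builds when the group contains an orphaned SID, which is why the call uses -ErrorAction Stop rather than silently returning a partial list.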
The answer to this issue is privileged access management (PAM) for workstations. This technology
is not very different from its equivalent on servers – PAM technology that you may already have
in place. However, there are a few nuances specific to workstations that don’t typically affect
servers.
One is scale – workstations often outnumber servers by an order of magnitude, with hundreds or
thousands of workstations to manage. So being able to centralize policies, roles, rights,
and administration is essential to avoid IT operational overhead, reduce privilege creep, and
ensure comprehensive security coverage.
Another is offline state: while servers are part of IT infrastructure and typically network-connected
at all times, workstations are often more mobile and off the network. The PAM controls must
remain equally effective in this situation.
Centrify Privilege Elevation Service (PES) in combination with Centrify Privileged Access Service
(PAS) enables you to control and secure the local administrator account on your organization’s
Windows workstations using the principle of least privilege. Least privilege is a simple concept but
unfortunately, it’s rarely followed. The impact of applying it correctly, however, greatly increases
security posture and reduces risk.
Diagram 2
Diagram 3
one that reflects, say, their internal departmental structure, their geographic
locations, or perhaps puts very sensitive resources (e.g., regulated systems
such as those in PCI-DSS scope) into their own Centrify Zone, one that has highly
restrictive controls around their access. It also supports inheritance, so that more
generic roles, defined at a high level in the hierarchy, are inherited by
all the Centrify Zones below it. This greatly improves security, reduces
administration, avoids duplication, and provides organizations with a much
cleaner governance and delegation model. (Diagram 4)
IT can manage these Centrify roles and rights from within Active Directory or
more conveniently, through Centrify’s UI – a Microsoft Management Console
snap-in that gives admins the same look and feel as the native AD tooling.
Offline Login
For a Centrify-managed workstation that is domain-joined or enrolled in the Centrify Privileged
Access Service (PAS), supporting offline login ensures availability of the workstation. Offline login
is used when the workstation can’t communicate with its domain controller or Centrify PAS; without
it, the end result is that the user can’t log in to the workstation. (Diagram 8)
Diagram 8
Diagram 9
· Lock down all admin accounts by vaulting them in Centrify Privileged Access Service.
· Never allow use of vaulted admin accounts except in emergency break-glass situations.
· Leverage privilege elevation where necessary for end users and IT admins.
· Leverage access request tooling and workflow within Identity Governance and Administration
(e.g., SailPoint) or IT Service Management (e.g., ServiceNow) to grant temporary privileges.
· Follow a defense in depth approach to security. This means, for example, layering Centrify on top
of Endpoint Protection Platform technologies and Microsoft AppLocker for whitelisted application
execution controls.
Centrify Privilege Elevation Service delivers the flexibility IT needs while providing the security the
organization demands. This enables you to control the elevated permissions for desktop users as
part of your organization’s privileged access management program.