The Microsoft security team shares its recommendations on when, how and where administrator accounts should be used

In a recent post on Microsoft's blog, the company's security team shared some tips for improving identity management within enterprises: practices they themselves follow on their own internal network and recommend to their customers.

Although these tips are aimed at enterprise networks, they are still useful and informative for any user, especially when it comes to administrator accounts, which a large share of Windows users use so freely.

3 investments Microsoft is making to improve identity management

  • Microsoft Security Team

As a large enterprise with global reach, Microsoft has the same security risks as its customers. We have a distributed, mobile workforce who access corporate resources from external networks. Many individuals struggle to remember complex passwords or reuse one password across many accounts, which makes them vulnerable to attackers. As Microsoft has embraced digital transformation for our own business, we shifted to a security strategy that places strong employee identities at the center. Many of our customers are on a similar journey and may find value in our current identity management approach.

Our goal is to reduce the risk of compromised identity and empower people to be efficient and agile whether they’re on our network or not.

Our identity management solutions focus on three key areas:

  • Securing administrator accounts
  • Eliminating passwords
  • Simplifying identity provisioning

Read on for more details for each of these investment areas, advice on scaling your investment to meet your budget, and a wrap-up of some key insights that can help you smoothly implement new policies.

Securing administrator accounts

Our administrators have access to Microsoft’s most sensitive data and systems, which makes them a target of attackers. To improve protection of our organization, it’s important to limit the number of people who have privileged access and implement elevated controls for when, how, and where administrator accounts can be used. This helps reduce the odds that a malicious actor will gain access.

There are three practices that we advise:

  • Secure devices—Establish a separate device for administrative tasks that is updated and patched with the most recent software and operating system. Set the security controls at high levels and prevent administrative tasks from being executed remotely.
  • Isolated identity—Issue an administrator identity from a separate namespace or forest that cannot access the internet and is different from the user’s information worker identity. Our administrators are required to use a smartcard to access this account.
  • Non-persistent access—Provide zero rights by default to administration accounts. Require that they request just-in-time (JIT) privileges that give them access for a finite amount of time and log it in a system.

Budget allocations may limit the amount that you can invest in these three areas; however, we still recommend that you do all three at the level that makes sense for your organization. Calibrate the level of security controls on the secure device to meet your risk profile.

Eliminating passwords

The security community has recognized for several years that passwords are not safe. Users struggle to create and remember dozens of complex passwords, and attackers excel at acquiring passwords through methods like password spray attacks and phishing. When Microsoft first explored the use of Multi-Factor Authentication (MFA) for our workforce, we issued smartcards to each employee. This was a very secure authentication method; however, it was cumbersome for employees. They found workarounds, such as forwarding work email to a personal account, that made us less safe.

Eventually we realized that eliminating passwords was a much better solution. This drove home an important lesson: as you institute policies to improve security, always remember that a great user experience is critical for adoption.

Here are steps you can take to prepare for a password-less world:

  • Enforce MFA—Conform to the fast identity online (FIDO) 2.0 standard, so you can require a PIN and a biometric for authentication rather than a password. Windows Hello is one good example, but choose the MFA method that works for your organization.
  • Reduce legacy authentication workflows—Place apps that require passwords into a separate user access portal and migrate users to modern authentication flows most of the time. At Microsoft only 10 percent of our users enter a password on a given day.
  • Remove passwords—Create consistency across Active Directory and Azure Active Directory (Azure AD) to enable administrators to remove passwords from the identity directory.
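The "reduce legacy authentication workflows" step is easier to act on with a measurement: which apps are still reached over password-only protocols, and what share of users typed a password on a given day (the figure Microsoft quotes for itself). The following is an added example, not code from the original post or from Microsoft; the sign-in export, its column names and the protocol labels are constructed for illustration and do not follow any real Azure AD log schema.

```python
"""Measure progress toward password-less sign-in: parse a constructed sign-in
export, flag apps still used over legacy (password-only) protocols, and
compute the share of users who entered a password on each day."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set

# Constructed sign-in export. Columns and values are hypothetical.
SIGNINS = """date,user,app,auth_method,client_protocol
2024-03-04,alice,Outlook,fido2,modern
2024-03-04,bob,LegacyERP,password,basic
2024-03-04,carol,Teams,windows_hello,modern
2024-03-04,dave,Mailbox,password,imap
2024-03-04,alice,LegacyERP,password,basic
2024-03-04,erin,SharePoint,fido2,modern
2024-03-05,alice,Outlook,fido2,modern
2024-03-05,bob,LegacyERP,password,basic
2024-03-05,carol,Teams,windows_hello,modern
2024-03-05,dave,Mailbox,windows_hello,modern
2024-03-05,erin,SharePoint,fido2,modern
"""

# Protocols that cannot carry MFA and therefore always end in a password.
LEGACY_PROTOCOLS = {"basic", "imap", "pop3", "smtp_auth"}


def parse(text: str) -> List[dict]:
    """Read the CSV export into one dict per sign-in event."""
    return list(csv.DictReader(StringIO(text)))


def password_users_per_day(rows: List[dict]) -> Dict[str, float]:
    """Percent of distinct users who entered a password at least once that day."""
    all_users: Dict[str, Set[str]] = defaultdict(set)
    pw_users: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        all_users[r["date"]].add(r["user"])
        if r["auth_method"] == "password":
            pw_users[r["date"]].add(r["user"])
    return {
        day: round(100.0 * len(pw_users[day]) / len(all_users[day]), 1)
        for day in all_users
    }


def legacy_apps(rows: List[dict]) -> Dict[str, Set[str]]:
    """Apps still reached over legacy protocols, with the users affected.
    These are the candidates for the separate access portal the post mentions."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["client_protocol"] in LEGACY_PROTOCOLS:
            found[r["app"]].add(r["user"])
    return dict(found)


if __name__ == "__main__":
    events = parse(SIGNINS)
    print("password users per day:", password_users_per_day(events))
    print("legacy apps:", legacy_apps(events))
```

Run against a real export, the per-day percentage is the number to watch trend downward, and the legacy-app table tells you which applications to move behind the separate portal first.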

Simplifying identity provisioning

We believe the most underrated identity management step you can take is to simplify identity provisioning. Set up your identities with access to exactly the right systems and tools. If you provide too much access, you put the organization at risk if the identity becomes compromised. However, under-provisioning may encourage people to request access for more than they need in order to avoid requesting permission again.

We take these two approaches:

  • Set up role-based access—Identify the systems, tools, and resources that each role needs to do their job. Establish access rules that make it easy to give a new user the right permissions when you set up their account or they change roles.
  • Establish an identity governance process—Make sure that as people move roles they don’t carry forward access they no longer need.
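Both items above reduce to one rule: an account's entitlements are derived from its role, and anything the role does not justify is revoked, including access carried over from a previous role. The following is an added example, not code from the original post or from Microsoft; the role catalogue, the entitlement names and the directory snapshot are constructed for illustration.

```python
"""Role-based provisioning plus an access-review pass: entitlements are
computed from role, a role change yields a grant/revoke list, and a review
lists every entitlement a role does not explain."""
from typing import Dict, Set, Tuple

# Constructed role catalogue; system names are hypothetical.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "developer": {"git-read", "git-write", "ci-run"},
    "support": {"ticketing", "customer-db-read"},
    "finance": {"ledger-read", "ledger-write"},
}


def desired_access(role: str) -> Set[str]:
    """Exactly the entitlements the role needs; an unknown role gets nothing."""
    return set(ROLE_ENTITLEMENTS.get(role, set()))


def reconcile(current: Set[str], role: str) -> Tuple[Set[str], Set[str]]:
    """Return (to_grant, to_revoke) that bring an account to its role's access.
    Used both for a new hire (current is empty) and for a role change."""
    target = desired_access(role)
    return target - current, current - target


def access_review(accounts: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Governance check over the whole directory: for each account
    (role, entitlements held), report the entitlements its role does not justify."""
    findings: Dict[str, Set[str]] = {}
    for name, (role, held) in accounts.items():
        excess = held - desired_access(role)
        if excess:
            findings[name] = excess
    return findings


def demo() -> dict:
    # Constructed directory snapshot: carol moved from support to finance but
    # kept her old entitlements; dave holds one-off access nobody reviewed.
    directory = {
        "carol": ("finance", {"ticketing", "customer-db-read", "ledger-read"}),
        "dave": ("developer", {"git-read", "git-write", "ci-run", "ledger-write"}),
        "erin": ("support", {"ticketing", "customer-db-read"}),
    }
    role, held = directory["carol"]
    grant, revoke = reconcile(held, role)
    return {
        "carol_grant": grant,
        "carol_revoke": revoke,
        "review": access_review(directory),
        "new_hire": desired_access("developer"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The review function is the piece most organisations skip: running it on a schedule is what turns "we set up role-based access" into the lifecycle management the post recommends.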

Establishing the right access for each role is so important that if you are only able to follow one of our recommendations, focus on identity provisioning and lifecycle management.

What we learned

As you take steps to improve your identity management, keep in mind the following lessons Microsoft has learned along the way:

  • Enterprise-level cultural shifts—Getting the technology and hardware resources for a more secure enterprise can be difficult. Getting people to modify their behavior is even harder. To successfully roll out a new initiative, plan for enterprise-level cultural shifts.
  • Beyond the device—Strong identity management works hand-in-hand with healthy devices.
  • Security starts at provisioning—Don’t put governance off until later. Identity governance is crucial to ensure that companies of all sizes can audit the access privileges of all accounts. Invest early in capabilities that give the right people access to the right things at the right time.
  • User experience—We found that if you combine user experience factors with security best practices, you get the best outcome.

The administrator account should not have Internet access

Microsoft explains that its system administrators have access to the most sensitive data on its systems, which makes them the primary target for attackers. That is why, in its organization and in any other, it is important to limit the number of people with elevated access privileges, as well as to control where, how and when administrator accounts can be used.

The company recommends three primary practices. The first is to set up a separate device for administrative tasks, and to keep that device always updated and patched with the most recent software and operating system. Another important detail is that security controls on it be set high and that administrative tasks be prevented from being executed remotely.

The second is to isolate the administrator's identity: the identity of those users must be created in a separate namespace that cannot access the Internet and that is also different from the employee's own identity.

And finally, there should be no persistent access: administrator accounts should have no privileges by default. Microsoft recommends requiring those accounts to request JIT (just-in-time) privileges, which grant access for a finite amount of time and are also recorded in a system.
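The "non-persistent access" practice from the "Securing administrator accounts" list and its restatement in the closing paragraph above describe the same mechanism: zero standing rights, a request for a time-boxed grant, automatic expiry, and an audit record of every step. The following is an added example of that mechanism in miniature, not code from the original post or from Microsoft's own JIT tooling; the account names, role names, duration caps and ticket reference are constructed for illustration.

```python
"""Minimal just-in-time (JIT) privilege broker: accounts hold no rights by
default, request a role for a bounded time, lose it automatically when the
grant expires, and every decision is written to an audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed eligibility policy: which admin identities may request which
# roles, and the longest grant each role allows. Names are hypothetical.
ELIGIBLE: Dict[str, Set[str]] = {
    "adm-alice": {"ServerOperators", "DomainAdmins"},
    "adm-bob": {"ServerOperators"},
}
MAX_DURATION: Dict[str, timedelta] = {
    "ServerOperators": timedelta(hours=4),
    "DomainAdmins": timedelta(hours=1),
}


@dataclass
class Grant:
    account: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class JitBroker:
    clock: Callable[[], datetime]          # injected so expiry is testable
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)

    def _audit(self, message: str) -> None:
        self.audit_log.append((self.clock(), message))

    def request(self, account: str, role: str, minutes: int, justification: str) -> Optional[Grant]:
        """Issue a time-boxed grant, or refuse and record the reason."""
        now = self.clock()
        if role not in ELIGIBLE.get(account, set()):
            self._audit(f"DENY {account} role={role}: not eligible")
            return None
        requested = timedelta(minutes=minutes)
        if requested <= timedelta(0) or requested > MAX_DURATION[role]:
            self._audit(f"DENY {account} role={role}: {minutes}m outside policy")
            return None
        if not justification.strip():
            self._audit(f"DENY {account} role={role}: missing justification")
            return None
        grant = Grant(account, role, now + requested, justification)
        self.grants.append(grant)
        self._audit(f"GRANT {account} role={role} until={grant.expires_at.isoformat()} why={justification}")
        return grant

    def active_roles(self, account: str) -> Set[str]:
        """Effective rights right now: only unexpired grants count."""
        self._expire()
        return {g.role for g in self.grants if g.account == account}

    def _expire(self) -> None:
        """Drop grants whose time is up, logging each expiry."""
        now = self.clock()
        still_valid = []
        for g in self.grants:
            if g.expires_at <= now:
                self._audit(f"EXPIRE {g.account} role={g.role}")
            else:
                still_valid.append(g)
        self.grants = still_valid


def demo() -> dict:
    """Request, use and expiry of a grant under a controllable clock."""
    now = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    broker = JitBroker(clock=lambda: now[0])
    before = broker.active_roles("adm-alice")                     # nothing by default
    broker.request("adm-alice", "DomainAdmins", 30, "ticket INC-1234 (constructed)")
    during = broker.active_roles("adm-alice")
    not_eligible = broker.request("adm-bob", "DomainAdmins", 30, "curious")
    too_long = broker.request("adm-alice", "DomainAdmins", 90, "needs more time")
    now[0] += timedelta(minutes=31)                                # past the 30-minute grant
    after = broker.active_roles("adm-alice")
    return {
        "before": before, "during": during, "after": after,
        "denied": not_eligible is None and too_long is None,
        "audit_entries": len(broker.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks worth copying into any real implementation are the per-role duration cap, so a "finite amount of time" cannot be stretched into standing access, and the audit line on denial as well as on grant, since a refused elevation request is itself a signal a security operations team wants to see.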