Rake Narang: What types of things are auditors looking for when they drill into the level of security risks of privilege creep?
Leonid Shtilman: Any privileges you hand out should be controlled and you should hand those out very judiciously. Auditors require a method for companies to regularly report who has both domain and local administrative privileges and a system that can remove these privileges if they are not needed.
At a minimum, the use of these higher-level privileges should always be audited. Whenever someone uses their administrative-level privileges, you should always know that and be able to track and report on how privileges are used. For example, when an administrator creates a policy or uses his privileges to create an account, there should be a corresponding audit log that tracks the administrator’s actions and activity. This way, audit teams gain a clear understanding of which privileges are being utilized by the IT team. During a corporate audit, it is critical to have the ability to identify the administrators who are enforcing your privilege policy rules.
A typical use case could be an ex-employee system admin whose domain account is disabled and/or removed from the Domain Administrators group. Auditors have learned that this isn’t always the case with local administrator accounts, and a disabled domain account won’t prevent an IT administrator from logging into a system with a known local administrator account. Auditors are looking to protect organizations from this loophole that exploits administrative rights on laptops and desktops and, through that path, gains a position to infiltrate servers.
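An added example of the audit check described above (not the interviewee's or Viewfinity's code): it enumerates the local Administrators group on domain workstations and flags members an auditor would question, including disabled domain accounts that are still local admins and unapproved local accounts. It assumes the ActiveDirectory module, WinRM access to the targets, and a constructed domain (CONTOSO), OU path and allow-lists.

```powershell
# Added example, not the tool discussed in the interview. Assumes the
# ActiveDirectory module and WinRM on the targets; domain, OU and the
# allow-lists below are constructed placeholders.
Import-Module ActiveDirectory

# Principals expected to hold local admin rights (constructed).
$ApprovedLocal  = @('Administrator')                    # built-in local account
$ApprovedDomain = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')

$Computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Workstations,DC=contoso,DC=com' |
    Select-Object -ExpandProperty Name

# Collect local Administrators membership from every reachable computer.
$Members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }},
                      Name, ObjectClass, PrincipalSource
}

# Classify each member; only findings that need review are emitted.
foreach ($m in $Members) {
    $short  = ($m.Name -split '\\')[-1]      # strip COMPUTER\ or DOMAIN\ prefix
    $reason = $null

    if ($m.PrincipalSource -eq 'Local') {
        # Local accounts keep working after the domain account is disabled.
        if ($short -notin $ApprovedLocal) { $reason = 'Unapproved local account' }
    }
    elseif ($m.Name -in $ApprovedDomain) { continue }
    elseif ($m.ObjectClass -eq 'User') {
        $ad = Get-ADUser -Identity $short -Properties Enabled -ErrorAction SilentlyContinue
        if (-not $ad)             { $reason = 'Domain account not found (orphaned SID?)' }
        elseif (-not $ad.Enabled) { $reason = 'Disabled domain account still local admin' }
        else                      { $reason = 'Direct user grant, not via approved group' }
    }
    else { $reason = 'Unapproved group' }

    if ($reason) {
        [pscustomobject]@{
            Computer = $m.Computer; Member = $m.Name
            Source   = $m.PrincipalSource; Reason = $reason
        }
    }
}
```

Pipe the output to Export-Csv to produce the periodic report auditors ask for, and re-run it after each offboarding to confirm the local-account loophole is closed.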
Rake Narang: Do you have any benchmark statistics you can share regarding how privilege creep “creeps” up on companies?
Leonid Shtilman: This information isn’t easy to come by purely due to the nature of privilege creep – all too often it’s difficult for companies to keep track of who they’ve given rights back to. Nonetheless, we were curious about this ourselves so we decided to informally survey IT administrators who had downloaded our free tool that discovers user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain. The survey showed that after running the Viewfinity Local Admin Discovery tool, 36.4% of the respondents found between 15-25% had local admin rights and 23% of the respondents found that over 50% had local admin rights. The analysis also revealed the statistics shown below as related to privilege creep in the context of Local Administrator Rights: