Logical Access Control – Least Privilege
If you plan on taking the Security+ exam you should have a good understanding of the various logical access controls including the principle of least privilege. These controls restrict access to the logical network as opposed to restricting access to the physical areas of a building or physical access to devices within the network.
This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.
The principle of least privilege is an example of a technical control that uses access controls. Privileges are the rights and permissions assigned to users. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more. For example, if Joe needs to print to a printer, you should grant him print permission for that printer, but nothing else.
This principle also applies to administrators. Not every IT administrator needs full administrative rights on every device within the network. If an administrator only needs to be able to review logs and update specific network devices, the administrator should be given appropriate access to these logs and devices, and no more.
Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.
A colleague shared an extreme example of how this principle was violated where he worked. He was the lone IT administrator, and no matter how much he asked for help, his boss was never able to get him additional staff. The company grew, and he found he was fielding many complaints because users didn’t have the access they needed. He knew he needed to improve the administrative model with groups and roles, but he just didn’t have enough time.
The users complained to his boss, who then put pressure on him. The boss’s direction was simply: “Fix this problem!”
Ultimately, he put all the users into the Domain Admins group. In a Windows Active Directory domain, the Domain Admins group has full rights and permissions to do anything and everything in a domain. Suddenly, all the users had full privileges. This was the equivalent of lighting the fuse on a time bomb. It would only be a matter of time before users purposely or accidentally caused problems with their newfound permissions.
Ironically, his boss was happy because the users stopped complaining. I heard from him a couple of months later. One of the users found payroll data on the network and discovered the salaries of other employees. It spread through the company quickly and caused a significant amount of infighting. At that point, his boss’s boss wasn’t very happy.
It takes a little time and effort to implement role-based access control with groups. However, it reduces overall administration and helps to implement the principle of least privilege.
Security+ Study Resources
Pass the Security+ exam the first time you take it with the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
|You’ll be ready to take and pass the exam the first time you take it.|