What is secure system administration
Secure system administration allows organisations to be resilient in the face of targeted cyber intrusions by protecting administrator workstations and accounts from compromise, as well as making adversary movement throughout a network more difficult. If a secure system administration environment withstands a targeted cyber intrusion, incident response will be far more agile, the damage will be limited and remediation work will be completed faster.
Secure system administration of cloud services
Secure system administration of cloud services brings unique challenges when compared to the secure administration of on-premise assets. Notably, responsibility for system administration of cloud services is often shared between service providers and organisations. As the technology stack and secure administration processes implemented by service providers are often opaque to organisations, organisations should consider a service provider’s control plane to operate within a different security domain. As such, the security controls below may require adjustment.
The use of the same credentials on both an administrator workstation and a user workstation puts the administrator workstation at risk of compromise if the user workstation is compromised. The table below provides clarification on the use of different accounts.
Regular User Account
Unprivileged Administration Account
Privileged Administration Account
Used for web and email access
Used for day-to-day non-administrative tasks
Used for authentication to dedicated administrator workstation
Used for authentication to jump server(s)
Used for performance of administration tasks
Different username and passphrase to regular user account
Different username and passphrase to regular user account
System administration process and procedures
A key component of secure system administration is ensuring that privileged actions are performed using an approved system administration process supported by system administration procedures. This will ensure that privileged actions are undertaken in a repeatable and accountable manner.
Security Control: 0042; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS
A system administration process, with supporting system administration procedures, is developed and implemented.
Separate administrator workstations
One of the greatest threats to the security of a network as a whole is the compromise of a workstation used for administration activities. Providing a physically separate hardened administrator workstation to privileged users, in addition to their workstation used for unprivileged user access, provides greater assurance that privileged activities and credentials will not be compromised.
Using different physical machines is considered the most secure solution to separate workstations; however, a risk-based approach may determine that a virtualisation-based solution is sufficient. In such cases, the unprivileged user environment should be the ‘guest’ and the administrative environment should be the ‘host’.
Security Control: 1380; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Privileged users use a dedicated administrator workstation when performing privileged tasks.
Security Control: 1382; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations.
Security Control: 1381; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities.
Security Control: 1383; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened.
Dedicated administration zones and communication restrictions
Administration security can be improved by segregating administrator workstations from the wider network. This can be achieved a number of ways, such as via the use of Virtual Local Area Networks, firewalls, network access controls and Internet Protocol Security Server and Domain Isolation.
It is recommended that segmentation and segregation be applied regardless of whether privileged users have physically separate administrator workstations or not.
Security Control: 1385; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Administrator workstations are placed into a separate network zone to user workstations.
Restriction of management traffic flows
Limiting the flow of management traffic to only those network elements and segments explicitly required to communicate with each other can reduce the consequences of a network compromise and make it easier to detect if it does occur.
Although user workstations will have a need to communicate with critical assets such as web servers or domain controllers in order to function, it is highly unlikely that they will need to send or receive management traffic (such as Remote Desktop Protocol [RDP], Secure Shell [SSH] and similar protocols) to these assets.
The following diagram outlines how management traffic filtering could be implemented between a network comprising different network zones. The only flows of management traffic allowed are those between the ‘Administrator Workstation Zone’ and the ‘Jump Server Zone’ as well as the ‘Jump Server Zone’ and the ‘Critical Asset Zone’. All other traffic is blocked as there is no reason for management traffic to flow between the other network zones.
Security Control: 1386; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Management traffic is only allowed to originate from network zones that are used to administer systems and applications.
A jump server (also known as a jump host or jump box) is used to manage important or critical resources in a separate security domain. The use of jump servers as a form of ‘management proxy’ can be an effective way of simplifying and securing privileged activities. Implementing a jump server can yield the following benefits:
- an efficient and effective focal point to perform multi-factor authentication
- a single place to store and patch management tools
- simplified implementation of management traffic filtering
- a focal point for logging, monitoring and alerting.
In a typical scenario, if a privileged user wanted to perform administrative activities they would connect directly to the target server using RDP or SSH. However, in a jump server setup the privileged user would first connect and authenticate to the jump server, then RDP, SSH, or use remote administration tools to access the target server.
When implementing a jump server, it is recommended that organisations implement multi-factor authentication, enforce strict device communication restrictions, and harden administrative infrastructure, otherwise a jump server will yield little security benefit.
Security Control: 1387; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
All administrative actions are conducted through a jump server.
Security Control: 1388; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities.
Further information on the use of privileged accounts can be found in the access to systems and their resources section of the Guidelines for Personnel Security.
Further information on multi-factor authentication for system administration can be found in the authentication hardening section of the Guidelines for System Hardening.
Further information on network segmentation can be found in the network design and configuration section of the Guidelines for Networking.
Further information on secure system administration can be found in the Australian Cyber Security Centre (ACSC)’s Secure Administration publication at https://www.cyber.gov.au/acsc/view-all-content/publications/secure-administration.
Further information on mitigating the use of stolen credentials can be found in the ACSC’s Mitigating the Use of Stolen Credentials publication at https://www.cyber.gov.au/acsc/view-all-content/publications/mitigating-the-use-of-stolen-credentials.
Further information can also be found in Microsoft’s Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, Version 1 and 2 publication at https://www.microsoft.com/en-au/download/confirmation.aspx?id=36036.