
Secure Administration

This publication provides guidance on how to securely administer Microsoft Windows-based environments within an organisation.

First published 2014; updated 2015 and January 2019

Introduction

Privileged access allows administrators to perform their duties such as establishing and making changes to key servers, networking devices, user workstations and user accounts. Privileged access or credentials are often seen as the ‘keys to the kingdom’ as they allow the bearers to have access and control over many different assets within a network.

Privileged access is often a key goal of an adversary. An adversary can use privileged access to:

  • propagate malware to multiple workstations and servers
  • add new user accounts, including privileged accounts
  • bypass security controls for applications, databases and file servers
  • implement configuration changes to make future access easier.

Given the scale and complexity of enterprise networks, it is reasonable to assume that at least one standard user account and workstation within an organisation's internet-connected network could be compromised by an adversary. As administrator accounts often have unrestricted access to critical resources, this document focuses on protecting sensitive accounts and resources from an adversary who has gained a presence on a network.

This document is designed to complement and expand upon the guidance contained within the Australian Government Information Security Manual (ISM).

Secure administration and the cloud

The primary intent of this document is to secure the administration of traditional corporate network assets, such as domain controllers and application servers, as well as the infrastructure used for the administration of these assets.

Administration of cloud-based infrastructure, systems and applications brings different challenges and may require a different approach. As such, not all security controls within this document may be directly applicable to the administration of cloud assets and may require assessment and adjustment before being applied to infrastructure used for cloud administration.

Throughout the document, the security controls will contain guidance on applying the recommendation within a cloud environment.

Table of contents

  • Introduction
    • Rationale for implementing secure administration
    • Elements of secure administration
  • Privileged access control
    • Considerations when administering a cloud environment
  • Multi-factor authentication
    • Considerations when administering a cloud environment
  • Privileged workstations
    • Dedicated privileged workstations
    • The use of virtualisation to achieve dedicated workstations
    • Hardening privileged workstations
    • Considerations when administering a cloud environment
  • Logging and auditing
    • Considerations when administering a cloud environment
  • Network segmentation and segregation
    • Considerations when administering a cloud environment
  • Jump boxes
    • Considerations when administering a cloud environment
  • Further information
  • Contact details

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.

The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

If your network is based on Microsoft Windows and Active Directory, the following two Microsoft documents contain advice relevant to many parts of this publication:

For further advice related to cloud computing, see Cloud Computing Security for Tenants.

For further advice on implementing network segmentation and segregation, see Implementing Network Segmentation and Segregation.

For further advice on the benefits of multi-factor authentication and implementation considerations, see Implementing Multi-Factor Authentication.

For further advice on the Protected Users group (applicable to Windows 8.1 and Windows Server 2012 R2 onwards), see Microsoft: Protected Users Security Group.

For further advice on Managed Service Accounts (applicable to Windows 7 and Windows Server 2008 R2 onwards), see Microsoft: Managed Service Accounts.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

Date
January 4th, 2019