Active Directory (AD) is the foundation of managing identities, provisioning users and issuing permissions to network resources. These permissions range from the lowest levels of access to the highest levels of admin rights for privileged users. While having control over these permission levels is useful, organizations can open themselves up to serious vulnerabilities if they don’t manage the permission levels carefully. If an attacker can gain admin-level access to an Active Directory instance, they can move between any AD-connected systems, and have access to critical or proprietary data. One of the best ways to defend against that threat and better manage admin permissions is just-in-time privileged access. In today’s world, organizations shouldn’t think in terms of if a breach will happen to them, but when.
Without just-in-time privileged access, your organization could be vulnerable to several hazards.
What is just-in-time (JIT) privileged access?
Just-in-time privileged access is temporarily elevated privileges extended to users who need access to systems or applications on an as-needed basis or for a limited amount of time.
To better illustrate, imagine just-in-time privileges as a hotel. The hotel room that users need access to is ready to go. This ‘‘room’’ could be something like a high-level application or database.
Admins don’t want to be constantly on call to unlock the door to a room anytime someone needs access. Like a hotel, users ‘check in’ and have their identity verified and a keycard issued. The keycard is programmed for that user’s identity to go and ‘unlock’ the door to the hotel room.
When the user has completed their stay, the keycard access is revoked and deleted when the user has checked out. Access to the room still exists, but their keycard no longer works.
For anyone else looking to get permission to access the hotel room, their identity must be checked and authenticated before receiving a keycard with individualized credentials.
Organizations without just-in-time privileged access
Many companies currently operate without just-in-time privileged access. While they may not have experienced any issues or breaches to date, that doesn’t mean something may not happen in the future. Zero Trust assumes that no entity inside or outside the network should be implicitly trusted. Additionally, according to the principle of least privilege, users should only have the bare minimum necessary permissions to complete their daily tasks. No more, no less.
So what hazards do organizations face if they don't have just-in-time privileged access in place?
Hazard 1. Expanded attack surfaces
By default, AD authenticated users with no assigned privileges can see nearly everything within an AD instance. These users can see which accounts are privileged, and as a result, quickly determine which accounts can be exploited to best take advantage of an enterprise.
Privileged accounts in groups that can own anything or are embedded in select groups—Domain Admins, Enterprise Admins, Schema Admins—and are a primary AD attack target. In any attack, this path of determination is often known as the ‘enumeration’ phase.
Users with permanent privileges expand the attack surface because they have standing privileges to these high-level accounts. Just-in-time privileges can help eliminate this expanded attack surface by only issuing temporary permissions when the users need it.
Hazard 2. Limited visibility and accountability into potentially compromised privileged usage
Separation of duties is incredibly important for every identity that needs access to privileged systems. As a best practice, organizations must define the roles and tasks that require those high-level rights. The credentials used for accessing high-level surfaces should not be the same as those used for daily activities.
As a result, those high-level accounts are subject to auditing, policies and event logs. However, many admins are in the habit of using their higher-level accounts for daily tasks. They prefer unrestricted access to the items they need and are confident that the account hasn’t been compromised. But how can they be sure the account is secure if the higher-privileged account is their daily profile?
Attackers can and will take advantage of locally cached and stored credentials for new systems connected to Active Directory. Even if Multi-Factor Authentication (MFA) is required, a bad actor can mine for these hashes and use this vulnerability to sign in to highly privileged accounts.
In this instance, it will simply look like the AD admin is logged in on the account rather than a malicious attacker.
Just-in-time privileged access only issues higher levels of permissions when they are needed. As soon as they are not needed, the privilege levels of the accounts are taken away. Even if an account is compromised, attackers won’t be able to further access privileges to valuable accounts.
Hazard 3. Inefficient manual workflows that increase vulnerability and consume resources
The typical steps most individuals need to follow to get privileged access require manual intervention. At its core, these manual processes introduce more vulnerabilities rather than enhanced security. By requiring other teams, like security or management, to issue approvals, it increases the time spent waiting for permissions to be granted and introduces an additional opportunity for attackers to exploit.
Just-in-time privileges can automate access to users who need regularly elevated permissions by requiring their user identity to meet pre-determined criteria. It eliminates the risks introduced by adding another person into the process and the need for security teams or management to manually issue access approvals.
Hazard 4. Standing privileges that increase the risk of compromise
Large groups of users with standing privileged access are a huge risk to organizations. If a user has high-level privileges in an ‘always-on’ state, it can open a business up to adverse events if compromised.
To their credit, large AD-centric organizations will frequently audit their highly-privileged groups to limit the number of users with standing privileges. It is obviously important to be aware of who owns the accounts in these groups and to reduce vulnerability by keeping group membership to a bare minimum. Especially because users with static, highly-privileged accounts can decide to modify anyone’s access, such as granting a co-sysadmin the same access.
However, this membership with standing privileges can quickly expand beyond reasonable sizes if organizations don’t monitor it closely. If you take a hard look at who actually needs what in the highly-privileged groups, those standing privileges aren’t often necessary.
Just-in-time privilege only populates privileged group membership when privileges are in use, limiting the number of users with standing privileges. With that change, organizations and auditors will now be able to see not only who has access to privileged AD accounts, but who has used these privileges over time.
Hazard 5. Static credential risks
Organizations that guard access to critical surfaces with static credentials put themselves in an incredibly vulnerable position. If attackers can intercept those static credentials, they’ll have free reign to take advantage of whatever privileged surfaces are available to them.
Just-in-time privileged access lowers the risk of compromised static credentials as accounts and passwords can be reshuffled, created or disabled. Even if an attacker gains access via a rotating credential or password, their access can be revoked or will become invalid after a set amount of time. For example, image a hotel maintenance worker needs ‘privileged’ access to a room. They use a hotel keycard to get into the room when they do the maintenance, maybe when the room is available, but after the maintenance is complete, their hotel keycard will no longer allow access.
In all fairness, these hazards can exist even if organizations have just-in-time privileged access. However, the biggest difference between organizations that have just-in-time privileged access implemented and adhered to vs organizations that don’t is the level of risk, potential damage, financial costs and penalties the enterprise is willing to accept if compromised by attackers. The organizations that take the time to implement just-in time privileges benefit from streamlined operations, reduced overall risks and a smaller radius of impact in the event of a breach.