Cyber Security Potluck: The "Poor Person Just-In-Time (JIT)" for Local Admin Rights
Bring your Ideas to the Floor



Assumptions

An existing Active Directory (AD) environment is in place.

AD groups are pre-configured on local workstations, that is, the domain groups are already mapped to the correct local groups on each machine.

Multiple group pairs manage diverse security needs, allowing specific resources to be accessed only by appropriately authenticated users.

AuthLite's group pair session tagging dynamically adjusts user group membership based on authentication methods.

No additional training is required for cyber security personnel, since the method uses existing tools and technologies.

Practical Considerations

In the real world, it's impractical to deny all users local admin rights, as certain roles, such as engineers, need these rights to perform tasks like software updates or system configurations efficiently. Our JIT approach facilitates a controlled, temporary elevation of rights, allowing necessary tasks to be performed promptly without extensive IT intervention. This balances security with practical needs, ensuring that operations remain agile without compromising the system's integrity.

Overview of the Method

This method involves a Microsoft Form that users fill out to request local admin rights. Upon form submission, a Microsoft Power Automate flow is triggered, executing a PowerShell script that temporarily grants local admin rights to a secondary account associated with the user's primary identity. This secondary account is specifically created for elevated tasks and does not replace the user's regular account.

Technical Walkthrough

Request Initiation:

Users submit their needs for local admin rights through a Microsoft Form, detailing the user ID, duration of the admin rights, and the purpose of the request.

Automated Processing:

Upon form submission, Microsoft Power Automate triggers a PowerShell script.

This script adds the user's secondary account to a pre-configured domain group; Group Policy maps that group to the local Administrators group on the targeted machines, which is what grants the account local admin rights there.

Time-Limited Access:

The PowerShell script schedules the removal of admin rights based on the requested duration, using a Robotic Process Automation (RPA) tool. It ensures that the admin rights expire automatically after the stipulated time by removing the user from the group.

Multi-Factor Authentication (MFA):

The secondary account is secured with MFA via AuthLite, integrated with Yubico keys. This setup ensures that even if the secondary account's password is compromised, it is not enough on its own to use the account, so unauthorized access is prevented.

Governance and Audit:

All actions, from the initial request to the rights expiration, are logged for auditing purposes. This helps track usage patterns and detect potential abuses of admin privileges.

Testing and Validation:

System Testing: The entire setup, including forms, scripts, and RPA tasks, is tested in a controlled environment to ensure functionality and security.

User Capability Assessment: A testing system using Microsoft Forms assesses users' knowledge and capability to handle local admin rights responsibly.

Cleanup and Policy Enforcement:

After the admin rights expire, the secondary account is either disabled or thoroughly audited before reuse. Regular reviews and compliance certifications of these accounts are mandated.
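As an added example (not the article's own script), the grant step of the walkthrough in PowerShell: the three Microsoft Form fields arrive as parameters, the request is checked against a policy cap, the secondary account is added to the group, and every decision is written to an audit log. It goes one step beyond the article by using Active Directory's own time-bound group membership in place of an RPA-scheduled removal. The group name, the "-adm" naming convention for the secondary account, the log path and the eight-hour cap are assumptions.

```powershell
# Added example, not the article's own script. Assumed names: the JIT group
# 'WS-LocalAdmin-JIT' (mapped by GPO to local Administrators), the
# '<UserId>-adm' convention for the secondary account, and the log path.
# Requires the ActiveDirectory module; -MemberTimeToLive needs the
# Privileged Access Management optional feature enabled in the forest.
param(
    [Parameter(Mandatory)][string]$UserId,        # form field: primary account
    [Parameter(Mandatory)][int]   $DurationHours, # form field: requested duration
    [Parameter(Mandatory)][string]$Purpose        # form field: justification
)
Import-Module ActiveDirectory

$Group        = 'WS-LocalAdmin-JIT'
$MaxHours     = 8                     # policy cap, enforced here, not in the form
$LogPath      = 'C:\JIT\jit-audit.log'
$AdminAccount = "$UserId-adm"

function Write-JitAudit([string]$Action, [string]$Detail) {
    # One tab-separated line per event so a log collector can parse it.
    "$((Get-Date).ToString('o'))`t$Action`t$env:USERNAME`t$UserId`t$AdminAccount`t$Detail" |
        Add-Content -Path $LogPath
}

# Reject out-of-policy durations rather than silently clamping them.
if ($DurationHours -lt 1 -or $DurationHours -gt $MaxHours) {
    Write-JitAudit 'DENIED' "duration ${DurationHours}h outside 1..${MaxHours}h"
    throw "Requested duration must be between 1 and $MaxHours hours."
}

# The requester's primary account must exist and be enabled, and the
# secondary account must exist and not already hold the group.
$primary   = Get-ADUser -Identity $UserId -ErrorAction Stop
$secondary = Get-ADUser -Identity $AdminAccount -Properties MemberOf -ErrorAction Stop
if (-not $primary.Enabled) {
    Write-JitAudit 'DENIED' 'primary account disabled'
    throw "Primary account $UserId is disabled."
}
if ($secondary.MemberOf -match "^CN=$Group,") {
    Write-JitAudit 'DENIED' 'already a member'
    throw "$AdminAccount already holds $Group."
}

# Time-bound membership: AD drops the member itself when the TTL lapses and caps
# the account's Kerberos ticket lifetime to the remaining TTL, so expiry does not
# depend on an RPA job running. Local Administrators membership is evaluated at
# logon, so the secondary account must log on after this grant.
Enable-ADAccount -Identity $secondary
Add-ADGroupMember -Identity $Group -Members $secondary `
    -MemberTimeToLive (New-TimeSpan -Hours $DurationHours)
Write-JitAudit 'GRANTED' "group=$Group ttl=${DurationHours}h purpose=$Purpose"
```

Where the PAM optional feature is not available, the same script can instead register a scheduled task that runs Remove-ADGroupMember at the expiry time, which is the RPA-style removal the article describes.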

Estimated Costs

AuthLite Licensing: A 10-pack of AuthLite licenses is approximately $1,000.

Yubico Keys: Each Yubico key costs around $45.00.

This pricing model makes the "Poor Person JIT" an affordable option for small to mid-sized organizations or those with stringent budget constraints, ensuring robust security measures are accessible to all.

The article is trying to be innovative and creative with the items given. I am not endorsing any product nor saying I have created a fail-all solution. Just sharing ideas.

Dr Daniel Schmeling

Disclaimer: The views and strategies discussed in this article are provided for informational purposes only and are not endorsed by any of the products or companies mentioned. While I aim to present practical and cost-effective solutions for managing local admin rights, this method is not foolproof. It is important for each organization to consider their specific needs and security requirements. Readers are encouraged to evaluate the suitability of these ideas for their particular context and seek professional advice where necessary. I am not responsible for any damages or issues that arise from the implementation of these suggestions.






Tirth Patel

Co-Founder @ Xaneur | AI Automation & Innovation

10 months

Very helpful!
