Whether your data or applications live in a cloud, a remotely accessed datacenter, or your local network, an infected or rooted administrative workstation is a nightmare scenario for any organization, government, or operator of critical infrastructure (e.g., SCADA).
Malware picked up from a drive-by website, an email attachment, or removable media carrying a malicious executable, or spread through file shares left open to other infected machines on your network, is problematic enough when the victim is an end user. It is catastrophic when the compromised machine is an administrator’s: a rootkit, an APT implant, or a keylogger on a management console or admin workstation hands the attacker your data, your applications, your kingdom.
This may seem obvious to experienced administrators, but some recent and noteworthy penetrations of critical infrastructure, from attacks on power plants to malware carried in on USB drives, suggest it isn’t obvious to everyone.
What is obvious is that bad things happen when administrative workstations are used for general purposes, or when they aren’t segregated from the general-purpose computing population. Here’s a checklist of ten administrative workstation hygiene measures you should consider to protect your datacenter against unauthorized administrative access:
- Harden your administrative workstations. Run only the services and runtimes (e.g., the Java virtual machine) you absolutely need, and follow an established Linux or Windows OS hardening guideline (ample resources exist).
- Use the security measures available for your web browser of choice, and review every extension or plug-in before you install it.
- Create a unique account for each administrator. Do not allow guest or general-purpose user accounts. Restrict root privileges.
- Apply the Principle of Least Privilege to every account you create.
- Restrict (allow-list) the systems and networks that administrative workstations are able to reach, for example with a host firewall on the workstation and network ACLs in front of the management network.
- Consider implementing a Response Policy Zone (RPZ) in your DNS resolver so that known-malicious domains are blocked or redirected before a connection is ever made. Note that a tampered local hosts file is consulted before DNS and is not covered by RPZ; protect that file separately with permissions and integrity monitoring.
- By policy and configuration, only allow the installation of applications that are necessary for administration: no Office, no games, no phone-management software, no music players. Conduct a security review of every script or custom application before installing and using it. Do not use scripts that must be fetched from and executed off a third-party hosting site at run time (e.g., piping a downloaded script straight into a shell).
- Set auditing to stun. Seriously: enable event logging at the highest level performance can tolerate, and implement monitoring and notification sufficient for you to learn of unexpected or suspicious activity quickly.
- Protect against sneakernet attacks by configuration (for example, refusing to load USB mass-storage drivers) or through removable-media security software.
- Isolate (segment) administrative workstations from the general user population so they are not exposed to blended threats or infections spreading within the local LAN.
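To make the allow-listing item concrete, here is an added example (not code from the original post) that turns a plain-text list of management targets into an nftables ruleset for a Linux admin workstation: outbound connections are permitted only to the listed hosts and ports, nothing may initiate a connection to the workstation, and everything else is logged and dropped. The allowlist file format, the sample addresses and the table name admin_ws are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build an nftables ruleset that
# lets an admin workstation initiate connections only to an explicit list of
# management targets. The allowlist format and the table/chain names are
# assumptions made for this example.
#
# Allowlist format, one entry per line:  <ipv4-or-cidr> <tcp|udp> <port>
# Anything after '#' is a comment; blank lines are ignored.

gen_admin_ruleset() {
    # $1 = allowlist file; the ruleset is written to stdout
    allowlist="$1"
    cat <<'EOF'
flush ruleset
table inet admin_ws {
    chain input {
        # nothing initiates connections *to* an admin workstation
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # management targets this workstation may reach (IPv4 only;
        # IPv6 destinations would need matching "ip6 daddr" rules)
EOF
    sed 's/#.*//' "$allowlist" | awk 'NF == 3' |
    while read -r dst proto port; do
        printf '        ip daddr %s %s dport %s accept\n' "$dst" "$proto" "$port"
    done
    cat <<'EOF'
        # anything else is logged (rate-limited) and then hits the drop policy
        limit rate 5/second log prefix "admin-ws denied: "
    }
}
EOF
}

# Constructed sample allowlist. The resolver must be on it, or every name
# lookup from the workstation will fail once the ruleset is loaded.
ALLOWLIST="${TMPDIR:-/tmp}/admin-allowlist.txt"
cat > "$ALLOWLIST" <<'EOF'
# dst            proto  port
10.0.0.53        udp    53     # internal resolver (RPZ-enforcing)
10.0.0.53        tcp    53
10.0.1.0/24      tcp    22     # SSH to the management network
10.0.2.10        tcp    443    # bastion in front of cloud/vSphere consoles
EOF

# Syntax-check with "nft -c -f admin-ws.nft", then apply with "nft -f admin-ws.nft".
gen_admin_ruleset "$ALLOWLIST" > "${TMPDIR:-/tmp}/admin-ws.nft"
```

Apply it from a console session rather than over SSH the first time: with a default-drop output chain, a missing resolver or bastion entry locks you out of exactly the systems you administer, which is why the generated file is meant to be checked with `nft -c` and reviewed before it is loaded.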
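For the RPZ item, here is an added example (not code from the original post) that turns a simple policy list into a BIND Response Policy Zone. The security-relevant detail is how RPZ encodes the action in the CNAME target: `CNAME .` returns NXDOMAIN, `CNAME *.` returns NODATA, `rpz-drop.` silently drops the query, `rpz-passthru.` exempts a name, and a CNAME to a real host redirects the client to a sinkhole or walled garden. The zone name rpz.local, the file names, the sample domains and the walled-garden host are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a BIND RPZ zone from a
# policy file. Zone name, file names and sample domains are assumptions.
#
# RPZ encodes the policy action in the CNAME target:
#   CNAME .              -> answer NXDOMAIN
#   CNAME *.             -> answer NODATA (name exists, no records)
#   CNAME rpz-drop.      -> drop the query, send nothing back
#   CNAME rpz-passthru.  -> explicitly allow (exempts a name from a broader rule)
#   CNAME <host>         -> local data: redirect to a sinkhole / walled garden

rpz_record() {
    # $1 = domain (relative to the policy zone), $2 = action, $3 = redirect target
    name="$1" action="$2" target="$3"
    case "$action" in
        nxdomain) printf '%s CNAME .\n' "$name" ;;
        nodata)   printf '%s CNAME *.\n' "$name" ;;
        drop)     printf '%s CNAME rpz-drop.\n' "$name" ;;
        passthru) printf '%s CNAME rpz-passthru.\n' "$name" ;;
        redirect) [ -n "$target" ] || { echo "rpz_record: redirect needs a target" >&2; return 1; }
                  printf '%s CNAME %s\n' "$name" "$target" ;;
        *) echo "rpz_record: unknown action '$action'" >&2; return 1 ;;
    esac
}

build_rpz_zone() {
    # $1 = policy file with lines "<domain> <action> [target]"; zone on stdout.
    # Every domain also gets a wildcard entry so its subdomains are covered.
    policy="$1"
    cat <<'EOF'
$TTL 60
@   IN SOA localhost. hostmaster.localhost. ( 1 3600 600 86400 60 )
@   IN NS  localhost.
EOF
    sed 's/#.*//' "$policy" | awk 'NF >= 2' |
    while read -r domain action target; do
        rpz_record "$domain" "$action" "$target" || return 1
        rpz_record "*.$domain" "$action" "$target" || return 1
    done
}

# Constructed sample policy.
POLICY="${TMPDIR:-/tmp}/rpz-policy.txt"
cat > "$POLICY" <<'EOF'
# domain               action    [target]
evil.example           nxdomain
c2.example             drop                          # don't even answer
tracker.example        redirect  walledgarden.corp.example.
updates.vendor.example passthru                      # keep a needed host reachable
EOF
build_rpz_zone "$POLICY" > "${TMPDIR:-/tmp}/rpz.local.db"

# named.conf wiring (shown as a comment so this script stays self-contained):
#   options { response-policy { zone "rpz.local"; }; };
#   zone "rpz.local" { type master; file "rpz.local.db"; allow-query { none; }; };
# Validate the generated file with: named-checkzone rpz.local rpz.local.db
```

The zone is only effective if the admin workstations actually use this resolver, so pair it with the network allow-list (resolver reachable, every other DNS server not) and remember that a poisoned local hosts file is consulted before any query is sent.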
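The auditing and sneakernet items both come down to a few lines of host configuration, so here is one added example (not code from the original post) that writes both for a Linux admin workstation: a modprobe policy that refuses to load USB mass-storage drivers, and an auditd rule set that records privilege boundaries, every command run as root, and changes to the controls an attacker on the box would go after. Files are written under an optional root prefix so they can be staged and reviewed before touching the live system. The file names, audit keys and watched paths are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): stage the host configuration
# behind the "sneakernet" and "auditing" checklist items. File names, audit
# keys and watched paths are assumptions for this example.

write_usb_storage_block() {
    # $1 = root prefix ("" for the live system). Prints the file written.
    dir="${1:-}/etc/modprobe.d"
    mkdir -p "$dir"
    cat > "$dir/admin-ws-no-usb-storage.conf" <<'EOF'
# Admin workstation: never load USB mass-storage drivers.
# "install <module> /bin/false" also defeats a manual "modprobe usb-storage";
# keyboards and mice (usbhid) are unaffected. If a module is already loaded,
# rmmod it once, and rebuild the initramfs so the rule holds from boot.
install usb-storage /bin/false
install uas /bin/false
blacklist usb-storage
blacklist uas
EOF
    echo "$dir/admin-ws-no-usb-storage.conf"
}

write_audit_rules() {
    # $1 = root prefix. Rules go in rules.d and are loaded with "augenrules --load";
    # the 99- prefix keeps "-e 2" (lock the rules) as the last line after merging.
    dir="${1:-}/etc/audit/rules.d"
    mkdir -p "$dir"
    cat > "$dir/99-admin-ws.rules" <<'EOF'
-D
-b 8192
## who can become root, and who did (b32 rules too, or a 32-bit execve slips past)
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -F euid=0 -k root-exec
-a always,exit -F arch=b32 -S execve -F euid=0 -k root-exec
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k escalation
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k escalation
## the credentials and controls an attacker on this box would go after
-w /root/.ssh/ -p rwa -k ssh-keys
-w /etc/modprobe.d/ -p wa -k kernel-modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel-modules
-w /etc/nftables.conf -p wa -k firewall
-w /etc/audit/ -p wa -k audit-config
## make the audit configuration immutable until reboot
-e 2
EOF
    echo "$dir/99-admin-ws.rules"
}

# Stage into a scratch directory (constructed), review, then rerun with "" as the root.
STAGE="$(mktemp -d)"
write_usb_storage_block "$STAGE"
write_audit_rules "$STAGE"
```

Two caveats a practitioner will want: the modprobe policy does nothing for a device that is already mounted, and with `-e 2` in place a mistake in the rules cannot be corrected without a reboot, so load the file with `augenrules --load` on a test machine and confirm the expected events appear in `ausearch -k root-exec` before rolling it out.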
This list is not exhaustive. Consider physical workstation security and authentication as well. Mobility adds other attack surfaces to consider, but let’s save those for another post. By implementing these measures, however, you will greatly reduce your risk of compromise.
Originally posted at The Transformed Data Center 19 April 2013.