An Effective Approach to Protect Administrative Accesses to Your Datacenters and Cloud Resources

This article provides guidance on how to protect administrative access to your datacenters and cloud resources without the need for complex privileged access management systems. It describes one approach among several.

 

What are the most common difficulties that security leaders and teams can face today?

 

The following is a summary of the most common difficulties that security leaders and teams can face today when it comes to protecting access to datacenters and cloud resources:

  • It is difficult to make sure that all on-premises resources are secure enough to be allowed direct internal access
  • Organizations aiming to implement multi-factor authentication for administrative access generally fail to find a multi-factor authentication system that is compatible with all the technologies in use
  • Cloud resources are generally highly secured. However, each provider comes with its own set of technologies and techniques to secure its platform, which makes it tricky to establish a homogeneous and standard security implementation for administrative access across all the platforms in use

  

How can you design your protection for administrative accesses to your datacenters and cloud resources?

  

The following table provides a summary of techniques you can consider using:

 

Technique: Use a jump server for all administration activities wherever it is technically possible. Attempts to connect for administration from IP addresses other than those of the jump servers shall be denied.

Technologies: You can use:

  • Windows Server as jump servers
  • Your firewalls or access lists to restrict access to administration ports (such as RDP on 3389) to only the IPs of your jump servers

Advantages:

  • Security leaders and teams mainly have to make sure that the jump servers are highly secured and controlled, which provides a simplified security approach to managing access.
  • Operational teams will have their standard day-to-day and emergency operation tools installed on the jump servers, which makes it more convenient for them, especially when they have to carry out their duties.

Limitations:

  • Some cloud services may not have IP filtering capabilities, which might make the approach not applicable in certain cases.
  • The approach will work perfectly for cloud services if your jump servers are NATed through a dedicated public IP.
  • Some administration access may use the same ports that are intended to provide the service (example: administration through a web portal may use port 443, which is also used to provide the service to end users). However, there might be a workaround to apply IP restrictions (example: on a web portal, you may restrict access to the pages intended for administration by IP).

Technique: Use a single, simplified multi-factor authentication system. You may want to require it only on jump servers.

Technologies: You can use Microsoft Multi-Factor Authentication Server and require a two-factor authentication experience only on the jump servers.

Advantages:

  • Security leaders and teams will find it easier to manage multi-factor authentication with a single technology in use.
  • Operations teams will find it more convenient if multi-factor authentication is required only on the jump servers, while their credentials will be sufficient to access the rest of the resources.

Limitations: None has been identified

Technique: Use dedicated admin accounts. Access to the jump servers will be available only to those accounts. RDP access on the jump servers shall be sufficient for most of the users, and you can allow your administrators to enable their admin accounts only when needed.

Technologies: You can use:

  • Microsoft Active Directory Domain Services to manage your admin accounts and Group Policies Restricted Groups to define who can access your jump servers
  • Microsoft System Center Orchestrator to manage the activation of admin accounts

Advantages:

  • The likelihood of compromising passwords for dedicated admin accounts is highly reduced compared to your daily access accounts.
  • Security leaders and teams can also have real-time visibility into who is enabling an administrative access through e-mail notification, which allows them to monitor the accesses and potentially identify suspicious activities.

Limitations: None has been id
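One way to check the jump-server restriction from the first technique, as an added example that is not part of the original article: the Python code below walks a first-match access list and reports every source range that can reach an administration port without being a jump server. The rule format, the addresses and the implicit final deny are assumptions made for illustration.

```python
import ipaddress

def subtract(nets, cut):
    """Remove CIDR block `cut` from a list of disjoint CIDR blocks."""
    out = []
    for n in nets:
        if n.subnet_of(cut):
            continue                            # fully covered by `cut`
        if cut.subnet_of(n):
            out.extend(n.address_exclude(cut))  # split `n` around the hole
        else:
            out.append(n)                       # disjoint, untouched
    return out

def intersect(nets, block):
    """Parts of `block` that lie inside the disjoint blocks in `nets`."""
    return [n if n.subnet_of(block) else block
            for n in nets if n.subnet_of(block) or block.subnet_of(n)]

def exposed_sources(rules, jump_servers, port):
    """Source ranges that can reach `port` but are not jump servers.
    Assumes first-match evaluation with an implicit deny at the end."""
    jumps = [ipaddress.ip_network(j) for j in jump_servers]
    unmatched = [ipaddress.ip_network("0.0.0.0/0")]  # sources no rule matched yet
    exposed = []
    for action, src, rule_port in rules:
        if rule_port not in (None, port):       # None means "any port"
            continue
        src = ipaddress.ip_network(src)
        if action == "allow":
            reach = intersect(unmatched, src)   # what this rule really lets in
            for j in jumps:
                reach = subtract(reach, j)
            exposed.extend(reach)
        unmatched = subtract(unmatched, src)
    return [str(n) for n in sorted(exposed)]

# Constructed sample data (not from the article): two jump servers and an
# access list whose second rule is broader than intended.
JUMP_SERVERS = ["10.0.50.10/32", "10.0.50.11/32"]
RULES = [
    ("allow", "10.0.50.10/32", 3389),
    ("allow", "10.0.50.0/28", 3389),   # whole subnet, not only the jump servers
    ("allow", "0.0.0.0/0", 443),       # the public service itself
    ("deny", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print(exposed_sources(RULES, JUMP_SERVERS, 3389))
```

An empty result means only the jump servers can reach the port; any range returned is a rule to tighten.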

 

You should also plan for emergency cases where all your jump servers might be failing and you need to allow emergency access. This can be achieved securely by having at least one dedicated machine in your datacenter that is also allowed to access all of your resources, and an account that can log on only to this machine and that can change the expiry date of any account in your AD DS (the account shall be used only during emergency cases).