Discover how to successfully implement the Australian Government’s Essential Eight Framework with simple articles and guides that you can work through to achieve level 3 maturity in your organisation


This article will cover Maturity 1 Control 5: Restrict Administrative Access


What does “Restrict administrative access” seek to achieve?

“Restrict administrative access to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Do not use privileged accounts for reading email and web browsing.

Why: Admin accounts are the ‘keys to the kingdom.’ Adversaries use these accounts to gain full access to information systems.”

Maturity level 1 of this control aims for the following level of security:

  1. Privileged access to systems, applications and information is validated when first requested.
  2. Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.

How To Restrict Administrative Access

As a starting point, we recommend defining and separating admin users from ‘normal’ users and predefining the privileges each user requires. Users who need no admin access are then limited to the capabilities their role requires.

For users that require admin privileges as part of their workflow, we suggest going a step further and providing them with two accounts (e.g. Person and PersonAsAdmin): one for general use, one for when they need admin privileges.

This gives the best of both worlds: passwords and accounts belong to a person, as they should, not to a role, while risk and exposure are lowered by using privileges only when they are needed.

Once you have identified the user requirements, you can set up individual access using the recommended method for the platform you wish to secure.

For the purposes of this article, we’ll show you how to do it across Windows OS devices:

Group policy

Full credit to Activedirectorypro.com for this one; the steps below follow their original article. Also worth noting that you can do this on your local computer as well, though it doesn’t really make sense if you are both user and admin of your own machine.

Step 1. Right-click the organizational unit where you want the GPO applied and select “Create a GPO in this domain, and link it here”

Step 2. Name the GPO and click OK

Now you need to edit the GPO.

Step 3. Right-click the GPO and click Edit

Step 4. Browse to the following GPO settings

Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups

Now right-click in the right-hand pane and select New -> Local Group

Settings:

Action: Update
Group name: Administrators (built-in)
Delete all member users: Yes
Delete all member groups: Yes

Members: Click Add and select the members you want added to the local Administrators group. You probably want to keep the local Administrator account and the Domain Admins group as local admins… but that is totally up to you.


The above settings first delete all existing member users and groups and then add the accounts specified in the Members box. This cleans out all unwanted accounts and leaves only the accounts you want in the local Administrators group.
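The GPO only corrects membership at each policy refresh, so it is worth checking what the local Administrators group actually contains on a given host. The following PowerShell is an added example, not part of the original article or the Activedirectorypro.com guide: it audits the group against an allow-list that mirrors the GPO’s Members box and reports any drift. The domain group name is a placeholder you would replace with your own.

```powershell
# Added example: audit local Administrators membership against an allow-list.
# Assumes the built-in LocalAccounts module (Windows 10 / Server 2016 or later).
# Replace the CONTOSO group with your own domain group; it is a placeholder only.
$AllowedMembers = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local Administrator account
    'CONTOSO\Domain Admins'              # placeholder domain group
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$Allowed = $AllowedMembers
    )
    # Get-LocalGroupMember returns local and domain principals with their SIDs.
    # Anything not on the allow-list is drift that the GPO should have removed.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

$drift = Get-UnexpectedLocalAdmins
if ($drift) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $drift | Format-Table -AutoSize
    # Uncomment to enforce the same result as the GPO's 'Delete all member users/groups':
    # $drift | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_ }
} else {
    Write-Output 'Local Administrators membership matches the allow-list.'
}
```

Run it as an administrator on the host being checked; the audit is read-only until the Remove-LocalGroupMember line is uncommented.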

Windows Autopilot/Microsoft Azure AD

This particular method is still in preview, however it should be pretty close to release at the time of writing this article. One key thing to note is that this method does not have a UI (user interface) to manage and implement it, so you will need to be able to use Microsoft Intune. If you’re knowledgeable enough to use this method, we recommend heading straight to Microsoft’s documentation (rather than us regurgitating what is fairly technical in nature).

Up next in our Essential Eight series will be Maturity 1 Control 6: Patch Operating Systems