It is important not to overlook the Essential Eight strategy for restricting administrative privileges. Not everyone in your organisation has a need to access all your data. Allowing all staff access to all your data opens you up to cyberattacks.
As the saying goes, “prevention is better than a cure”. This is applicable to keeping your business systems secure.
Only personnel who need access to applications, operating systems and information to perform their duties should have administrative access.
Administrative privileges are the “keys to the kingdom” so to speak. When staff have administrative privileges, they have the power to change anything whether it is intentional or by accident. By restricting administrative privileges, you minimise the potential of an attack and it makes it easy to manage.
Determining who and what
It can be difficult to know where to start. While you may restrict domain administrative privileges when you have a Windows environment, you need to consider other areas as well.
Start by determining who needs access to what:
- Consider who actually needs administrative rights based on the function of their job. Make sure you have policies and procedures in place that cover revoking, granting and the reviewing of privileges. Also ensure that anyone with privileges has the training they need.
- When you work in a Windows environment, consider what administrative privileges exist in your organisation and who currently has access. For example, there are administrative rights for servers, applications, workstations and network devices. Also consider domain groups such as Enterprise and Domain Admins.
Essential Eight strategy
Restricting administrative privileges is a good tool to use to prevent outsiders accessing your business networks. The Essential Eight security strategies from the Australian Cyber Security Centre has a strategy for using administrative privileges to protect your business.
Under the Essential Eight strategies, there are three levels of maturity. The following is a summary:
- Maturity Level One. At Maturity Level One, there is only administrative privileged access to information, systems and applications to select personnel but needs validating when first requested. There are also policies that act as a security control so privileged users cannot browse the web, read emails or download files from the internet.
- Maturity Level Two. Maturity Level Two builds on Level One with the requirement added for revalidating requests annually or more often, if required.
- Maturity Level Three. Level Three builds on the previous two levels by giving privileged administrative access to information, systems and applications only for staff as it applies to their duties. Also there are technical controls so privileged users cannot browse or download files from the internet, or read emails.
The Rightsize technical team takes the time to understand the risks to your business and works with you to design an effective solution to defend against probable events
Contact us now for a free consultation or call 07 3106 7348 to find out more about The Essential Eight and its implementation to protect your business. Rightsize Technology is your IT department as a service. Our solutions protect you online.
Enabling your business to grow efficiently and effectively – we’re the Rightsize for you.
Small businesses struggle to budget their IT operations and often spend inefficiently with less than a great return on their investment. Rightsize Technology understand. We deliver a minimum 30% reduction on IT overheads as a dedicated outside IT department for our clients. Our unlimited 24×7 support, both on and offsite increases business productivity and capacity, enabling their business to grow efficiently and effectively – we’re the Rightsize for growing small businesses. Talk to our team today for more information.