Understanding the Principle of Least Privilege
The Principle of Least Privilege is the principle that users and programs should only have the necessary privileges to complete their tasks. In the case of Jurassic Park, this whole situation could have been avoided if they had applied the principle of least privilege throughout the systems in the park. Sure, Dennis Nedry was a key piece of building Jurassic Park, but did he need access to the entire park’s power system? If he didn’t have access to the entire power system would he have gone through with the plan that ultimately ended Jurassic Park before it even began? While we may never know the answers to these questions, we can take the hard lesson that Jurassic Park learned and apply it to our school environment to create a more robust security posture, without, of course, the more than likely overpriced meal plan and the highly intelligent velociraptors chasing us around every corner.
In practice, the principle of least privilege looks like; teachers should only have the privileges they need to do their job, district staff only have the privileges they need to do their job, technology teams only have the privileges that they need to do their job, and so on throughout the district. This can be accomplished in a variety of ways with the most popular being managing permissions through Active Directory Security Groups. Security groups allow us to assign permissions through user rights and group permissions. User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest while security group permissions are assigned to the security group for the shared resource. Nesting groups within groups is also a great way to fine-tune security permissions. So for example you may have a security group for school administrators and security for teachers that is nested within a security group for one specific school building in the district.
One of the most common and most severe violations of the principle of least privilege that school districts often fall prey to is having all staff have local administrator privileges regardless of whether or not they are needed. This is often an older policy that was put in place to save time for the technology department so they wouldn’t have to deal with staff asking permission to download software on their devices or even worse a higher level of authority, like district administration, required the technology department to implement local administrator privileges to all staff as an easy way to stop complaints from other staff that wanted to download a piece of software but didn’t have permission to do so. Believe it or not, I have seen firsthand both of these scenarios in multiple schools districts over the years and unfortunately, some of them have paid the price in the form of malware and a compromised network.
Another way that attackers abuse unneeded permissions is through privilege escalation. Privilege Escalation is the step attackers take after they have gotten an initial compromise of a device, account, or software and look to upgrade their privilege from whatever normal user privileges they have gained to full administrative privileges that they can then abuse. This usually involves some sort of exploit in a piece of software or the computer itself that is used to gain this elevated access. The principle of least privilege can apply here as well. If a user has permissions to run certain apps, programs, or services as an administrator, the attackers can take advantage of those privileges and essentially piggyback off of them in order to run their malicious scripts and either gain full access as administrator or create their own administrator account on the device. In this attack vector the compromised account, apps, programs, and services are not the primary attack targets but rather the permissions used to run those apps, programs, and services are targeted in order to gain administrator access. In order to guard against this type of attack, we can leverage the principle of least privilege and audit our environments for these kinds of permissions and remove any problematic permissions that are not absolutely essential to that person’s ability to do their job.
One of the biggest hurdles in fully implementing the principle of least privilege is changing the district’s technology culture from the easiest way of doing things to the most secure way of doing things. If teachers and school administrators are used to installing any software they want because they currently have local administrator privileges, you can expect to get some push back and resistance to the change. The same thing goes with staff having administrator privileges on certain programs or accounts that they don’t need to successfully do their jobs. If you take something away that they already have you can expect to be met with an attitude of defiance. Now, this isn’t because they are bad people or have ulterior motives, it’s just because they are people, and that’s what people do. Think about a toddler that has 3 cookies. If you take a cookie away what happens? More than likely a temper tantrum that could melt the sun. However, if you just give the toddler 2 cookies to start and not 3 they don’t know that the third cookie is even an option and are excited that they are getting 2 cookies. When it comes to technology and taking away permissions or privileges that staff may already have, we have to come prepared with a plan for a successful deployment of changes.
The first major step in this plan is to get administrative buy-in. These changes, while they may seem innocent enough, may not seem that way to other staff members so it is important that the plan is clearly organized and communicated to school administrators in a way in which they understand the reason or purpose for the changes and why making these changes is important. To communicate this clearly with the school administration make sure you have a detailed list of things you are changing and how it will affect the staff members and their ability to do their jobs completely and successfully. Remember we are trying to secure not hinder. Also, it may be helpful to put the impact of a potential incident in a way that school administrators can understand fully to highlight the importance of proper security controls. Providing real-life examples is often the easiest way to get non-technical people to understand the severity of a technical issue. Once you have administrative buy-in and support you now have a person or persons of authority that are approving the actions being taken and that have direct authority over other staff members. It may even be helpful to have the school administrators be the ones to communicate the change to the other staff so they can hear it “straight from the horse’s mouth,” so to speak.
Additionally, it’s important to have a communication plan that focuses on the benefits of the changes and not the act of taking something away. For example, when a staff member asks why these changes are happening don’t say, “We are removing unneeded permissions from staff accounts for security reasons.” Instead frame it in a more positive way like, “We are proactively strengthening our school’s defenses to avoid any successful cyberattack against our school or its staff.” Both of these statements are true statements but the latter frames the why in a much easier way for nontechnical folks to digest. Remember there is no need to lie to a staff member about what’s happening but rather present the changes in a positive way so they understand why the changes are taking place.
The good news is that as technology continues to advance and is pushed more and more to the cloud (Google, Office 365), the easier it will be to enforce and audit the principle of least privilege throughout the domain. In many cases, we can start implementing these new services and solutions with a security mindset first instead of later or none at all which will dramatically help strengthen our district’s security posture. However, until then and even after, it is critically important that we implement the principle of least privilege in our environments in order to keep making the attacker’s lives just a little bit more difficult. Remember don’t be like Jurassic Park, protect your district, staff, and students by implementing the principle of least privilege.
Want to learn more about Cybersecurity within Education? Check out our Cyber Resources Page!