Do you trust your admins? 5 tips to manage administrator access

The access rights that internal and external network admins possess carry the potential for abuse and errors that can expose systems and data. These practices can help avoid that.

Trusting your administrators and outside consultants is a key part of the security process. But should you? I recently came across a story where an employee of a managed service provider (MSP) sold access to the client base. Years ago, a Microsoft security strategist, Steve Riley, asked attendees at the company’s security conference if they trusted their administrators. Astoundingly, most people in the room indicated that they did not trust their administrators.

As Riley stated at the time, “If we can’t trust the very people we hire to build and manage the mission-critical networks on which our business successes depend, we might as well unplug it all and revert to the days of stone knives and bearskins.”

Here are my suggestions for building trust in your internal and external admins.

1. Have an end-to-end process to manage and monitor

Trusting administrators will always carry risk, but having a process for interviewing, investigating, hiring, monitoring and terminating any employee or consultant who has the role of administrator will minimize that risk. 


Review your consultants for their education and experience. Ask for references and verify their education and credentials. Perform background checks on anyone you hire as an employee or consultant and have them sign a confidentiality agreement. Ensure that any consultant you hire is aware of, and abides by, any regulations or compliance mandates that apply to your industry.

2. Don’t forget third-party software with admin rights

There’s another administrative role you need to monitor: third-party software that has service account rights. When setting up third-party software in your Office 365 deployment, review what rights that software requests and make sure it stores the information in a location that matches your mandates.

For example, cloud backup processes might need to have a service account with specific rights to back up or monitor your cloud assets. You may need to set up exclusions to conditional access rules to properly set up the account.

3. Deploy, manage and monitor multi-factor authentication

For all these roles, the ability to manage and audit access is key to ensuring that your network allows only appropriate users and administrators to have access and that it’s compliant with your policies. As you include multi-factor authentication (MFA) in the mix, the ability to manage and monitor the use of MFA is also key. 

In small businesses that outsource network management, a consultant often has multiple employees handle access for multiple clients. Administrator accounts for Office 365 do not require additional licensing. In a small network, you often do not need separation of administrative duties and can assign global administrator rights to multiple employees. In addition, MFA with the Microsoft Authenticator or Google Authenticator can be installed on multiple phone devices. So, if the client prefers having only one global administrator, the access can be secured with MFA on several devices.

Some consultants might say they can’t implement MFA because they then couldn’t share the credentials among their employees. Their inability to devise a workable solution to delegation of duties means that their client would be unnecessarily exposed to risk. While sharing credentials is not an ideal situation, neither is using it as an excuse to not enable MFA.  

Microsoft, in fact, is mandating the use of MFA for all partner accounts. Furthermore, Microsoft is changing the security defaults to mandate MFA for the following roles: global administrator, SharePoint administrator, Exchange administrator, conditional access administrator, security administrator, helpdesk administrator or password administrator, billing administrator, user administrator and authentication administrator. 

4. Minimize the risk of sharing access

While shared access may be a less-than-ideal compromise that small businesses accept, it isn’t a good solution for large enterprises. Administrative access, and global administrator access in particular, should be closely monitored and limited in scope. However, this access shouldn’t be so limited that it obstructs business processes. Asking an administrator to submit paperwork for access isn’t an appropriate limitation of access and often causes more issues. Instead, set up processes for administrators to use. First, make sure that they only log in from appropriate locations and from appropriate privileged access workstations.

Then use the global administrator account sparingly. As Microsoft notes, set up no more than five global administrator accounts in your tenant. Then determine if you can have sub-administrator accounts that access specific areas.

Microsoft is previewing the use of the Authentication Administrator. Users with this role can set or reset non-password credentials and can update passwords for all users.  
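As an added example (not code from the article), this Python check applies two of the rules above to a constructed export of role memberships: no more than five global administrators, and MFA registered for everyone holding one of the roles that Microsoft's security defaults cover. The input layout, the tenant name contoso.example and the sample accounts are assumptions, not a real Graph response.

```python
"""Audit privileged Office 365 role membership against two rules from the article:
at most five Global Administrators, and MFA registered for every holder of a role
that Microsoft's security defaults protect. Input is a constructed export, not a
real API response."""
from collections import defaultdict

# Roles the article lists as covered by Microsoft's MFA security defaults.
MFA_REQUIRED_ROLES = {
    "Global Administrator", "SharePoint Administrator", "Exchange Administrator",
    "Conditional Access Administrator", "Security Administrator",
    "Helpdesk Administrator", "Password Administrator", "Billing Administrator",
    "User Administrator", "Authentication Administrator",
}
MAX_GLOBAL_ADMINS = 5  # Microsoft's recommended ceiling per tenant


def audit_roles(assignments, mfa_registered):
    """assignments: list of {"role": str, "upn": str}, one row per membership.
    mfa_registered: set of UPNs that have an MFA method registered.
    Returns a list of finding strings; an empty list means both rules pass."""
    members = defaultdict(set)
    for row in assignments:
        members[row["role"]].add(row["upn"].lower())
    findings = []
    global_admins = members.get("Global Administrator", set())
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(f"{len(global_admins)} Global Administrators exceed the limit of {MAX_GLOBAL_ADMINS}")
    registered = {u.lower() for u in mfa_registered}
    for role in sorted(members):
        if role not in MFA_REQUIRED_ROLES:
            continue  # roles outside the MFA-mandated list are not checked here
        for upn in sorted(members[role] - registered):
            findings.append(f"{upn} holds {role} without MFA registered")
    return findings


# Constructed sample tenant: six global admins (one too many) and a helpdesk
# administrator who has never registered MFA.
SAMPLE_ASSIGNMENTS = [
    {"role": "Global Administrator", "upn": f"admin{i}@contoso.example"} for i in range(1, 7)
] + [
    {"role": "Helpdesk Administrator", "upn": "help@contoso.example"},
    {"role": "Billing Administrator", "upn": "finance@contoso.example"},
    {"role": "Reports Reader", "upn": "analyst@contoso.example"},  # not in scope
]
SAMPLE_MFA = {f"admin{i}@contoso.example" for i in range(1, 7)} | {"finance@contoso.example"}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ASSIGNMENTS, SAMPLE_MFA):
        print("FINDING:", finding)
```

Feeding it a real export means flattening each role's member list into `{"role", "upn"}` rows and supplying the set of users with a registered authentication method.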

5. Set up emergency accounts

Of course, set up emergency accounts for access to Azure or Office 365 that do not have MFA enabled. You’ll want to ensure that, should something happen to Microsoft’s two-factor processes, you still have a means to reset the subscription. Set up an administrative account that does not have MFA, is excluded from the policy, and has an extremely long password. Once you do that, set up monitoring to track the use of the account so that you get alerted whenever it’s used.
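Added example, not the article's own code: a small detector that raises an alert for every sign-in attempt, successful or not, by the emergency accounts, run over constructed records shaped like an Azure AD sign-in log export. The account names, IP addresses and record layout are assumptions.

```python
"""Alert on any use of the MFA-exempt emergency (break-glass) accounts.
Records are constructed samples resembling Azure AD sign-in log entries
(newline-delimited JSON); they are not real log data."""
import json
from datetime import datetime

# Placeholder UPNs for the emergency accounts; replace with the tenant's own.
BREAK_GLASS_UPNS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}


def find_break_glass_signins(log_lines, break_glass=BREAK_GLASS_UPNS):
    """Return one alert dict per sign-in attempt by a break-glass account.
    Failed attempts are reported too: a password guess against an account
    that bypasses MFA matters as much as a successful login."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in break_glass:
            continue
        error_code = rec.get("status", {}).get("errorCode", 0)
        alerts.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "upn": upn,
            "ip": rec.get("ipAddress"),
            "success": error_code == 0,
            # "notApplied" is expected here because the account is excluded
            # from conditional access; anything else deserves a second look.
            "ca_status": rec.get("conditionalAccessStatus"),
        })
    return alerts


# Constructed sample: a normal user, then a failed and a successful attempt
# by a break-glass account (50126 is the invalid-credentials error code).
SAMPLE_LOG = """
{"createdDateTime": "2020-03-01T02:14:07Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"}
{"createdDateTime": "2020-03-01T02:15:30Z", "userPrincipalName": "breakglass1@contoso.example", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2020-03-01T02:16:02Z", "userPrincipalName": "BreakGlass1@contoso.example", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"}
""".splitlines()

if __name__ == "__main__":
    for alert in find_break_glass_signins(SAMPLE_LOG):
        print("ALERT:", alert)
```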

Bottom line, not only should you trust your administrators, you should trust where they log in from and trust that they can only log in with MFA enabled.