An Employee Wants Access Permissions for Protected Service "X"…
Let me just start out by clarifying something. This article isn’t meant to be the “Top Ten ways of Making Your Users Unhappy”! It’s can seem that way, but restricting access permissions for all services except those necessary to do ones job is, quite possibly, the best way to harden the security of a network!
“How exactly does this improve the security of my network?”
There are a lot of analogies I could use to describe how this works. I could say your network is like a fish and each workstation is like a scale on that fish. I could compare your network to some sort of plant. I could even compare your network to a box of chocolates. But I won’t. (Plus, if you look under the lid of the box it tells you what type each chocolate is.) Instead I’m going to compare hardening your network to securing your home from burglars.
Consider the Following: A network can be thought of like a mansion. There are a lot of rooms, a lot of floors, a lot of hallways, and an obscene amount of doors and windows. For a burglar, the easiest way into a mansion is through an unsecured door or window on the first floor. That’s because, as the first point of contact between the inside of the house and the outside world, there are a lot of openings that the higher floors lack (human interaction and an active internet connection). With so many doors and windows (ports and services), it takes a lot of work to confirm that each one is secure. That’s why most mansions have a gated fence surrounding the property (a firewall). If the burglar manages to clear the fence though, then there isn’t anything stopping them from finding any unlocked door or window, walking in, and walking out with whatever they want.
Now, unlike a mansion, a network doesn’t need to aesthetically look good. So to keep those eBurglars out, why wouldn’t you just seal and board up every door and window that isn’t essential? Blocking the ports, disabling the services, and removing the applications which are unnecessary for the jobs being done is like boarding up the first floor of that mansion. The second floor (routers, departmental servers, and shared access devices) is equally vulnerable if the burglar has brought a ladder, so do the same for that floor. Another concern is that one of the mansions staff could be in on the job, so only give them access to what they need by putting locked doors in the hallways (access privileges). Finally, take all of the valuable stuff in the mansion and store it in a vault in the attic (hardened server). Computers don’t care about having to follow a long tedious process to access information, they can automate the process if they’re supposed to have access. If someone attempts to breach your systems though, then it’s like a panic room for your information.
If you’re a network admin, this might sound like a great idea, but also like a lot of work. This would require you to make significant changes to your current system, not to mention the effort required to manage so many passwords and privileges.
AuthAnvil won’t help you brick up those doors and windows, but we can upgrade them so they are only accessible to genuine authorized users. With us making the tedium of that job disappear, you can get back to more important tasks.