ASD's Blueprint for Secure Cloud

Restrict Administrative Privileges

This page provides a template and guidance to assist organisations in documenting their approach to restricting administrative privileges, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 7 minutes

Applicability

The Restrict Administrative Privileges mitigation strategy is applicable to restricting and hardening all administrative access used for any components of <SYSTEM-NAME>.

Maturity Level

Targeted:<TARGET-LEVEL>
Currently Assessed:<ASSESSED-LEVEL>

Implementation

Privileged access requests

<DETAIL PROCESSES FOR PRIVILEGED ACCESS REQUESTS AS APPROPRIATE>

Operating environments

Unprivileged operating environment

<SYSTEM-NAME> standard workstations utilise Microsoft Entra ID as the source of identity and access management, and Conditional Access prevents privileged accounts from logging on.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Privileged operating environment

<SYSTEM-NAME> utilises dedicated Secure Admin Workstations for privileged users.

These workstations utilise Microsoft Entra ID as the source of identity and access management, and Conditional Access prevents unprivileged accounts from logging on.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Privileged access

Privileged accounts for <SYSTEM-NAME> users are accounts are restricted from accessing the internet, email and web services, and are only able to access relevant Microsoft management portals.

Furthermore, these accounts have appropriate Role Based Access Control applied, with just-in-time administration required for each role to be granted to privileged users.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Management of credentials

<SYSTEM-NAME> provides a central identity store that governs and grants all user access prior to accessing resources on the system. Users are assigned specific user roles according to their business requirements.

Credentials for Break Glass Accounts, local administrator accounts and service accounts are required to be a minimum of 30 characters, uniquely and unpredictably generated, and managed in accordance with the <SYSTEM-NAME> System Administration Process and Procedures, including ensuring that all service accounts are created as Managed Service Accounts.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Protecting credentials

<SYSTEM-NAME> implements the following required protections for user accounts:

ProtectionConfigured
Memory integrity<YES>
Local Security Authority protection<YES>
Credential Guard<YES>
Remote Credential Guard<N/A>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Logging

The collection of event logs for monitoring of <SYSTEM-NAME> is performed in accordance with <ORGANISATION-NAME>’s Event Logging Policy, and includes the aggregation of the following logs into Microsoft Log Analytics:

Event (Entra ID)Forwarded to Log Analytics
Privileged access:<YES>
Privileged account management:<YES>
Privileged group management:<YES>
System / ServiceEventForwarded to Log Analytics
Microsoft 365 services:Privileged access event<YES>
Workstations:Privileged access event<YES>
<Internet-facing servers>:Privileged access event<YES>
<Non-Internet-facing servers>:Privileged access event<YES>
<OTHER-SERVICE-1>:Privileged access event<YES>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Monitoring and response

<SYSTEM-NAME> utilises the Microsoft 365 Defender portal and <SIEM-PRODUCT> to assist in the identification of cyber security incidents.

This includes the processing, analysis, and response to the following event logs in a timely manner:

EventWorkstations<Hybrid servers>
Privileged access:Yes<Detail implementation>
Privileged account:Yes<Detail implementation>
Group management:Yes<Detail implementation>

<ORGANISATION-NAME> has established a Security Operations Centre (SOC) to analyse cyber security events in a timely manner, and a Cyber Security Incident Register, and Incident Response Plan to facilitate the response to detected cyber security events in a timely and appropriate manner. This plan includes reporting all incidents to the <ORGANISATION-NAME> CISO and to ASD in a timely manner.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra