Managing admin rights for support staff has always been a challenge but the goal remains unchanged:
“Give staff enough access to get their job done and operate effectively without increasing unwanted risk or complexity.”
The Differences Between On-Premise and Remote Admin Rights
Supporting a remote workforce does require different best practices than an on-premise workforce. But, if an organization has the correct level of connectivity to their end users, analysts can generally support these users without the need for any changes to the security required. There are some scenarios where adjustments and new technology may be needed.
Most organizations fall into one of two categories:
VPN Connected Machines
If your organization manages machines and end users via VPN then there should be no change to how your support team operates. The workstations are essentially on the corporate network, just as they would be in the office. Remote desktop or remote control tools will operate as they would normally.
Non-Corporate Network and BYOD Devices
If your organization has a BYOD policy or uses Microsoft 365 to stay connected, then things can get a little more complicated. However, with the use of System Center Configuration Manager (SCCM) or Microsoft Intune it is possible to maintain security and provide functional support to end users without compromising security. It may take additional time to configure and setup from your organization’s current environment, but it will be considerably faster and less expensive than trying to undo damage done via a security breach or targeted attack.
Fortify Admin Rights in a Newly Remote World
It may seem like there are minimal differences between the effect of admin rights from a standard on-premise scenario to a remote scenario, but there are common pitfalls to avoid.
Here are some smart ways to ensure business continuity and manage the risk associated with remote admin rights.
1. Avoid Relaxing Policies Just to “Make It Through”
With Covid-19, most businesses had only a few weeks to address significant changes to their operations, specifically shifting to a remote workforce and everything that comes with it. The new normal of employees adjusting to remote work and requiring support for technology at home is further complicated by the fact that the service desk analysts themselves are making similar life adjustments.
To “make it through” while ensuring business continuity, sometimes the first reaction may be to relax policies and procedures put in place for the security and general benefit of the business. This is both unnecessary and very dangerous. For example, end users should not be granted special exemption for relaxing of password policies or, the worst, be given local admin access to their computers. It is tempting to provide too much flexibility during a difficult time, but one could argue that this is exactly the time to tighten up policies.
2. Have a Backup Plan for Worst Case Scenarios
IT teams are no strangers to the flexibility and advantages that remote technology provides. They are also no strangers to the complexity that it can add. But when we move to a mostly or even completely remote service desk, we must re-evaluate processes and challenge assumptions.
Your team must consider worst case support scenarios and have a backup plan if those scenarios become reality. For example, if the VPN network fails, or is not functioning, a support analyst is unable to visit the machine or user in person like they would in an office setting. In this case, having a pre-approved 3rd party remote access solution as a backup to your standard network tools may be needed to support your remote workers without delays or security concerns.
3. Capture Audit Trails and Limit Admin Access
The Service Desk utilizes many tools to diagnose and troubleshoot issues, some of which require admin rights. During normal on-premise operations it is important to audit certain activities and limit access to only the IT roles that need these tools. These considerations become vital when the service desk is diagnosing and troubleshooting from remote locations.
Your team should be setting up the proper configurations to track all actions taken by an analyst within these tools. Logging all activity using these types of tools is crucial for auditing purposes. This not only protects your team but also allows you to quickly remediate issues caused by system changes.
Limiting access to certain admin tools is also important. PowerShell, just to name an example, is a powerful tool in the hands of the appropriate resource. It is also extremely dangerous if left unchecked in the hands of an inexperienced analyst. With the example of PowerShell again, consider giving “canned” scripts to inexperienced resources. Limit them to only the harmless but useful scripts to make them a more effective resource while avoiding risk.
4. Integrate Admin Tools When Possible
Most troubleshooting tools and diagnostic methods are the same or similar across all organizations. They are usually used in disparate interfaces and don’t always communicate seamlessly with other operational systems. Analysts tend to work in these individual tools, sometimes copying and pasting information from one to another. This opens them up to mistakes, inefficiency, and vulnerability.
There are solutions like Cireson’s Remote Support product that can not only consolidate some of the most used troubleshooting tools in a single web interface but can also integrate them within your ITSM solution. In addition, actions taken can be automatically written back to the ITSM support case, removing the need for analysts to enter data manually and increasing the accuracy of the data collected for reporting and data mining at a later date. This makes these tools easier to access and more secure to use across the Service Desk.
Finding ways to ensure that admin rights are tightened instead of being relaxed is a big challenge in a post-Covid world. Tools like SCCM, PowerShell and Active Directory add tremendous value to the Service Desk, but they become even more powerful when you can audit their use and easily manage access. Follow the steps above to make sure you are protecting your organization while also empowering your Service Desk analysts. For more information on Cireson’s Remote Support solution, please reach out to our team!