What’s your best strategy for safely giving non-technical teams access to server resources without compromising security?

[-]

Life-Fig-2290@reddit

Why do non-technical users need access to server resources outside of their basic daily functions? Least access is the answer. Build DL groups that grant granular access Build Global groups to group people together with common roles. Put the Global group in the appropriate DL groups.

Reply

[-]

jdptechnc@reddit

Please define "server resources"

Reply

[-]

GarageIntelligent@reddit

yall dont down vote questions like this?

Reply

[-]

DarthPneumono@reddit

Lot of people are very confidently answering a very vague question

Reply

[-]

woodsbw@reddit

This. That could mean anything from a file share to full admin access.

Reply

[-]

DiabolicalDong@reddit

Use a PAM solution to give restricted and strictly monitored access. These solutions come with the option to rotate credentials after access. Use that. You may look into Unified PAM solution to get endpoint privilege management facilities along with PAM. These go even further to restrict user privileges on endpoints and servers. You can grant access without admin rights using this method

Reply

[-]

One-Environment2197@reddit

PAM and JIT access. Have users go through a privileged access management tool that records their session and can do ephemeral access through an approval workflow.

Reply

[-]

Status-Theory9829@reddit

bonus if you can control the specific commands that execute during their sessions or provide runbooks so they don't ever even need to script

Reply

[-]

slowclicker@reddit

Group policy

Reply

[-]

stufforstuff@reddit

Simple - Don't. They are like any other user that "thinks" they need direct access to your companies most prized asset - AINT GONNA HAPPEN.

Reply

[-]

sudonem@reddit

Use RBAC in order to follow the principle of least privilege. No blanket accounts, no admin privileges. Permissions are denied by default, and users are granted access to exactly what they require to do their job and nothing else. Users and mangers need to actually request permissions and justify each. Yes it is time consuming and tedious. Yes the users will hate it. Do it anyway. It’s much harder to clamp down on those permissions over time than it is to open them up slowly on an as-needed basis.

Reply

[-]

Optimal_Law_4254@reddit

If you really use RBAC then users (including managers) can request changes to job functions (roles) rather than “full access to the widgets folder”. If someone is asking for permissions then they’re not in the right role or the role permissions need adjustment.

Reply

[-]

sudonem@reddit

Yes exactly. That’s what it should be. The challenge is always that setting it up means someone needs to actually take the time to make an analysis of exactly what those perms need to be and that’s often tedious so managers/supervisors usually just hand wave it because that’s easier. 😑

Reply

[-]

Optimal_Law_4254@reddit

Yup. When we redid our ad from scratch, I got buy in at the start but was quickly told that it would take too long. My arguments about the up front costs in time versus the costs to fix and audit access for individual permissions fell on deaf ears.

Reply

[-]

dghah@reddit

welcome to scientific/research computing and HPC where this need is a #1 requirement covering many millions of dollars in petascale storage systems, huge GPU servers and tens of thousands of CPU cores! I can't honestly answer your question in an enterprise context because in research these systems are "digital laboratories" and the end-users need to be able to somewhat control and manage their "laboratory" so this requires a different infosec and ops stance than something that IT can argue is a just a basic enterprise endpoint system with defined requirements. Basically it's a requirement that end-users have more access and more freedom than on standard servers. of the many methods here are some common ones I see all the time \- MFA on all the things (logins) and a lot of monitoring over service accounts and "end-user automation" \- Log shipping away from the systems the non-technical people are on \- Users with automation accounts are never allowed to login directly as the service user. They must login as "themselves" and then sudo to the automation service account so there is an audit trail \- Training, training, training and a solid Acceptable Use Policy. First time you violate policy you get an email warning; second time the warning is CCd to your manager. 3rd violation and you lose your system access and HR/mgmt is involved until you re-train and re-sign the AUP. \- VLAN isolation and firewalls that do https intercept and content screening \- Blocking internet software repos (CRAN, PyPI, etc.) and using jfrog or nexus style caching repos where security rules can be applied to open source packages. Github destinations allowed on a destination by destination basis. \- Very good backups and 100% end-to-end provisioning and config management. If a scientists wedges or breaks a system we don't repair their hack job, we simply wipe and redeploy. This is the "social contract" part between IT and the users -- in exchange for "more freedom" they understand that IT is not gonna move mountains to fix what they broke. When explained well this system works among all stakeholders \- Biggest commonality is next-gen EDR like Crowdstrike or whatever. For systems with a lot of non-technical users you need behavior based security software, not signature based malware/AV \- custom sudo rules or on the cloud (AWS) we write custom SSM Automation Docs if needed for users to invoke

Reply

[-]

pdp10@reddit

> - Blocking internet software repos (CRAN, PyPI, etc.) and using jfrog or nexus style caching repos where security rules can be applied to open source packages. Github destinations allowed on a destination by destination basis. This is the way. The rest of it, too, but I want to draw attention to this one for those who want or need Reproducible Builds.

Reply

[-]

iliekplastic@reddit

Segment, segment, segment, that's what it's all about.

Reply

[-]

ImCaffeinated_Chris@reddit

I would party with you. Good list!

Reply

[-]

serverhorror@reddit

Research (scientific research) in an Enterprise setting works nearly the same way. We compartmentalize by restricting access to the data sources in a, more or less, meaningful way. That allows them (a lot of) freedom for the compute and software resources, but no uncontrolled access to the data

Reply

[-]

macbig273@reddit

non-technical ? so nothing like ssh, or remote terminal I assume. Documentation or data ? maybe ?. FTP or online sharing thing.

Reply

[-]

Coffee_Ops@reddit

Make sure that RBAC groups come with deny permissions. You have local admin? Then you don't get log on a service, and you're in protected users. You have access to tier 1 resources? Then you're denied access on client workstations. If you don't make trade-offs like this, people will just use their highest privileged account at all times.

Reply

[-]

SinTheRellah@reddit

Don't give them local admin.

Reply

[-]

honnymmijammy-@reddit

But, he's my boss? And he do know how to send a mail

Reply

[-]

txaaron@reddit

He only knows if you provide the envelope and stamp. Email is witchery!

Reply

[-]

ek00992@reddit

A lot of great advice here. At the end of the day, you need to make your methodology fit their workflow just as much as anything else. If it’s a critical part of their workflow and you make it difficult/inconvenient, they’re going to seek insecure ways of making it feel more “efficient”. No compromises, but know your end user.

Reply

[-]

sashalav@reddit

The best option is just don't. That does not always fly, so the alternative is giving them non privileged accounts that have access to nothing but own home folder. In that case, make sure they do not use some kind of shared account, but own personal ones. Make sure passwords need to be renewed in 30 days for those accounts. Personal accountability and inconvenience will stop them from ever using them.

Reply

[-]

pdp10@reddit

> In that case, make sure they do not use some kind of shared account, but own personal ones. This is a compliance issue. The other party will likely push back and want to share accounts, but the key is to use this impedance mismatch as a entree into negotiations about what they *really* need. Since they can't have a generic account like they want, their next best option is to tell you what they really need -- like HVAC data and logs pushed to them -- and work together to make that happen.

Reply

[-]

pdp10@reddit

The Principle of Least Privilege applies everywhere. You do a discovery to find out what they say they need, and why they say they need it. You document what they say. Then you negotiate from that starting point. HVAC vendors make for a good example. Do they deserve to get data pushed to them from the systems so they can monitor, respond quickly for repairs, and do proactive maintenance? Absolutely they deserve data. Do they need "tunnel-in" remote access to get that information, or to make changes? Almost certainly not. Remote users shouldn't have any purpose to making remote changes to temperatures, and anything important requires them to come on site anyway. Or WiFi. In certain situations, maybe industrial, a team may want to run their own WiFi infrastructure separate from the existing enterprise system, for their convenience. Not only does this have infosec implications, but it also can easily affect other WiFi, even other 2.4GHz systems like Bluetooth, proprietary peripherals, and so forth. Any such system would probably quickly become "Shadow IT".

Reply

[-]

ZAFJB@reddit

What resources? Other than file access, and web access where appropriate, they get nothing.

Reply

[-]

iliekplastic@reddit

What do you mean by server resources? Like always you follow the least privilege principle, give them the minimum access they need after carefully assessing whether or not they actually need it.

Reply

[-]

Trbochckn@reddit

RBAC and JIT access

Reply

[-]

NETSPLlT@reddit

Give them the documented access they need, and no more. Ensure there is logging in place. If you don't have any sort of granular control, start there? They shouldn't just be a full admin and able to do everything.

Reply

[-]

desmond_koh@reddit

What does "server resources" mean? We have non-technical users who use our servers all the time. They access file shares, run web-based ERP, CRM and othe LoB apps, and run reports. Most of them don't know or think of it as "accessing server resources". They just think of it as doing their job. If you're asking how you can give an unqualified individual administrator access to server without compromising security, then the answer is you can't. Period.

Reply

[-]

my-beautiful-usernam@reddit

Principle of least privilege?

Reply

[-]

itmgr2024@reddit

Why would a non-technical person need access to a server? To do what?

Reply

[-]

HappyDadOfFourJesus@reddit

If you're talking about giving them console access, the short answer is that we don't. If they need to access a server, they submit a ticket, then we initiate a monitored remote session to the server and watch everything they do.

Reply

[-]

mdervin@reddit

frequent, well tested backups.

Reply

[-]

serverhorror@reddit

Don't. They rarely need "console access", have a system where they can access reports, or -- if they need a specific program -- set the shell to that program (or some form of VDI)

Reply

[-]

Friendly-Rooster-819@reddit

One strategy that’s worked for us is setting up a secure intermediary layer. Instead of giving direct access to the servers, we route requests through a secure interface that enforces strict policies and monitoring. This adds an extra layer of security without complicating access for non technical users. ActiveFence offers solutions that facilitate this kind of setup.

Reply

[-]

GloxxyDnB@reddit

Using a passwordless solution like Keeper Connection Manager with Keeper Password manager. We use it for all non technical and 3rd party connections to our servers and it even records their RDP sessions too.

Reply

[-]

Scrug@reddit

Your question is insanely vague. But I'll assume that you mean remoting in. At my org RDP access is highly restricted, you need a separate account for access. That account only has user level access to the servers that you need to use, and only through a jumphost. We use Beyond Trust to manage all of this. Also RDP traffic is blocked between all subnets except to/from the jumphost.

Reply

[-]

Anonymous1Ninja@reddit

You have them on boarded as consultants, then manage their access via ILTs and GPOs like you are supposed to.

Reply

[-]

d0nd@reddit

They have cert access but don't access prod no matter what. They get logs from prod though.

Reply

Reply to Post

43 Comments