Protecting PCI Data from Domain Admins

One of the realities of Windows domain administration is that virtually every organization of any size can run afoul of the principle of separation of duties (also called segregation of duties).  This principle manifests in multiple ways; for example, an employee who can create an invoice in a billing system should never also have the ability to audit the creation of that invoice.  Or, in what is probably the single most common violation of this principle in Windows domain administration today, a very high percentage of your domain admins who have zero business justification for access to sensitive and regulated data do, in fact, have access to that data.

This is a near-perfect example of why the “least access” (least privilege) model is required by the regulatory compliance regimes designed to protect consumers and businesses from exposure of sensitive data, e.g. credit card (PCI), health care (HIPAA) or financial (MAS) data.

Let’s look at a simple use case for a financial organization.

The organization has, for simplicity’s sake, two types of Windows Servers: Domain Controllers and member servers that hold PCI-regulated data.

Members of the Windows Domain Admins group have full ownership over every machine in the domain, including those servers that hold PCI-regulated data.  This is not what the organization wants.  It wants the DBAs and the owners of the PCI data to own those machines.  There is nothing on them that requires domain admins to administer.

But in a native Windows environment, everyone in that Domain Admins group has full ownership of those PCI servers.  (And whenever they log into those servers, they run the risk of leaving their credential hash in memory, a potential vector for an APT.)

Unless you deploy Centrify Server Suite.

Server Suite enables you to restrict your domain administrators from having access to your PCI servers, while giving them full privileges on your Domain Controllers.  This protects your PCI data from internal employees who have no business justification for access to the PCI servers, while enabling your domain administration team to manage your Active Directory deployment using their standard AD tools, such as ADUC, the DNS management console, and so on.

In the scenario illustrated below, Centrify helped a major financial organization separate domain administration from access to regulated PCI/SOX data on domain member servers.  In Figure 1, we see the way it used to be – the way that it failed regulatory audit.  All domain admins have access to the servers holding regulated data.


[Image: Protect Regulated Servers before.png]

Figure 1 – All domain admins have complete access to regulated servers

In Figure 2, the problem was solved by using the Centrify Server Suite agent to enable Matt to be a domain administrator when he logs into a domain controller, but a domain user everywhere else.  This denies Matt any access to the regulated data on the PCI/SOX servers, since he has no administrative privileges on those servers.


[Image: Protect Regulated Servers after.png]

Figure 2 – Regulated data is protected from domain admins


Another approach supported by Centrify Server Suite is to restrict login privileges – local and/or remote – to a subset of the administrator population.  The Centrify Agent can deny login privileges to anyone you specify, even if that user is a domain administrator.

In effect, you can implement either a whitelist or a blacklist approach to this type of problem using Centrify Server Suite: the former denies access everywhere except where you explicitly allow it, and the latter allows access everywhere except where you explicitly deny it.

The whitelist approach, of course, has the added benefit of keeping domain administrator credentials out of memory on the various Windows servers in the first place, which also eliminates the attack vector that an APT might otherwise use to gain control over the network and its resources.  Fertile ground for another post, I think.
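Whichever product enforces the policy, an auditor will want evidence of the state described above on each regulated server.  The script below is an added example written for this post; it is not part of the original post and is not Centrify Server Suite code.  It uses only built-in Windows tooling (secedit and the LocalAccounts module) to check one member server for the gap the post describes: is Domain Admins an administrator on this box, and do the local logon rights blacklist it (explicit deny rights) or whitelist only the intended accounts?  It assumes an elevated PowerShell session on the server being audited and Windows Server 2016 or later for Get-LocalGroupMember; the well-known RID 512 for Domain Admins is a fact of Active Directory, everything else is read from the live policy.

```powershell
# Added audit example (not from the original post, not Centrify code).
# Checks one domain-joined server for the separation-of-duties gap the post
# describes. Run in an elevated PowerShell session on the server itself.

# Well-known RID 512 identifies the "Domain Admins" group in any domain.
$DomainAdminsSidPattern = 'S-1-5-21-*-512'

function Get-LogonRightAssignments {
    # Export the User Rights Assignment section of the local security policy
    # and return a hashtable: privilege name -> array of SIDs / account names.
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        # Lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...-512,*S-1-5-32-546
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-RightIncludesDomainAdmins {
    param([hashtable]$Rights, [string]$Privilege)
    # True if the named privilege is assigned directly to Domain Admins (by SID).
    return [bool]($Rights[$Privilege] | Where-Object { $_ -like $DomainAdminsSidPattern })
}

function Test-DomainAdminsIsLocalAdmin {
    # True if Domain Admins is a direct member of the local Administrators group,
    # which is the default state of every domain-joined server.
    $members = Get-LocalGroupMember -Group 'Administrators'
    return [bool]($members | Where-Object { $_.SID.Value -like $DomainAdminsSidPattern })
}

function Get-SeparationOfDutiesReport {
    $rights = Get-LogonRightAssignments
    $report = [ordered]@{
        Server                   = $env:COMPUTERNAME
        DomainAdminsIsLocalAdmin = Test-DomainAdminsIsLocalAdmin
        # Blacklist: explicit deny rights that block Domain Admins from logging on.
        DeniedInteractiveLogon   = Test-RightIncludesDomainAdmins $rights 'SeDenyInteractiveLogonRight'
        DeniedRemoteDesktopLogon = Test-RightIncludesDomainAdmins $rights 'SeDenyRemoteInteractiveLogonRight'
        DeniedNetworkLogon       = Test-RightIncludesDomainAdmins $rights 'SeDenyNetworkLogonRight'
        # Whitelist: who is actually allowed interactive logon, for manual review
        # once the default (Administrators, Users, Backup Operators) has been narrowed.
        AllowedInteractiveLogon  = ($rights['SeInteractiveLogonRight'] -join ', ')
    }
    # Domain Admins can still log on if it is a local admin and either the
    # console or the RDP path is not explicitly denied.
    $report.Verdict = if ($report.DomainAdminsIsLocalAdmin -and
                          -not ($report.DeniedInteractiveLogon -and $report.DeniedRemoteDesktopLogon)) {
        'FAIL: domain admins can log on to this regulated server'
    } else {
        'OK: domain admin logon is restricted on this server'
    }
    return [pscustomobject]$report
}

Get-SeparationOfDutiesReport | Format-List
```

The report separates the two approaches the post contrasts: the Denied* fields show a blacklist (deny rights applied to Domain Admins), while AllowedInteractiveLogon shows what a whitelist has left in the allow list.  The network-logon deny is reported as well because denying console and RDP logon alone leaves a member of the local Administrators group with administrative access over remote management channels; a verdict of OK on the logon rights is therefore strongest when DomainAdminsIsLocalAdmin is also False, which is the end state Figure 2 describes.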

In summary, there are multiple ways that Centrify Server Suite can help protect regulated data from domain administrators and enforce the separation of duties required by regulations and auditors.

You can learn more about Centrify Server Suite here.

(This post is dedicated to my friend and colleague Ben Rice, who wants more solution-oriented content in these posts.  Ben, I hope this meets with your approval!)