Implementing the "Just-enough Privilege" Security Model

by Tom Martzahn
Sept. 1, 2017 0 comments SANS Institute system administration

This paper discusses some of the challenges associated with migrating a large, widely distributed Windows NT environment with widespread administrative access for the application and server support personnel to a native Windows 2000 environment which embraces the philosophy of the “Just-enough privilege” (JeP) security model to complete assigned job responsibilities. I’ll define the concept of Just-enough Privilege within the scope of this migration, briefly describe the old environment, outline some perceived benefits of moving to this security model, discuss the challenges and roadblocks of implementing the JeP Security model, and provide some real-life examples of how to limit widespread administrative authority on Windows 2000 servers for tasks that are commonly perceived to require administrative privileges to complete. This paper depicts experiences with migrating from a Windows NT environment, but the strategies discussed to implement JeP can be applied to an existing...