Subscriber Discussion

Meeting With IT To Discuss Admin Rights On Our Machines

Tony Darland
Nov 15, 2017
IPVMU Certified

Not sure how to ask this question due to not being an IT guy, but here goes.

A few months ago our IT department limited the amount of machines corporate wide that had admin rights on them. We secured an exemption on the basis that as Corporate Security we have apps, gear, servers, machines, etc all over the place that would be affected without admin rights. Now they want to discuss the issue again.

So, without having intimate knowledge of our department, and network, can you IT guys out there help me with a few basic questions to ask them as to how having admin rights on our machines could affect us? Or, maybe put a different way, what justifications do I cite as reasons why we need admin rights on our machines and servers?

Thanks for any advice.  

Undisclosed Manufacturer #1
Nov 15, 2017

Some software requires admin permissions to run.

There are often frequent updates to VMS and other software/tools, which require admin permission to install.

Tech support will need admin permission to troubleshoot, etc. in case you need to call in.

Josh Hendricks
Nov 15, 2017
Milestone Systems

Best practice is to follow the principle of least privilege, which boils down to giving only as much permission as is required for an application or user to perform their job.

Probably in part due to the migration from CCTV to a more IT-centric approach to managing video surveillance, most of the time people are just installing everything with full admin rights.

The risk is that if the application itself is compromised by a vulnerability, an attacker may be able to execute code with the same level of permission as the application. I have seen many people run the software under a domain admin account. This is pretty much the worst-possible choice as the attacker effectively gets free rein over the entire network/domain at that point. They can jump to any server or workstation they want, they can cryptolock your files, whatever they feel like.

Ideally you should only elevate permissions when required (during installation, upgrade, or maintenance), and honestly even then it's okay to question why elevation is necessary.

With Milestone software for example, you don't need to run the software under a local administrator account. By default it runs under Network Service which is not a member of the local administrator group by default. But you need to be a local administrator to perform the installation, and currently you need sysadmin rights on the SQL Server during installation as we need to install some custom error codes into the master table. After that, you can be dbo just for the Surveillance and SurveillanceLogServer databases for example.

Every software is different though and you need to contact your vendor(s) and request their hardening guide and/or their recommendations.

Dwayne Cooney
Nov 15, 2017

Tony,

Our team manages a very large collection of enterprise servers and hundreds of client machines for access control, video security and other systems. We work through these types of access issues almost on a daily basis.

Several years ago, we approached the IT group and requested two local machine administrative groups. These are not my actual groups but as an example:

Your_Domain/Access Control Admins
Your_Domain/Video Management Admins
Your_Domain/Central Station Admins

Those groups could include any direct employees and contracted integrator technicians that service your systems that have network credentials.

Of course the business justification is to allow administrators and technicians to install, service, maintain and upgrade security related applications and select hardware. In addition, explain that it also allows you to service your internal customers (security officers, security managers, etc).

Also, let them know that you may need service accounts and application accounts in some cases.

I would also emphasize that your group is only responsible for your security applications and that you acknowledge that they are in full control of their servers, network permissions, patching, etc. (at least that's how we are set up).

In every project involving servers & client machines OR whenever server and client workstations are replaced, we request that these groups be added to each server or workstation. With this practice, we can continue to take care of our applications and hardware without delay.

We always have spare client workstations ready to go and it works very well for us. For example, we might have an officer who monitors video and access control at their post. If their workstation fails it may get repaired or replaced. I can set up a spare within the hour to get them back up and running. In the meantime, the original workstation is repaired or re-cored and it comes back to me with my local admin groups on it. Someone from our team will install Lenel, Milestone, etc. and put it back in reserve as a spare. This would not work without the local admin groups and the partnership with our IT department.

Joshua is right, the best practice is to follow the "principle of least privilege". Make sure they know you understand this.

If you can go to IT and "talk the talk" using the advice in this thread you will get what you need!

Contact me if you would like to compare notes.
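
An added example, not part of any post in this thread: a PowerShell audit that lists who is in the local Administrators group (the dedicated-groups approach Dwayne describes) and which account each service logs on as (the Network Service versus admin-account point Josh raises). The allowlist entries, the `YOUR_DOMAIN` names and the service-name filter are placeholders to replace with your own values.

```powershell
# Added example, not from the thread. Placeholder values are marked below.
# Run in Windows PowerShell 5.1 or later on the machine being reviewed.

# Placeholder allowlist: accounts/groups IT has agreed may be local admins.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator"
    'YOUR_DOMAIN\Domain Admins'               # assumption: domain-joined default
    'YOUR_DOMAIN\Video Management Admins'     # example group name from the thread
)
# Placeholder: wildcard matching your security application's service names.
$ServiceNameFilter = '*'

# Built-in service identities that are not members of local Administrators.
$LowPrivBuiltins = @(
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE'
)

# 1. Local Administrators membership, looked up by well-known SID so it
#    works regardless of the OS display language.
$admins     = Get-LocalGroupMember -SID 'S-1-5-32-544'
$unexpected = $admins | Where-Object { $_.Name -notin $ExpectedAdmins }

# 2. Logon account of each matching service, with a coarse finding.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServiceNameFilter -and $_.StartName } |
    ForEach-Object {
        # Normalize ".\user" to "COMPUTER\user" so it compares with group members.
        $acct = $_.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
        $finding = if ($acct -eq 'LocalSystem') {
            'Full local privilege'
        } elseif ($acct -in $LowPrivBuiltins) {
            'Low-privilege built-in'
        } elseif ($acct -in $admins.Name) {
            'Direct member of local Administrators'
        } else {
            # Nested (domain group) membership cannot be resolved locally.
            'Check group membership with IT'
        }
        [pscustomobject]@{ Service = $_.Name; Account = $acct; Finding = $finding }
    }

'--- Local Administrators members not on the allowlist ---'
$unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
'--- Services not running as a low-privilege built-in account ---'
$services | Where-Object Finding -ne 'Low-privilege built-in' |
    Sort-Object Finding, Service | Format-Table -AutoSize
```

Services reported as "Check group membership with IT" run under a named account whose domain group memberships this script cannot see; those are the ones to confirm are not domain admin accounts.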

Tony Darland
Nov 16, 2017
IPVMU Certified

Great information from all of you. Thank you very much.

Undisclosed Integrator #2
Nov 16, 2017

Hey Tony. Does your IT Department have security segmented into its own portion of the VLAN?

Dennis Ruban
Nov 27, 2017

We have our own physically separated network for security devices and computers, own VPNs to the branches, etc. So, no problem with IT :)
