Set Up an Administrator Clean Room. It Air Gaps Your Devices and Your Staff.
Ransomware needs no introduction. It’s become the worst nightmare for System Admins and CEOs in companies worldwide.
This series of three posts offers tips and techniques to protect your organization from Ransomware and other hacking attempts. Let’s start with the most ambitious one: the Administrator Clean Room.
What is an Administrator Clean Room and Why Should Your Company Have One?
The Clean Room is a single-purpose room. It’s set up for System Administrators to do just one thing: manage production systems securely.
All other tasks performed by Sys Admins – routine ones like non-urgent research, daily communications by phone and email with bosses and clients – are all performed in a separate office. Never in the Clean Room!
This separation takes air gapping to the next level. Air gapping as widely seen today is intended to isolate all devices securing a company’s IT system from all other devices connected to its imperfectly secured local area network. It separates devices. But with the Administrator Clean Room, you create a next-level air gap isolating your company’s security-purposed devices and Sys Admins from any and all other company individuals or devices that might be vulnerable to external attacks such as ransomware, spear phishing and browser hacks.
Without an Administrator Clean Room your company is vulnerable to these outside attacks.
How the Clean Room works
All regular Sys Admin tasks are performed inside the Clean Room. These include patches, software installation and production configuration changes and resolving outages.
Only security-purposed hardware and software are allowed in the Clean Room. Just what’s needed to connect to the production servers on the critical networks that connect all production servers.
With one exception addressed below, the Clean Room has no Internet access. No browsers or email clients, USB Keys, phones or other rubbish software are allowed inside.
No PC’s are allowed inside either, only thin clients that have Terminal Services or SSH clients. You login, you administer, you log out and you exit the room.
Once outside the ACR, you have no access to the production network or System inside. Your Administrative or root passwords won’t work outside the room either.
But what about browsers needed for research purposes?
Here’s the exception. Browsers are often needed inside a Clean Room, as when a serious production problem requires on-the-spot research. The solution? Admit separate thin clients to the Clean Room with browsers set up for use only in the ACR, and using a separate network and having their own non-root passwords.
That’s it for Part I. Part II will discuss securing Windows servers. Part III will discuss Separated Networks and Separated Active Directories.