Internal Admin Portals

Internal administration tools are often less hardened than public-facing portals, yet they give an attacker the most direct path to complete system takeover: whoever controls the admin portal controls every account and configuration behind it.

Your Strategy

Treat internal tools with at least the rigor applied to external ones. Enforce fine-grained role-based access control (RBAC) so that no administrator holds more rights than the specific task requires, and grant privileged roles only for the duration of that task. Restrict access to dedicated, managed privileged access workstations (PAWs).
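As an added example (not code from the AYSOLI checklist), the following Python models the strategy above for a small admin portal: deny-by-default RBAC with scoped roles, PIM-style just-in-time activation of the privileged role, and an access review that flags standing privileged access and stale assignments. Role names, permissions, principals, scopes and timestamps are constructed for illustration.

```python
"""Deny-by-default RBAC with just-in-time (PIM-style) activation of privileged
roles and an access-review report for an internal admin portal.

Added example, not code from the AYSOLI checklist. Role names, permissions,
principals, scopes and timestamps are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# A permission is a (resource, action) pair and is obtainable only through a role.
ROLES: dict[str, frozenset[tuple[str, str]]] = {
    "helpdesk":      frozenset({("user", "read"), ("user", "reset_password")}),
    "billing_admin": frozenset({("invoice", "read"), ("invoice", "write")}),
    # Can change who holds which role: the target of Account Manipulation (T1098).
    "iam_admin":     frozenset({("user", "read"), ("role_assignment", "write")}),
}
PRIVILEGED_ROLES = {"iam_admin"}
MAX_JIT_WINDOW = timedelta(hours=4)  # assumption: longest allowed privileged activation


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str                       # tenant or environment the role is valid in
    activated_at: datetime
    expires_at: Optional[datetime]   # None = standing assignment without expiry


def is_active(a: Assignment, now: datetime) -> bool:
    return a.activated_at <= now and (a.expires_at is None or now < a.expires_at)


def authorize(assignments: list[Assignment], principal: str, scope: str,
              resource: str, action: str, now: datetime) -> bool:
    """Deny by default: allow only if an active assignment of this principal in
    exactly this scope carries the requested (resource, action)."""
    for a in assignments:
        if a.principal != principal or a.scope != scope or not is_active(a, now):
            continue
        if (resource, action) in ROLES.get(a.role, frozenset()):
            return True
    return False


def activate_jit(principal: str, role: str, scope: str, now: datetime,
                 requested: timedelta) -> Assignment:
    """PIM-style activation: a role is granted only for a bounded window,
    however long the requester asks for."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    return Assignment(principal, role, scope, now, now + min(requested, MAX_JIT_WINDOW))


def access_review(assignments: list[Assignment], now: datetime) -> list[str]:
    """Findings for a periodic access review: unknown roles, standing privileged
    access that should be JIT, and expired assignments still on file."""
    findings = []
    for a in assignments:
        if a.role not in ROLES:
            findings.append(f"{a.principal}: unknown role {a.role!r} in {a.scope}")
        elif a.role in PRIVILEGED_ROLES and a.expires_at is None:
            findings.append(f"{a.principal}: standing privileged role {a.role!r} in {a.scope}; convert to JIT")
        elif a.expires_at is not None and a.expires_at <= now:
            findings.append(f"{a.principal}: expired assignment {a.role!r} in {a.scope} still on file")
    return findings


# Constructed sample state: one reference time and four assignments.
NOW = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
ASSIGNMENTS = [
    Assignment("alice", "helpdesk", "prod", NOW - timedelta(days=200), None),
    # bob asked for 8 hours of iam_admin one hour ago; the window is capped at 4 hours.
    activate_jit("bob", "iam_admin", "prod", NOW - timedelta(hours=1), timedelta(hours=8)),
    Assignment("carol", "iam_admin", "prod", NOW - timedelta(days=400), None),
    Assignment("dave", "billing_admin", "prod", NOW - timedelta(days=10), NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    print(authorize(ASSIGNMENTS, "alice", "prod", "user", "reset_password", NOW))     # True
    print(authorize(ASSIGNMENTS, "alice", "prod", "role_assignment", "write", NOW))   # False
    print(authorize(ASSIGNMENTS, "bob", "prod", "role_assignment", "write", NOW))     # True
    print(authorize(ASSIGNMENTS, "bob", "staging", "role_assignment", "write", NOW))  # False
    for line in access_review(ASSIGNMENTS, NOW):
        print(line)
```

Two design choices matter here: the scope check means an iam_admin activation for "prod" grants nothing in "staging", and the JIT cap means the portal never holds a privileged assignment longer than the configured window, so the access review only has to chase standing grants like carol's rather than every activation.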

Best Practices

  • Authentication: Enforce FIDO2 security keys for every administrative login, with no weaker fallback method for admin accounts.
  • Visibility: Forward every change to user permissions or system configuration to the SIEM, into a log store that the portal's own administrators cannot edit or purge.
  • Network: Admin portals must never be directly reachable from the internet; expose them only through ZTNA or a VPN.

STRIDE-LM Design Risks

Spoofing (S-01): Identity Spoofing
Attacker impersonates a legitimate user or partner.

Tampering (T-01): Data Tampering
Unauthorized modification of shared data or configurations.

Repudiation (R-ADM-01): Audit Log Erasure
Targeted deletion of the traces of administrative actions.

Information Disclosure (I-01): Sensitive Data Exposure
Unintentional disclosure of internal information to external parties.

Denial of Service (D-01): Resource Exhaustion
Overloading systems through massive request volumes or resource hogging.

Lateral Movement (L-01): Lateral Movement
Accessing further internal systems after an initial login.

Monitoring Gaps (M-ADM-01): Stealthy Persistence
Backdoors planted with admin privileges that go unnoticed.
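The Visibility practice above and the R-ADM-01, T-01 and M-ADM-01 risks all come down to the same detection work on the portal's audit trail. As an added example (not AYSOLI's code), the following Python runs SIEM-style rules over constructed admin-portal audit events: admin logins without FIDO2, access from outside the ZTNA/VPN ranges, grants of privileged roles (worst when self-granted), creation of long-lived API keys, and deletion of the audit log itself. The event schema, role names, network ranges and log lines are assumptions made for this example.

```python
"""SIEM-style detection rules over an internal admin portal's audit events.

Added example, not AYSOLI's code. The event schema, role names, network ranges
and log lines are constructed for illustration.
"""
import ipaddress
import json
from collections import defaultdict

PRIVILEGED_ROLES = {"iam_admin", "global_admin"}
STRONG_AUTH = {"fido2"}
# Assumption: admin traffic must arrive from the ZTNA/VPN concentrator ranges.
ALLOWED_SOURCES = [ipaddress.ip_network("10.42.0.0/16"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Constructed audit events (JSON lines) as the portal would forward them to the SIEM.
SAMPLE_EVENTS = """\
{"ts":"2024-05-06T08:58:10Z","actor":"alice","event":"admin_login","auth_method":"fido2","src_ip":"10.42.7.15"}
{"ts":"2024-05-06T09:01:42Z","actor":"bob","event":"admin_login","auth_method":"password","src_ip":"10.42.7.20"}
{"ts":"2024-05-06T09:03:05Z","actor":"alice","event":"role_grant","target":"carol","role":"helpdesk","src_ip":"10.42.7.15"}
{"ts":"2024-05-06T09:04:11Z","actor":"mallory","event":"admin_login","auth_method":"fido2","src_ip":"203.0.113.9"}
{"ts":"2024-05-06T09:04:30Z","actor":"mallory","event":"role_grant","target":"mallory","role":"global_admin","src_ip":"203.0.113.9"}
{"ts":"2024-05-06T09:05:02Z","actor":"mallory","event":"api_key_create","target":"svc-backup","src_ip":"203.0.113.9"}
{"ts":"2024-05-06T09:06:49Z","actor":"mallory","event":"audit_log_delete","from":"2024-05-06T09:00:00Z","src_ip":"203.0.113.9"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _alert(ev: dict, rule: str, severity: str, why: str) -> dict:
    return {"ts": ev["ts"], "actor": ev["actor"], "rule": rule,
            "severity": severity, "why": why}


def detect(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        src = ipaddress.ip_address(ev["src_ip"])
        # Network practice: every admin action must come through ZTNA/VPN.
        if not any(src in net for net in ALLOWED_SOURCES):
            alerts.append(_alert(ev, "access_outside_ztna", "high",
                                 f"source {src} is outside the ZTNA/VPN ranges"))
        kind = ev["event"]
        if kind == "admin_login" and ev.get("auth_method") not in STRONG_AUTH:
            # Authentication practice: FIDO2 only for administrative logins.
            alerts.append(_alert(ev, "weak_admin_auth", "medium",
                                 f"admin login used {ev.get('auth_method')!r} instead of FIDO2"))
        elif kind == "role_grant" and ev["role"] in PRIVILEGED_ROLES:
            # T-01 / T1098: a privileged role changed hands; self-grant is worst.
            self_grant = ev["target"] == ev["actor"]
            alerts.append(_alert(ev, "privileged_role_granted",
                                 "critical" if self_grant else "high",
                                 f"{ev['role']} granted to {ev['target']}"
                                 + (" by themselves" if self_grant else "")))
        elif kind == "api_key_create":
            # M-ADM-01: a long-lived credential that sidesteps FIDO2 at login.
            alerts.append(_alert(ev, "persistent_credential_created", "high",
                                 f"API key created for {ev['target']}"))
        elif kind in ("audit_log_delete", "audit_log_disable"):
            # R-ADM-01 / T1070: the trail itself is being removed.
            alerts.append(_alert(ev, "audit_log_tampering", "critical",
                                 f"{kind} from {ev.get('from', 'unknown')}"))
    return alerts


def by_actor(alerts: list[dict]) -> dict[str, set[str]]:
    """Which rules each actor tripped; a useful pivot for triage."""
    out: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        out[a["actor"]].add(a["rule"])
    return dict(out)


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']} {a['severity']:<8} {a['rule']:<30} {a['actor']}: {a['why']}")
```

The audit_log_tampering rule only helps if the delete event reaches a store the portal administrators cannot reach; if the SIEM feed can be purged from the same console, the deletion erases its own evidence. Note also that mallory's sequence (login from outside ZTNA, self-grant of global_admin, new API key, log purge) trips four different rules within three minutes, which is the kind of correlation worth alerting on as a single incident.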

MITRE ATT&CK® Techniques

Reconnaissance

T1592 Gather Victim Host Information
Collecting information about the hosts and software in the target infrastructure.
Mitigated by:
  • Data Anonymization (Differential Privacy) · Extended Protection · High · NIST: PR.PT-3
Initial Access

T1078 Valid Accounts
Using valid but stolen, leaked or over-privileged credentials to gain access.
Mitigated by:
  • Conditional Access Policies · Baseline Protection · Medium · CIS: 6.1; NIST: PR.AC-7; OWASP: API2
  • FIDO2 Enforcement · Baseline Protection · Medium · CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021
  • Privileged Identity Management (PIM) · Baseline Protection · Medium · CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021
  • Fine-Grained RBAC / ABAC · Baseline Protection · Medium · CIS: 6.2; OWASP: A01:2021
  • Regular Access Reviews · Baseline Protection · Low · CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021
  • Tiered Administration Model · Extended Protection · High · CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021
Persistence

T1098 Account Manipulation
Modifying the permissions or credentials of existing accounts, or adding new ones, to retain access.
Mitigated by:
  • Privileged Identity Management (PIM) · Baseline Protection · Medium · CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021
  • Regular Access Reviews · Baseline Protection · Low · CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021

Privilege Escalation

T1484 Domain Policy Modification
Modifying domain policies (e.g., Group Policy Objects) to escalate privileges or evade defenses.
Mitigated by:
  • Privileged Identity Management (PIM) · Baseline Protection · Medium · CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021
  • SIEM Integration · Extended Protection · High · CIS: 8.5; NIST: DE.AE-3, DE.CM-1; OWASP: A09:2021
  • Break-Glass Accounts · Baseline Protection · Low · CIS: 6.5; NIST: PR.IP-4

T1548 Abuse Elevation Control Mechanism
Bypassing elevation controls (e.g., UAC) to obtain higher privileges.
Mitigated by:
  • Privileged Identity Management (PIM) · Baseline Protection · Medium · CIS: 6.2; NIST: PR.AC-1; OWASP: A01:2021
  • Fine-Grained RBAC / ABAC · Baseline Protection · Medium · CIS: 6.2; OWASP: A01:2021
  • Tiered Administration Model · Extended Protection · High · CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021
Defense Evasion

T1070 Indicator Removal
Deliberate deletion of logs and other evidence to conceal an attack.
Mitigated by:
  • PowerShell Constrained Language Mode · Extended Protection · Medium · CIS: 2.1; NIST: PR.PT-1
Credential Access

T1539 Steal Web Session Cookie
Stealing an authenticated session cookie to reuse the session without logging in. FIDO2 protects the login itself, not a cookie taken afterwards; short session lifetimes and device-bound conditional access policies limit the replay window.
Mitigated by:
  • Conditional Access Policies · Baseline Protection · Medium · CIS: 6.1; NIST: PR.AC-7; OWASP: API2
  • FIDO2 Enforcement · Baseline Protection · Medium · CIS: 6.5; NIST: PR.AC-7; OWASP: A07:2021
  • Strict Transport Security (TLS 1.3) · Baseline Protection · Low · CIS: 6.3; OWASP: A02:2021

T1003 OS Credential Dumping
Extracting credentials (password hashes, tickets, cached secrets) from the operating system.
Mitigated by:
  • Privileged Access Workstation (PAW) · Extended Protection · High · CIS: 6.4; NIST: PR.AC-3
Discovery

T1087 Account Discovery
Enumerating internal accounts and group structures after initial access.
Mitigated by:
  • SIEM Integration · Extended Protection · High · CIS: 8.5; NIST: DE.AE-3, DE.CM-1; OWASP: A09:2021
  • Regular Access Reviews · Baseline Protection · Low · CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021
  • Tiered Administration Model · Extended Protection · High · CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021

T1580 Cloud Infrastructure Discovery
Enumerating infrastructure resources, including unmanaged (shadow IT) assets, after initial access.
Mitigated by:
  • Tiered Administration Model · Extended Protection · High · CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021
Lateral Movement

T1021 Remote Services
Using legitimate remote services (RDP, SSH, WinRM) to move laterally within the network.
Mitigated by:
  • Regular Access Reviews · Baseline Protection · Low · CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021
  • Tiered Administration Model · Extended Protection · High · CIS: 6.2; NIST: PR.AC-6; OWASP: A01:2021

Collection

T1213 Data from Information Repositories
Accessing data in knowledge bases such as SharePoint or Confluence.
Mitigated by:
  • Fine-Grained RBAC / ABAC · Baseline Protection · Medium · CIS: 6.2; OWASP: A01:2021

Internal Admin Portals | IT Security Checklist for SMEs · AYSOLI Security Hub