IT Security Matters

Klaus Jochem

Skip to content
  • Home
  • About me
    • About me
    • Copyright and Disclaimer

How to create security holes? 24h Admin Rights for Users

17 January 2015

If you work in the IT group of a (large) enterprise you have certainly heard statements like

  • It’s often cheaper to give a user admin rights to install something versus assigning a technician to do installation work.
  • I need admin rights for 24h because the installation of this software suite takes a whole working day. I can’t get my job done because the technician blocks my computer all day.

Generally IT groups quickly come forward with some tools because they don’t want to slow-down business and, very often before business puts too much pressure on them.

A very easy solution it to grant the user admin privileges for 12 or 24 hours. Procedures like the following are very popular:

  • Tell the user the password of the local administrator account on the user’s computer. Reset the password after 24 hours.
  • Add the users account for 24 hours to the local administrators group.
  • Create a new local account with admin privileges on the user’s computer and make the login data available to the user. Remove the local account after 24 hours.

This sounds pretty secure, doesn’t it? Unfortunately all this is just window-dressing. We create potential security holes of barn door size which could be used by a malicious insider to attack the entire network.

Just some comments on the apparently secure procedures above. A user with administrative privileges

  1. Could create an additional administrator account for later use. This is easy to detect and to fix.
  2. Could grant local user rights like ‘Act as part of the operating system’ or ‘Logon as a service’ to his standard domain account. The effort to detect changes of this sort is considerably higher.
  3. Could change network protocol signing and encryption options. This will allow a malicious insider to hack passwords …

To be honest, there is no secure way to remove local admin privileges from a user except by reinstallation of his computer, but …

Wrong Way!

Wrong Way!

This 24h admin rights discussion is in my opinion a matter of leadership. The response of the IT leaders and the business leaders to such requests should be a crystal clear No, because we put business on risk. And the IT groups have to find ways to support the users in a timely manner.

By the way, from an economical point of view it does not make sense if highly paid experts install software on their computers. That’s just waste of creativity. Maybe this is a good argument for business leaders to refuse the next request for 24 hours admin rights.

Have a good weekend.

Share this:

  • Email
  • Print
  • LinkedIn

Related

This entry was posted in Opinion, Survival tips and tagged 24h Admin Privileges, admin privileges, admin rights, administrative privileges, administrator account, maliciuos insider on January 18, 2015 by Klaus Jochem.

Post navigation

← Reducing the Effectiveness of Pass-the-Hash – A NSA/CSS Report Fun with 24h Admin Rights →

Technology and more

  • 4 Elementary IT Security Design Principles

Endnotes

  • SRM Blog Information Security Breach Reports
  • [1] Frequently Asked Questions on eBay Password Change
  • [2] Ponemon Institute, Cost of Cyber Crime Study: United States 2013
  • [3] Hashed Passwords – Crack The Cred
  • [4] Important Information – Office Passwort Reset
  • [5] Reducing the Effectiveness of Pass-the-Hash

Tags

  • administrative privileges
  • anti-malware
  • AppGuard
  • Attack Surface
  • critical infrastructure
  • Cyber Attack
  • data breach
  • Endpoint Protection
  • Malware
  • Phishing
  • Principle of least privilege
  • Ransomware
  • Remote Code Execution Vulnerability
  • Separation of Duties
  • strong passwords
  • Two factor Authentication
  • UAC
  • Vulnerability
  • WannaCry
  • Zero day exploits

Archive

  • August 2020 (2)
  • June 2020 (4)
  • May 2020 (4)
  • April 2020 (1)
  • March 2020 (3)
  • January 2020 (1)
  • December 2019 (1)
  • November 2019 (1)
  • October 2019 (1)
  • September 2019 (2)
  • August 2019 (3)
  • July 2019 (2)
  • June 2019 (1)
  • May 2019 (2)
  • April 2019 (1)
  • March 2019 (3)
  • February 2019 (1)
  • January 2019 (2)
  • December 2018 (1)
  • November 2018 (2)
  • October 2018 (2)
  • September 2018 (1)
  • August 2018 (2)
  • July 2018 (1)
  • June 2018 (3)
  • May 2018 (2)
  • April 2018 (3)
  • March 2018 (3)
  • February 2018 (3)
  • January 2018 (3)
  • December 2017 (1)
  • November 2017 (3)
  • October 2017 (6)
  • September 2017 (1)
  • August 2017 (1)
  • July 2017 (5)
  • June 2017 (2)
  • May 2017 (5)
  • April 2017 (4)
  • March 2017 (3)
  • February 2017 (3)
  • January 2017 (2)
  • December 2016 (2)
  • November 2016 (5)
  • October 2016 (8)
  • September 2016 (4)
  • August 2016 (4)
  • July 2016 (6)
  • June 2016 (4)
  • May 2016 (4)
  • April 2016 (5)
  • March 2016 (6)
  • February 2016 (9)
  • January 2016 (7)
  • December 2015 (2)
  • November 2015 (6)
  • October 2015 (4)
  • September 2015 (4)
  • August 2015 (5)
  • July 2015 (6)
  • June 2015 (6)
  • May 2015 (9)
  • April 2015 (8)
  • March 2015 (8)
  • February 2015 (8)
  • January 2015 (10)
  • December 2014 (4)
  • November 2014 (9)
  • October 2014 (9)
  • September 2014 (9)
  • August 2014 (10)
  • July 2014 (10)
  • June 2014 (5)

Blogs I Follow

  • Jaya's Blog
  • Ponder Younder
  • TIME GENTS
  • Crowdbase Blog
  • It's More Than Tea

Subscribe

RSS Feed

Create a free website or blog at WordPress.com.
Jaya's Blog

Ponder Younder

Read, think more and Act on what you read

TIME GENTS

Australian Pub Project

Crowdbase Blog

A blog about knowledge sharing, collective intelligence and enterprise collaboration.

It's More Than Tea

jill's tea blog

Cancel
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy