17 January 2015

If you work in the IT group of a (large) enterprise you have certainly heard statements like

• It’s often cheaper to give a user admin rights to install something versus assigning a technician to do installation work.
• I need admin rights for 24h because the installation of this software suite takes a whole working day. I can’t get my job done because the technician blocks my computer all day.

Generally IT groups quickly come forward with some tools because they don’t want to slow-down business and, very often before business puts too much pressure on them.

A very easy solution it to grant the user admin privileges for 12 or 24 hours. Procedures like the following are very popular:

• Tell the user the password of the local administrator account on the user’s computer. Reset the password after 24 hours.
• Add the users account for 24 hours to the local administrators group.
• Create a new local account with admin privileges on the user’s computer and make the login data available to the user. Remove the local account after 24 hours.

This sounds pretty secure, doesn’t it? Unfortunately all this is just window-dressing. We create potential security holes of barn door size which could be used by a malicious insider to attack the entire network.

Just some comments on the apparently secure procedures above. A user with administrative privileges

1. Could create an additional administrator account for later use. This is easy to detect and to fix.
2. Could grant local user rights like ‘Act as part of the operating system’ or ‘Logon as a service’ to his standard domain account. The effort to detect changes of this sort is considerably higher.
3. Could change network protocol signing and encryption options. This will allow a malicious insider to hack passwords …

To be honest, there is no secure way to remove local admin privileges from a user except by reinstallation of his computer, but …

This 24h admin rights discussion is in my opinion a matter of leadership. The response of the IT leaders and the business leaders to such requests should be a crystal clear No, because we put business on risk. And the IT groups have to find ways to support the users in a timely manner.

By the way, from an economical point of view it does not make sense if highly paid experts install software on their computers. That’s just waste of creativity. Maybe this is a good argument for business leaders to refuse the next request for 24 hours admin rights.

Have a good weekend.