16 January 2015
I had some discussions in the past weeks about technical accounts in the administrators group. To be honest, I am a strong supporter of the ZERO administrators doctrine: under normal conditions the administrators group of a computer has no members. If required, an account is added to the group and removed directly after the job is done. A strict ZERO admin doctrine requires a smart PAM (privileged access management) solution to avoid undue delays in case of trouble.
What really worries me is that technical accounts are always seen as privileged accounts, and that they are very often assigned to the administrators group for convenience, even though a system login is not required.
For example, a technical account for querying a database needs no system privileges at all. Even a login to the application or database server is very often not required. In the best case the technical account only needs the privilege to open a database connection and to access a well-known set of database objects. Granting any system privileges to such accounts, or assigning them to the administrators group, only enlarges the attack surface of the system.
As always, the Principle of Least Privilege shows the direction: grant privileges only if required, carefully evaluate whether membership in the administrators group is necessary, and treat membership in the administrators group as an exception. To keep the attack surface small it’s wise to check the administrative groups regularly for unnecessary technical accounts.
Have a good weekend.
17 January 2015
If you work in the IT group of a (large) enterprise you have certainly heard statements like
- It’s often cheaper to give a user admin rights to install something versus assigning a technician to do installation work.
- I need admin rights for 24h because the installation of this software suite takes a whole working day. I can’t get my job done because the technician blocks my computer all day.
Generally, IT groups quickly come forward with some tools because they don’t want to slow down business, and very often before business puts too much pressure on them.
A very easy solution is to grant the user admin privileges for 12 or 24 hours. Procedures like the following are very popular:
- Tell the user the password of the local administrator account on the user’s computer. Reset the password after 24 hours.
- Add the user’s account for 24 hours to the local administrators group.
- Create a new local account with admin privileges on the user’s computer and make the login data available to the user. Remove the local account after 24 hours.
This sounds pretty secure, doesn’t it? Unfortunately all this is just window-dressing. We create potential security holes of barn-door size which could be used by a malicious insider to attack the entire network.
Just some comments on the apparently secure procedures above. A user with administrative privileges
- Could create an additional administrator account for later use. This is easy to detect and to fix.
- Could grant local user rights like ‘Act as part of the operating system’ or ‘Logon as a service’ to his standard domain account. The effort to detect changes of this sort is considerably higher.
- Could change network protocol signing and encryption options. This will allow a malicious insider to hack passwords …
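As an added example (not code from the original post), a PowerShell audit that covers both points: the regular check of the local Administrators group for technical accounts recommended in the 16 January post, and the harder-to-spot user-rights changes listed above. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember) and secedit.exe, an elevated session, and a hypothetical `svc_` naming convention for technical accounts.

```powershell
# Added example, not code from the original post. Audits the local Administrators
# group for technical accounts and lists who holds two sensitive user rights.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember) and secedit.exe,
# run from an elevated session. The svc_ naming convention is hypothetical.

$TechnicalAccountPattern = '^[^\\]+\\svc_'   # hypothetical: DOMAIN\svc_* or HOST\svc_*
$ExpectedAdminRids       = @('500', '512')    # built-in Administrator, Domain Admins

function Get-UnexpectedLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $rid = ($_.SID.Value -split '-')[-1]
        $reason = if ($_.Name -match $TechnicalAccountPattern) { 'technical account' }
                  elseif ($rid -notin $ExpectedAdminRids)     { 'not on allowlist' }
        if ($reason) {
            [pscustomobject]@{ Member = $_.Name; Source = $_.PrincipalSource; Reason = $reason }
        }
    }
}

# The rights the post singles out; secedit names on the left, GUI names on the right.
$WatchedRights = @{
    SeTcbPrivilege      = 'Act as part of the operating system'
    SeServiceLogonRight = 'Log on as a service'
}

function Get-WatchedUserRights {
    $inf = Join-Path $env:TEMP 'rights-audit.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in Get-Content $inf) {
            if ($line -notmatch '^(?<right>Se\w+)\s*=\s*(?<sids>.*)$') { continue }
            $right = $Matches.right
            if (-not $WatchedRights.ContainsKey($right)) { continue }
            # Holders are exported as *SID entries separated by commas
            foreach ($sid in ($Matches.sids -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })) {
                if (-not $sid) { continue }
                $name = try {
                    ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $sid }   # unresolvable SID (e.g. deleted account): report it raw
                [pscustomobject]@{ Right = $WatchedRights[$right]; Holder = $name; SID = $sid }
            }
        }
    } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

Get-UnexpectedLocalAdmins | Format-Table -AutoSize
Get-WatchedUserRights     | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new holder of either right, or a new member in the Administrators group, is what the 24-hour procedures above leave behind.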
To be honest, there is no secure way to remove local admin privileges from a user except by reinstallation of his computer, but …
This 24h admin rights discussion is in my opinion a matter of leadership. The response of the IT leaders and the business leaders to such requests should be a crystal-clear No, because we put the business at risk. And the IT groups have to find ways to support the users in a timely manner.
By the way, from an economic point of view it does not make sense if highly paid experts install software on their computers. That’s just a waste of creativity. Maybe this is a good argument for business leaders to refuse the next request for 24 hours of admin rights.
Have a good weekend.