Wednesday, August 8, 2012

Stop using Administrator Account!

One of the things that drives me crazy in the IT world is the sharing and use of the built-in administrator account. Home users make the same mistake on their own computers. System administrators, however, should know better.

Let's start with home users. A Windows 7 box from a major manufacturer will have you provide a user name at first startup. This user name becomes your de facto login, and the account is a member of the Administrators group, so it can do anything the built-in administrator can. By default, Windows 7 disables the built-in administrator user, since it generally isn't needed. This is a step in the right direction: an attacker now has to figure out your user name as well as your password. In the past, you could always type in the user name "administrator" and then try different passwords with it. Apple fans will gleefully point out that Macs have done this forever (Mac OS X uses the Unix "root" user rather than administrator, and it too is disabled by default).

This setup still has a major flaw. Almost everyone will still log in every day with the user name that has administrator rights. This means that if you get an infection, it runs with administrator rights, and it can do anything it wants. By default, Windows 7 will still prompt you (User Account Control, or UAC) to allow actions that affect core system files, like installing software or changing system settings. Unfortunately, this feature is commonly turned off as a nuisance. If you insist upon using your administrative login for day-to-day computing, you should at least leave UAC enabled. The preferable solution is to create another user with non-administrative rights and use it for everyday computing. From this user, any action that requires administrator rights will prompt for the user name and password of a user that does have administrator rights. Now infections will run with limited rights, if at all. Infections running under a limited user tend to be less damaging and much easier to remove.
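The home-user setup described above, as an added example that is not part of the original post: a PowerShell script for Windows 7 that creates a standard (non-administrator) account for everyday use, lists who is actually in the Administrators group, and checks the registry values that control whether UAC is on and whether administrators are being elevated silently. The account name, password and registry-value interpretation are the standard ones; the account name and password themselves are placeholders to change.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on Windows 7 / Server 2008 R2. The account name and password below are
# placeholders; choose your own.
$dailyUser = 'dailyuse'          # assumed name for the everyday, non-admin account
$password  = 'ChangeMe-Now-123'  # placeholder; pick a real password

# 1. Create a local account. "net user /add" puts it in the Users group only,
#    so it gets no administrative rights unless you add it to Administrators.
net user $dailyUser $password /add /fullname:"Daily use (standard user)"

# 2. Show who is in Administrators. The everyday account should NOT appear here;
#    the account you created at first startup will.
net localgroup Administrators

# 3. Confirm UAC is still enabled.
#    EnableLUA = 1 means UAC is on.
#    ConsentPromptBehaviorAdmin = 0 means administrators are elevated without
#    any prompt, which is what "turning UAC off as a nuisance" usually looks like.
#    2 = prompt for consent on the secure desktop, 5 = prompt for non-Windows
#    binaries (the Windows 7 default).
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled: everything you run has full administrator rights.'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is on, but admins are elevated silently; set ConsentPromptBehaviorAdmin to 2 or 5.'
} else {
    Write-Host "UAC is enabled (ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin))."
}

# 4. Show whether the current session holds a full administrator token.
#    S-1-16-12288 is the High integrity level; a standard user, or an admin
#    whose token UAC has filtered, runs at Medium (S-1-16-8192).
if (whoami /groups | Select-String 'S-1-16-12288') {
    Write-Host 'This session is elevated (full administrator token).'
} else {
    Write-Host 'This session is not elevated.'
}
```

After running this, log off and log on as the new account for daily work; when something needs administrator rights, UAC will ask for the credentials of the administrative account instead of silently granting them.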

In the IT world, it's very common to have the built-in administrator user enabled for use in administration. Often, this administrator password is even shared among several people. This is both insecure and unnecessary. I remember having several conversations with executive team members that insisted they should have the administrator password. These conversations would grow tense as the executive team member would instantly become defensive when I would tell them I wasn't giving them that password. In hindsight, it may have been easier if I didn't answer by just saying "no", which makes anyone immediately defensive! It was interesting to me to find that even a couple of the more tech-savvy executive members seemed to feel that not having the administrator password was an affront to their authority.

There are several things at play here. First, having the administrator user enabled is sometimes unavoidable. You may be forced to use software that is poorly written and requires the built-in administrator user specifically. Using such software should be avoided.

Secondly, if multiple users share the same login, be it the administrator user or any other user, you will have a hard time tracking who did what. Perhaps a directory with extremely sensitive data, payroll for example, is suspected to have been accessed by someone who shouldn't have rights to it. You go into the logs and find that the user "administrator" gave itself permissions to access the directory, and five people know the password to the administrator account. Which of the five was it? Sharing the administrator account password is common in the IT world, in my experience, and I'm not sure if it's a lack of knowledge, not caring, or simply laziness. In the SMB space it seems to be common to have only one or two systems administrators, with possibly a third person, with administrative rights, as a backup. If giving all of these people full administrative access is really what you want to do, the least you can do is add each person's own account to the Administrators security group. This way they can each log in as themselves to perform administrative duties, and the log will reflect what each of them is doing. If you have a help desk group, you may not want each of them to have full administrator rights. In this case, create a help desk security group, grant it only the permissions its role needs (resetting passwords, for example), and add your help desk personnel to that group. This gives them rights to do specific administrative tasks only.
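The payroll-directory scenario and the per-person-account advice above, as an added example that is not part of the original post: PowerShell for Windows 7 / Server 2008 R2 that turns on auditing of permission changes on a sensitive directory, adds named administrators (rather than a shared password) to the Administrators group, delegates only password resets to a help desk group, and then pulls the Security log events that say which account changed the directory's permissions. The directory path, account names, group name and OU are placeholders; event ID 4670 ("Permissions on an object were changed") and the `auditpol`, `dsacls` and `Get-Acl -Audit` usage are standard.

```powershell
# Added example (not from the original post). Run elevated on Windows 7 / Server
# 2008 R2. Paths, account names, group and OU below are placeholders.
$payroll = 'D:\Shares\Payroll'                      # assumed sensitive directory

# 1. Enable the audit subcategories that record file-system access (4663),
#    permission changes (4670) and local group membership changes (4732).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 2. Put a SACL on the directory so reads, writes, deletes and permission
#    changes by anyone are written to the Security log. -Audit is required so
#    Get-Acl returns the SACL and Set-Acl writes it back.
$acl  = Get-Acl -Path $payroll -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $payroll -AclObject $acl

# 3. Give each administrator their OWN account in Administrators. Now event 4670
#    names alice or bob, not "administrator".
foreach ($admin in 'CORP\alice', 'CORP\bob') {      # placeholder accounts
    net localgroup Administrators $admin /add
}

# 4. Help desk gets a narrow delegation instead of Administrators: only the
#    "Reset Password" control access right on user objects under one OU.
#    Requires the dsacls tool (RSAT / domain controller) and a domain.
dsacls 'OU=Staff,DC=corp,DC=example' /I:S /G 'CORP\HelpDesk:CA;Reset Password;user'

# 5. Investigation: who changed permissions on the payroll directory?
#    4670 carries SubjectUserName (who), ObjectName (what) and the old/new
#    security descriptors in SDDL.
function Get-PermissionChanges([string]$Path) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectName']
                OldSd  = $d['OldSd']
                NewSd  = $d['NewSd']
            }
        }
}

Get-PermissionChanges -Path $payroll | Format-Table Time, User, Object -AutoSize
```

With a shared "administrator" login, the User column in that output would read the same for all five people who know the password; with individual accounts in the Administrators group it names the person, which is the whole point of the exercise.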

The last thing at play to consider is the egos of executive team members. Some executive team members will feel that it's their right to have the administrator account password or administrative rights. It's important to communicate with them why they don't need the password or rights. Let them know they will have access to all the data they need; you just don't want them to unintentionally break something. Executive team members are also prime targets of spear phishing attacks. If their account becomes compromised, you definitely don't want the attacker to have administrative rights.
