Shunning Shared Administrator Accounts
One of the most effective ways to compromise anything is to misuse the authority of those in charge. This applies to politics, business, computers, or anywhere with a hierarchy or authority structure of any kind. Any secure environment should have some kind of authentication, double-checks, or other additional measures to prevent both accidental and intentional misuse of authority.
When it comes to computers and information technology, the permissions associated with your user account determine what features of your computer or applications you can access. Unfortunately, too many people and businesses fall into the habit of sharing high-level accounts and permissions. That’s why today we’re going to look at two different but important questions. Why should shared accounts be avoided and why is the use of administrator accounts frowned on so much?
We’ll tackle the question with the shorter answer first: Why should shared accounts be avoided?
There are two main reasons for shunning shared accounts, the first and foremost being the audit trail.
Having an appropriate level of logging enabled to follow users’ activity is an essential part of securing your computers and applications against misuse. If high-level permissions are linked to the activity of a specific user account and that account is shared by multiple people, then there’s no way to determine who did what. Everyone who has access to the credentials for that account now has plausible deniability, so without an eyewitness to the misuse event, your investigation has come to an end before it even started.
The second reason is manageability.
What happens when an employee leaves or is terminated? All of a departing employee’s user accounts should be removed or disabled so they no longer have access to corporate resources, but you can’t do that with a shared account because you would cut multiple other employees off from it. Even if you just change the password, you need to communicate it to multiple people, which complicates the situation. Always remember the K.I.S.S. principle (Keep It Simple, Stupid).
Now don’t get me wrong: a shared account can be a solution in some rare situations. However, most of the time this is not the case. Understanding the limitations of auditing and managing means shared accounts should be used sparingly and have access levels that are heavily restricted when they are used. If a user expects to be able to do anything beyond simple web surfing then they should expect to log themselves in.
Now for the bigger question: Why is making use of an Administrator account such a big deal?
Simply put, it’s because an Administrator level account can do anything. The fact is most of the actions you wind up taking on a computer don’t actually require administrator level access. The only time someone should log in as an Admin is when they legitimately require that level of access.
As with most things, managing administrative access is a question of addressing worst-case scenario possibilities. What could happen if someone misuses Administrator level access, or simply makes a mistake? It depends on the computer, application, or website, but for one, all your information could get destroyed. It doesn’t matter if we’re talking about Windows users or access to some other system; an Administrator has full access and can alter settings, erase or copy information, and worse. We don’t want to preach fear, but you need to treat administrative rights with a certain degree of healthy paranoia when enabling access.
Every organization should make sure they are asking the appropriate questions when it comes to access and logins for their employees.
- Is Administrator access limited to those that NEED it to do their job?
  This includes administrator access to all devices and resources (not just Windows logins).
- Are you monitoring administrator access?
- Is there a proper/useful audit trail?
- Is there a proper record of user accounts?
- Is there a procedure for offboarding an employee that ensures all access is promptly removed?
- What are your regulatory requirements for log storage?
  Logs start to take up space quickly so storage costs can become a consideration.
These are not simple yes/no questions. In order to give an accurate and truthful answer to any of them you need accurate records of your various systems and users. It’s not as simple as disabling an Active Directory user (especially if the person is part of your IT department). You need to be aware of everywhere that has a user login, which means firewalls, switches, VPNs, cloud accounts, databases, cameras, printers, NAS devices, and anything else with a login portal. You can’t remove an employee’s access properly unless you know everything they have access to.
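To make the inventory point concrete, here is an added example (not part of the original post) that turns a record of accounts into an offboarding plan and a list of admin accounts with no usable audit trail. The inventory, system names, account names and people are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    system: str          # where the login lives (directory, firewall, NAS, ...)
    name: str            # account name on that system
    holders: frozenset   # people who know the credentials
    admin: bool = False

    @property
    def shared(self):
        return len(self.holders) > 1

# Constructed sample inventory; every system, account and person is made up.
INVENTORY = [
    Account("active-directory", "jsmith", frozenset({"jsmith"})),
    Account("active-directory", "jsmith-adm", frozenset({"jsmith"}), admin=True),
    Account("firewall", "admin", frozenset({"jsmith", "mlee", "tnguyen"}), admin=True),
    Account("nas", "backup", frozenset({"jsmith", "mlee"})),
    Account("vpn", "mlee", frozenset({"mlee"})),
]

def offboarding_plan(person, inventory):
    """Split a leaver's access into accounts to disable and shared credentials to rotate."""
    disable, rotate = [], {}
    for acct in (a for a in inventory if person in a.holders):
        key = f"{acct.system}/{acct.name}"
        if acct.shared:
            # Others depend on this login: rotate it and re-issue to those who remain.
            rotate[key] = sorted(acct.holders - {person})
        else:
            disable.append(key)
    return sorted(disable), rotate

def attribute(system, name, inventory):
    """Return everyone a logged action under system/name could belong to."""
    for acct in inventory:
        if (acct.system, acct.name) == (system, name):
            return sorted(acct.holders)
    return []  # login missing from the inventory: an unknown account is itself a finding

def audit_gaps(inventory):
    """Admin accounts whose log entries cannot be tied to one person."""
    return sorted(f"{a.system}/{a.name}" for a in inventory if a.admin and a.shared)

if __name__ == "__main__":
    print(offboarding_plan("jsmith", INVENTORY))
    print("unattributable admin accounts:", audit_gaps(INVENTORY))
```

In this sample, the two personal accounts can simply be disabled, while each shared login forces a password rotation plus a message to everyone who still needs it, and any firewall change logged under `admin` has three possible authors.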
As ever, Shakespeare has something I feel applies to this. Specifically from Henry IV, Part II, Act 3, scene 1: “Uneasy lies the head that wears a crown.”
If you have any questions about account permissions, please reach out to your TRINUS Account Manager for some stress-free IT.
Be Kind,
Courtesy of Your Friendly Neighbourhood Cyber-Man.