There is a good chance that if you asked a Linux administrator if they log onto their workstation with “root” you would get a very confused response. Why is this?
Logging on as root is logging on as the administrator: root has all the power, and anything that needs changing can be changed as root, up to and including breaking the entire system. Linux administrators rarely use root unless they have to. Their daily work is done with an account that has normal user privileges.
Surprisingly, the same respect for the administrator account does not always exist among Windows administrators. They may not log on as “Administrator,” the built-in Windows administrator account, but they most likely log on with their own account, which carries the same privileges. If you ask a Windows administrator whether they use two accounts, one privileged and one a normal user, the common answer is no.
Why is it important for administrators to have a normal account?
An account with administrative access has the power to make changes to a system. Those changes may be for good, such as applying updates, or for bad, such as opening a backdoor that gives an attacker access to the system. An administrator would hopefully never do anything nefarious to his/her company’s systems on purpose, but using an administrative account for daily activities can lead to exactly that outcome without any intent.
When penetration testers are attempting to compromise a system, they are looking to “gain admin.” This is no different from a malicious attacker who also wants to gain administrative rights to a system or, even better, a network.
Allowing a systems administrator, especially one with Domain Administrator privileges, to read e-mail and browse the Internet from an administrative account makes it easier for an attacker to introduce malware through a phishing message or to steal the logged-on credentials by impersonating that session (token theft and credential-reuse attacks such as pass-the-hash are very common in Microsoft Windows environments). Malware that runs in that session runs with the account’s full privileges.
What can be done to prevent account compromise?
When an organization is creating accounts and roles for its employees, most are familiar with the concept of least privilege, which is the idea of giving an individual access within the system to do only what is needed to fulfill the individual’s job duties.
For example, the mail room clerk is not going to be given access to payroll and engineers will not have access to Human Resources files. This logic needs to apply to Windows administrators as well.
When a person is logging into a workstation to do normal daily work, such as checking e-mail or surfing the Internet, or even troubleshooting, they should log on as a typical user. Then, when job circumstances require the individual to have privileged access, they should switch to a separate, privileged account to perform those tasks in the system.
Microsoft Windows lets an individual command be run as an administrator with separate authentication when it is needed (the “Run as administrator” option backed by User Account Control, and the runas.exe utility). This does several things:
- it ensures an administrator does not inadvertently make a change without knowing that it is an administrative change (it does happen);
- it ensures the administrative credentials are only used for administrative tasks; and
- it ensures that each use of administrator privileges is logged by the system (in the Security event log) as evidence of the work performed.
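The following PowerShell is an added example, not code from the original article: it shows how a daily-use account can check whether its session is elevated and, when a task really needs admin rights, run that one command under a separate privileged account. The account name `CORP\jdoe-adm` and the `Restart-Service` task are assumed placeholders.

```powershell
# Added example (not from the original article): keep the daily-use account
# unprivileged and borrow a separate admin account only for the task at hand.
# 'CORP\jdoe-adm' is an assumed placeholder account name.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # With UAC enabled, even an admin who logged on normally runs with a
    # filtered token, so this returns $false until the session is elevated.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-AsAdmin {
    param(
        [Parameter(Mandatory)] [string] $AdminAccount,  # e.g. 'CORP\jdoe-adm'
        [Parameter(Mandatory)] [string] $Command        # PowerShell to run elevated
    )
    # Prompt for the privileged account every time; nothing is cached in the
    # daily session and the admin password is never typed into it.
    $cred = Get-Credential -UserName $AdminAccount -Message "Privileged account for: $Command"

    # Base64-encode the command so no quoting has to survive two process hops.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))

    # Start-Process cannot take -Credential and -Verb together, so:
    # hop 1 starts PowerShell as the admin account (still a filtered token);
    # hop 2, inside that process, asks UAC for a full token with -Verb RunAs.
    $inner = "Start-Process powershell.exe -Verb RunAs -Wait -ArgumentList " +
             "'-NoProfile','-EncodedCommand','$encoded'"
    Start-Process -FilePath 'powershell.exe' -Credential $cred -Wait `
        -ArgumentList '-NoProfile', '-Command', $inner
}

# Typical use from the daily (non-admin) session: the admin account is only
# ever used for the one task, and that task shows up in the Security log
# under the admin account, not the daily one.
if (-not (Test-IsElevated)) {
    Invoke-AsAdmin -AdminAccount 'CORP\jdoe-adm' -Command 'Restart-Service -Name Spooler'
}
```

The second hop is what produces the UAC consent prompt for the admin account; without it the new process would still carry the filtered token that UAC gives every administrator at logon, and the task would fail just as it would in the daily session.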
How do you implement two separate accounts for administrators?
The hardest part of implementing privileged and non-privileged accounts for administrators is push back from the administrators themselves. They may say that two accounts will slow down their work or make them less productive, when in fact they already log into multiple systems a day, and some of those systems require different credentials anyway, so one more login will not affect their productivity significantly.
The time and money saved by not having to deal with attacks, or with mistakes made while running as an administrator, far outweighs a minor inconvenience that will become second nature in the long term.
They may also say that certain tasks are impossible without a privileged session, but that is not a reason to use administrative accounts for all activities. In fact, the “Run as…” option and the runas.exe utility date back to Windows 2000, and User Account Control has provided “Run as administrator” since Windows Vista. It is still a feature in Windows 10, and it has been expanded upon to increase the protections around Administrator accounts.
Many administrators simply want more control over their systems. However, those systems belong to the organization they support and need to be protected in the same way as a server, especially since the administrator has direct access to more sensitive components on the network, and using the same username and password combination for everything weakens whatever security is in place.
Start moving to the use of non-privileged accounts for all users, not just standard employees, as soon as possible.
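One way to find out how far a workstation is from that goal is to look for privileged accounts doing daily work on it. The script below is an added example, not part of the original article: it lists the accounts that hold local administrator rights and reports any of them that have logged on interactively (logon type 2) or over Remote Desktop (logon type 10) in the last few days. It assumes an elevated session (the Security log is not readable otherwise) and Windows 10 / Server 2016 or later for `Get-LocalGroupMember`.

```powershell
# Added example (not from the original article): flag local admin accounts that
# are being used for interactive or RDP logons, i.e. privileged accounts doing
# daily work. Must run elevated to read the Security log.

function Get-AdminInteractiveLogons {
    param([int] $Days = 7)

    # Direct user members of the local Administrators group, as 'domain\user'.
    # Nested groups (e.g. 'CORP\Domain Admins') are not expanded here; add their
    # members to $admins if you want them covered. (Assumption of this example.)
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object ObjectClass -eq 'User' |
        ForEach-Object { $_.Name.ToLower() }

    # Event 4624 = successful logon. Property indexes follow the event schema:
    # 5 TargetUserName, 6 TargetDomainName, 8 LogonType, 18 IpAddress.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p         = $_.Properties
        $logonType = [int]$p[8].Value
        $account   = ('{0}\{1}' -f $p[6].Value, $p[5].Value).ToLower()
        if (($logonType -eq 2 -or $logonType -eq 10) -and ($admins -contains $account)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $account
                LogonType = $logonType
                SourceIp  = $p[18].Value
            }
        }
    }
}

# Summarise: which privileged accounts are logging on for daily work, and how often.
Get-AdminInteractiveLogons -Days 7 |
    Group-Object Account |
    Select-Object @{n='Account';e={$_.Name}}, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

An empty result is the goal: every interactive logon should come from an unprivileged account, and the privileged accounts should appear in the log only through the elevation prompts described above.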
Many of the companies who turn to LBMC for penetration testing also take advantage of one or more of our other information security services—from risk assessments to intrusion detection and prevention. By sharing information across functional areas, we are able to ensure that our testers stay on top of the latest attack techniques, emerging threats, and creative defenses, which improves our assessment and testing techniques and the quality of the resulting threat intelligence we provide to our clients.