
On Linux, we enforce least privilege through sudo. This gives the best of both worlds: Passwords and accounts are for a person, as they should be, not a role. But we lower risk and exposure by only using privileges when we need them.

Windows doesn't typically have a similar scheme, and so, for admins, there are two options:

  1. Give them two accounts (Mike and MikeAsAdmin), one for general use, one when they need privileges.
  2. Give full privileges to their one and only account.

Microsoft is now pushing #1 as best practice. I have several concerns: Having multiple accounts for the same person makes it easy to miss one when, for example, the user leaves the org. If one account won't be used much, it makes it easier for problems to go unnoticed. In general, accounts and passwords are for identifying people, not roles. And, you haven't gained much security either: If the Mike account is compromised, it will lead itself pretty quickly to MikeAsAdmin.

This question applies to anything that lacks sudo, not only Windows, but network equipment, applications, databases, cloud services, etc.: For all of these, is best practice for the admin to have a dedicated second account?

SRobertJames
  • User account for network equipment? How would that work? – schroeder Jul 11 '18 at 12:35
  • A lot of network equipment is managed via RADIUS. That is, instead of having yet another username and password on your router, you tell your router to query your LDAP to find out who can log in and manage it. Then, you make certain users in your company LDAP members of the "routers-op" group. – SRobertJames Jul 11 '18 at 12:44
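One way to check for the orphaned or idle secondary admin accounts the question worries about, written as an added example (not code from the post or from any product named here). It assumes the "MikeAsAdmin" naming convention from the question and runs over a constructed directory snapshot:

```python
from dataclasses import dataclass
from datetime import date

# Assumed naming convention from the question: "Mike" pairs with "MikeAsAdmin".
ADMIN_SUFFIX = "AsAdmin"


@dataclass(frozen=True)
class Account:
    name: str          # login name
    enabled: bool      # account enabled in the directory
    last_logon: date   # last interactive/network logon


def audit_paired_accounts(accounts, today, stale_days=90):
    """Report enabled admin accounts whose primary account is missing or
    disabled (the leaver-offboarding gap), and admin accounts that have not
    logged on for more than stale_days (the "rarely used, rarely watched" gap).
    Returns a sorted list of (account_name, finding) tuples."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for acct in accounts:
        if not acct.name.endswith(ADMIN_SUFFIX) or not acct.enabled:
            continue  # only enabled secondary admin accounts are of interest
        primary_name = acct.name[: -len(ADMIN_SUFFIX)]
        primary = by_name.get(primary_name)
        if primary is None:
            findings.append((acct.name, "orphaned: no primary account"))
        elif not primary.enabled:
            findings.append((acct.name, f"still enabled but primary {primary_name} is disabled"))
        idle = (today - acct.last_logon).days
        if idle > stale_days:
            findings.append((acct.name, f"stale: no logon for {idle} days"))
    return sorted(findings)


# Constructed sample snapshot (not real data).
SAMPLE = [
    Account("Mike", True, date(2018, 7, 10)),
    Account("MikeAsAdmin", True, date(2018, 7, 1)),     # healthy pair
    Account("Alice", False, date(2018, 3, 1)),           # Alice left the org
    Account("AliceAsAdmin", True, date(2018, 2, 20)),    # forgotten admin account
    Account("BobAsAdmin", True, date(2018, 7, 5)),       # no matching primary
    Account("Carol", True, date(2018, 7, 11)),
    Account("CarolAsAdmin", False, date(2018, 1, 15)),   # disabled, so ignored
    Account("Dave", True, date(2018, 7, 9)),             # no admin account
]

if __name__ == "__main__":
    for name, finding in audit_paired_accounts(SAMPLE, date(2018, 7, 11)):
        print(f"{name}: {finding}")
```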

2 Answers


The best practice is to abstract out the person from all roles. But this is difficult to perform natively, as you suggest.

The way to accomplish this is to have an authorisation layer in between the authentication process and all target processes. A "universal sudo", if you will. Products and services exist to allow this abstraction internal to your network (Privileged access management tools, like CyberArk and Thycotic) and externally (Cloud Service Brokers).

They all work on a Single Sign-On system and allow a user to request and receive permissions. This means the user gets one account, but dynamic access as required to target services. Most services include extra layers of analysis to granting access permissions that add extra protection to sensitive processes (like root accounts, etc.).

But if you are asking about how to accomplish the best possible practice natively, "defence in depth" is still a useful model and even though it might be possible to leverage access from one account to another, separating them means that access is not automatic. If the admin on the admin account gets hit with ransomware from a personal email, then the company goes down. If the admin was on a user account, then the damage is limited.

schroeder

I am a proponent of using two separate accounts (solution #1). Beyond preventing mistakes from self-inflicted wounds, it does add an additional layer for protecting against phishing attacks.

If your admin Mike is phished and has no separate account, an attacker could use that to run admin-level commands on your network. For example, the big Sony Entertainment hack was from phished domain admin credentials: https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/

Joe M