2

Scenario:

Person A's normal computer account is personA. They have locked this out with too many bad password attempts. The user is part of the IT group, so they also have an admin account: personA-admin.

They use this admin account to unlock their standard account. In the Windows event log, it shows as personA-admin unlocked personA.

Question: Is this ok?

I say no because someone else should be unlocking it. I'm thinking along the lines of separation of duties, privilege escalation maybe etc. My colleague says yes because they're not gaining any additional privilege over what they have right now...

BeckyG
    If the person still has an admin account, I see no potential problems in them using it to unlock a standard account belonging to themselves. It does not open any new vectors for privilege escalation, and in my mind it's not really what separation of duties is about. – Henrik supports the community Aug 14 '19 at 15:57

1 Answer

4

Let's examine why this person has multiple accounts - the general explanation is that there should be an additional barrier to access administrative functions, reduce logins to that account, etc. (https://cloud.google.com/resource-manager/docs/super-admin-best-practices). You can consider their admin account their 'primary' account (even though it's not the one they use day-to-day) as it's what matches their role. Nothing else they can do on their admin account has to be done by someone else.

Resetting your own password via your admin account isn't poor practice. Getting locked out of an account that should be your day-to-day account is a potential yellow flag. There is no separation of duties between these accounts - this person is presumably allowed to perform the actions in their admin account. There is also no privilege escalation - the lower level account is a best practice, and not a reflection of the user's permission level.

Buffalo5ix
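The event described in the question ("personA-admin unlocked personA") is visible in the Security log as Event ID 4767 ("A user account was unlocked"), whose SubjectUserName is the account that performed the unlock and whose TargetUserName is the account that was unlocked; Event ID 4740 ("A user account was locked out") records the lockout itself. The script below is an added example, not code from the question or the answer: it walks a set of constructed 4740/4767 records and reports (a) unlocks where an admin account unlocked the standard account of the same person, using the "<user>-admin" naming convention from the question, and (b) how often each standard account was locked out, which the answer calls a yellow flag. The naming convention and the sample records are assumptions; the event IDs and field names are the real ones.

```python
"""
Audit Windows account-unlock events for "self unlocks" via a paired admin
account, and count lockouts per account.

Real things: Event ID 4767 (account unlocked), Event ID 4740 (account locked
out), and the SubjectUserName / TargetUserName / *DomainName fields.
Assumptions for this example: the "<user>-admin" naming convention from the
question, and the constructed sample records below.
"""
from collections import Counter

ADMIN_SUFFIX = "-admin"  # naming convention from the question (assumption)
EVENT_UNLOCKED = 4767
EVENT_LOCKED_OUT = 4740

# Constructed sample records, shaped like the fields of the real events.
SAMPLE_EVENTS = [
    # Two lockouts of personA's day-to-day account (4740: Subject is the DC).
    {"EventID": 4740, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "TargetUserName": "personA", "TargetDomainName": "CORP"},
    {"EventID": 4740, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "TargetUserName": "personA", "TargetDomainName": "CORP"},
    # The case from the question: personA-admin unlocked personA.
    {"EventID": 4767, "SubjectUserName": "personA-admin", "SubjectDomainName": "CORP",
     "TargetUserName": "personA", "TargetDomainName": "CORP"},
    # A helpdesk admin unlocking someone else's account: not a self unlock.
    {"EventID": 4767, "SubjectUserName": "helpdesk-admin", "SubjectDomainName": "CORP",
     "TargetUserName": "personB", "TargetDomainName": "CORP"},
    # Same pattern with mixed case, which Windows account names allow.
    {"EventID": 4767, "SubjectUserName": "PERSONC-ADMIN", "SubjectDomainName": "CORP",
     "TargetUserName": "personc", "TargetDomainName": "CORP"},
    # Same person name in a different domain: not treated as the same person.
    {"EventID": 4767, "SubjectUserName": "personA-admin", "SubjectDomainName": "LAB",
     "TargetUserName": "personA", "TargetDomainName": "CORP"},
]


def person_of(account_name):
    """Map an account name to the person behind it by stripping the admin suffix."""
    name = account_name.lower()
    if name.endswith(ADMIN_SUFFIX):
        return name[: -len(ADMIN_SUFFIX)]
    return name


def is_self_unlock(event):
    """True if an admin account unlocked the same person's standard account."""
    if event.get("EventID") != EVENT_UNLOCKED:
        return False
    subject = event["SubjectUserName"].lower()
    target = event["TargetUserName"].lower()
    if event["SubjectDomainName"].lower() != event["TargetDomainName"].lower():
        return False  # different domains: do not assume the same person
    return (
        subject.endswith(ADMIN_SUFFIX)
        and not target.endswith(ADMIN_SUFFIX)
        and person_of(subject) == person_of(target)
    )


def find_self_unlocks(events):
    """Return (unlocking account, unlocked account) pairs for self unlocks."""
    return [
        (e["SubjectUserName"], e["TargetUserName"])
        for e in events
        if is_self_unlock(e)
    ]


def lockout_counts(events):
    """Count 4740 lockouts per target account (case-insensitive)."""
    return dict(Counter(
        e["TargetUserName"].lower()
        for e in events
        if e.get("EventID") == EVENT_LOCKED_OUT
    ))


if __name__ == "__main__":
    for unlocker, unlocked in find_self_unlocks(SAMPLE_EVENTS):
        print(f"self unlock: {unlocker} unlocked {unlocked}")
    for account, n in lockout_counts(SAMPLE_EVENTS).items():
        print(f"lockouts: {account} locked out {n} time(s)")
```

On a real domain controller the records would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4767}` (and Id=4740) rather than the constructed list; the rule itself is the same. Whether a self unlock is acceptable is the policy question the answer addresses; the audit only makes the pattern visible, and repeated lockouts of one standard account are the signal worth following up.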