There is a good chance that if you asked a Linux administrator if they log onto their workstation with “root” you would get a very confused response. Why is this?

Root is essentially logging onto the system as the administrator: root has all the power, and anything that needs to be changed can be done as root, including breaking the entire system. Linux administrators rarely use root unless necessary. Their daily work is done with an account that has normal user privileges.

Surprisingly, this same respect for the administrator account does not always exist with Windows administrators. They may not log into the computer as “administrator,” the default Windows administrator account, but most likely with their own account that has the same privileges. If you ask a Windows administrator if they use two accounts, one privileged and one a normal user, the common answer is no.

Why is it important for administrators to have a normal account?

An account with administrative access has the power to make changes to a system. Those changes may be for good, such as updates, or for bad, such as opening a backdoor for an attacker to access the system. While an administrator would hopefully not do anything nefarious to his/her company’s systems purposefully, the act of using administrative accounts for daily activities can lead to just that.

When penetration testers are attempting to compromise a system, they are looking to “gain admin.” This is no different from a malicious attacker who also wants to gain administrative rights to a system or, even better, a network.

Allowing a systems administrator, especially one with Domain Administrator privileges, to access his/her e-mail and the Internet via their administrative account makes it easier for attackers to introduce malware via a phishing attack or gain those credentials by using impersonation, which is a very common attack in the Microsoft Windows environment.

Therefore, it is important for administrators to have a separate, normal account for their day-to-day activities to reduce the risk of inadvertently compromising the system. Using a normal account without administrative privileges for activities such as browsing the internet, reading email, and creating documents provides an additional layer of protection against cyber threats.

A normal account can also help with accountability and auditing. By using a separate account for administrative activities, administrators can be held responsible for any changes made to the system. It also makes it easier to track changes made to the system and identify any potential security breaches.

Using a normal account for daily activities and a separate administrative account for system management is a best practice in maintaining the security and integrity of a system. It is a simple but effective way to reduce the risk of cyber threats and ensure that administrators are held accountable for their actions.

What can be done to prevent account compromise?

When an organization is creating accounts and roles for its employees, most are familiar with the concept of least privilege, which is the idea of giving an individual access within the system to do only what is needed to fulfill the individual’s job duties.

For example, the mail room clerk is not going to be given access to payroll and engineers will not have access to Human Resources files. This logic needs to apply to Windows administrators as well.

When a person is logging into a workstation to do normal daily work, such as checking e-mail or surfing the Internet, or even troubleshooting, they should log on as a typical user. Then, when job circumstances require the individual to have privileged access, they should switch to a separate, privileged account to perform those tasks in the system.

Microsoft Windows has an option to allow commands to be run as an administrator with separate authentication if it is needed. This does several things:

    1. it ensures an administrator does not inadvertently make a change without knowing that is an administrative change (it does happen);
    2. it ensures the administrative credentials are only used for administrative tasks and
    3. it ensures that use of administrator privileges is appropriately logged within the system as evidence of the work performed.

How do you implement two separate accounts for administrators?

The hardest part of implementing privileged and non-privileged accounts for administrators is push back from the administrators themselves. They may make statements about two accounts slowing down their work or making them less productive, when in fact they already log into multiple systems a day and some systems may require different login credentials anyway, so one more login will not affect their productivity significantly.

The time and money it could save in dealing with attacks or mistakes made while using an administrator account would be less than a minor inconvenience in the short term that will become second nature in the long term.

They may also say it is impossible to do certain tasks, but that is not an excuse to always use administrative accounts for all activities. In fact, Microsoft introduced the “run as Administrator” option way back in Windows XP. It is still a feature in Windows 11, and it has been expanded upon to increase the protections around Administrator accounts.

Many administrators just want more control of their systems. However, the systems belong to the organization they support and need to be protected in the same way as a server especially since the administrator has direct access to more sensitive components on the network and using the same username and password combination weakens any security that is in place.

The idea of least privilege is not new; it is a requirement of FISMA 800-53a (AC-6) and considered an industry best practice by SANS, US-CERT and the NSA. So don’t delay.

Start moving to the use of non-privileged accounts for all users, not just your standard employees, as soon as possible.

Many of the companies who turn to LBMC for penetration testing also take advantage of one or more of our other information security services—from risk assessments to intrusion detection and prevention. By sharing information across functional areas, we are able to ensure that our testers stay on top of the latest attack techniques, emerging threats, and creative defenses, which improves our assessment and testing techniques and the quality of the resulting threat intelligence we provide to our clients.

To learn more about why we’re your choice for the best penetration testing company, contact us or call 1-844-526-2732.

Enjoying the Read?

Don’t miss out on latest security news from our LBMC team.