The Social Engineer


The Malicious Attacker's Never-Ending Search for the Administrative Account


“A survey by Centrify found that almost 60% of IT professionals shared privileged account access credentials with co-workers. Technology analyst firm, Forrester, estimates that 80% of corporate security breaches result from privileged identity compromises.” – Josh Berman

More often than not, we find that organizations fall short in their security practices around administrative accounts. This is a serious weakness because of the risk attached to this area of cyber and information technology security. Malicious attackers are constantly looking to obtain administrative credentials, because once they have them they hold the keys to the kingdom. So, what questions should we be asking in order to better secure our organization?

A good place to start is with the following questions:

  • Who are considered administrators on the network?
  • Does each administrator have a unique administrator account? Or are there one or more shared administrator accounts?
  • Do personnel with administrative capability also have separate user accounts with normal user restrictions?
  • Do normal user personnel have local administrator capability?

When malicious attackers attempt to compromise a system, they are looking to gain administrative rights to that system, or better still to the whole network, and if we always operate in an administrative capacity the risk increases accordingly. For example, if an administrator reads email or browses the internet with their administrative account, it becomes easier for attackers to introduce malware through a phishing attack or to obtain credentials through impersonation. This is where the concept of least privilege comes into play.

Least privilege is the idea of giving an individual only the access within the system that is needed to fulfill the individual's job duties. When a person logs in to a workstation to do normal daily work, such as checking email or accessing the internet, they should log on with their normal user account. Then, when administrative credentials are needed, the individual can switch to the administrative account and perform those tasks.

“Individuals should use non-privileged accounts, when accessing non-security functions.” – NIST Special Publication 800-53, AC-6 enhancements (1)–(10), specifically AC-6(2).

You should grant all domain administrator users their domain privileges under the concept of least privilege. For example, if an administrator logs on with a privileged account and inadvertently runs a virus program, the virus has administrative access to the local computer and to the entire domain. If the administrator had instead logged on with a non-privileged (non-administrative) account, the virus's scope of damage would be limited to the local computer, because it runs as a local computer user.

Not only does the concept of least privilege decrease the risk from malicious attackers, it also ensures that administrative credentials are used only for administrative tasks and that the use of administrative privileges is appropriately logged within the system as evidence of the work performed. It's bad news if we cannot tell who exactly is using the administrator account at any given time.
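One way to make that logging useful, as an added example that is not part of the original article: parse Windows Security-log logon events (ID 4624) and group them by account, workstation and source address. For a personal admin account every logon maps back to one person; for a shared account the log can only name the machine. The three events below are constructed samples (the EXAMPLE domain, host names and addresses are made up), and the `Get-WinEvent` usage at the end is an assumed way to feed real events to the same function.

```powershell
# Added example, not code from the original article. Parses 4624 logon events
# and groups them by account, workstation and source. Sample events are constructed.

function Get-LogonRecord {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    # Copy every <Data Name="..."> element into a hashtable keyed by its Name attribute
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = [int]$data.LogonType        # 2 interactive, 10 remote desktop, 3 network
        Workstation = $data.WorkstationName
        Source      = $data.IpAddress
    }
}

# Accounts seen logging on from more than one workstation: for a shared account the
# log can name the machine, but never the person behind the keyboard
function Get-MultiWorkstationAccounts {
    param([object[]]$Records)
    $Records | Group-Object Account |
        Where-Object { @($_.Group.Workstation | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Account      = $_.Name
                Workstations = ($_.Group.Workstation | Sort-Object -Unique) -join ', '
            }
        }
}

# --- constructed sample events (abridged to the fields used above) ---
$e1 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T08:02:11.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS-ACCOUNTING</Data>
    <Data Name="IpAddress">10.0.5.21</Data>
  </EventData>
</Event>
"@
$e2 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T09:40:03.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS-HELPDESK</Data>
    <Data Name="IpAddress">10.0.7.40</Data>
  </EventData>
</Event>
"@
$e3 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T10:15:27.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">adm-jsmith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WS-JSMITH</Data>
    <Data Name="IpAddress">10.0.9.12</Data>
  </EventData>
</Event>
"@

$records = $e1, $e2, $e3 | ForEach-Object { Get-LogonRecord -EventXml $_ }
$records | Sort-Object Time | Format-Table Time, Account, LogonType, Workstation, Source -AutoSize
# EXAMPLE\Administrator appears from two workstations; EXAMPLE\adm-jsmith from one
Get-MultiWorkstationAccounts -Records $records | Format-Table -AutoSize

# Against a live host (assumed usage), feed real events instead of the samples:
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#                ForEach-Object { Get-LogonRecord -EventXml $_.ToXml() }
```

The events are parsed through `ToXml()` and the `Name` attribute rather than by positional property index, because the order of 4624 fields differs between Windows versions; keying on the name keeps the same function working on any of them.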

Once we have decided which individuals need administrative capability, where should we go? A good first step, as mentioned above, is to ensure that individuals with administrative rights have their own unique administrative accounts in addition to their normal user accounts. The key word there is unique. Administrative accounts should not be shared. Each administrator should be logging in to their own account with their own unique credentials.

It is not uncommon for organizations, especially smaller ones, to have a shared administrator account. We see this quite often while performing an audit of an organization. A survey conducted by a leading digital security firm showed that an astonishing 95% of respondents admitted to sharing as many as six passwords with other people, even though most know it is risky. The same study found that people are more likely to share passwords for work accounts than for their personal accounts. That is a problem: individuals understand the risk that accompanies sharing credentials and are unwilling to share them outside the work environment, yet they are willing to do so while on the job.

Employees often have seemingly good reasons for sharing credentials. Credential sharing makes it easier for multiple users to access an account. Managers share passwords in order to delegate tasks. It's easier, it's more efficient, it's cheaper. There are reasons – dare I say, excuses – to share passwords. However, the risk that accompanies the practice of sharing credentials trumps those reasons. It is well worth the extra time, money, hassle, etc. that comes with taking away a shared administrator account, because doing so minimizes your organization's risk profile.

So, what are steps that you can take and questions to ask today to make your organization more secure?

  1. Determine who is considered an administrator on your organization's network. Does each of these individuals need to carry administrator privileges?
  2. Does each individual with administrator rights have a unique account, or are credentials for one account being shared? If one shared account is in use, take steps to create unique accounts for the individuals who need those rights.
  3. Ensure that individuals with administrative capability have separate normal user accounts that they operate in for daily tasks. Only switch to the administrator account when it is needed to perform a task.
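The three steps above can be turned into a repeatable check against Active Directory. The script below is an added example, not code from the original article: it lists the members of the privileged groups (step 1), flags accounts that are not named for one person as possibly shared (step 2), and checks that each personal admin account has a paired standard account (step 3). It assumes the ActiveDirectory module from RSAT and a naming convention, which is this example's assumption, where a person's admin account is `adm-<username>` and their standard account is `<username>`; change `$AdminPrefix` to match your own convention.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module and the "adm-<username>" / "<username>" naming convention (an assumption).
Import-Module ActiveDirectory

$AdminPrefix      = 'adm-'   # assumed convention; change to match your domain
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedAccountReport {
    foreach ($group in $PrivilegedGroups) {
        # Step 1: -Recursive expands nested groups, so indirect members are counted too
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.distinguishedName -Properties Enabled, LastLogonDate, EmailAddress

            # Step 2: an account not named for one person is treated as possibly shared
            $isPersonal   = $user.SamAccountName -like "$AdminPrefix*"
            $standardName = if ($isPersonal) { $user.SamAccountName.Substring($AdminPrefix.Length) }

            # Step 3: does the paired standard (non-admin) account exist?
            $hasStandard = $false
            if ($standardName) {
                $hasStandard = [bool](Get-ADUser -Filter "SamAccountName -eq '$standardName'")
            }

            [pscustomobject]@{
                Group              = $group
                Account            = $user.SamAccountName
                Enabled            = $user.Enabled
                LastLogon          = $user.LastLogonDate
                LooksShared        = -not $isPersonal
                HasStandardAccount = $hasStandard
                HasMailbox         = [bool]$user.EmailAddress   # admin accounts should not read mail
            }
        }
    }
}

$report = Get-PrivilegedAccountReport
$report | Sort-Object Group, Account | Format-Table -AutoSize

# Findings worth acting on: shared-looking accounts, admins with no standard
# account to do daily work in, and admin accounts that have a mailbox
$report | Where-Object { $_.LooksShared -or -not $_.HasStandardAccount -or $_.HasMailbox } |
    Export-Csv -Path .\privileged-account-findings.csv -NoTypeInformation
```

Run it from a workstation that can reach a domain controller; the `HasMailbox` column is included because an admin account with an email address is one that will sooner or later be used to read phishing mail, which is exactly the exposure the article warns about.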

Article Written By: Chad Gutschenritter
