Retire Your Local Admin Account Before It Retires You...
by Tim Keeler, on Feb 25, 2016
Keeping your network completely secure is an incredibly difficult task, and not one you are likely to accomplish, because there will always be at least one vulnerability. However, the number of businesses that leave risky vulnerabilities open and accessible to malicious hackers is astonishing. One of the greatest of these risks is the administrative account, commonly called the admin account. It was once a necessary risk, but that ceased to be true some time ago, yet many companies still hold on to the old practices.
A Brief History of Admin Accounts
The local admin account was originally intended as an easy way to make system updates. In those earlier days there were far fewer security holes, because those with admin access had only a few points from which they could reach the network. Making admin rights essentially generic let everyone with an admin account do basic things, like add a printer. Pretty soon, companies were giving everyone admin access because the accounts were so generic. Even back then it was a security risk, but now that people work remotely and connect to unsecured networks (particularly public ones), keeping these accounts readily available gives malicious hackers a very easy way into your servers and network, where they can do considerable damage to your company and possibly to your customers.
Based on the Microsoft vulnerabilities report from 2014, “97% of Critical Microsoft vulnerabilities would be mitigated by removing admin rights across an enterprise.” With so many businesses relying on Microsoft products, this seems like a more than adequate reason to get rid of these accounts. The problem is that there will be some business impact, which gives companies many excuses to keep using something that makes it much easier for malicious hackers to get into a system.
Arguments to Keep These Risky Accounts
Admin accounts were necessary in the early days because it was difficult to have only a few IT personnel take care of all of the necessary tasks to get people established on a network. Giving people the ability to add printers, add backgrounds, and download applications needed to complete their jobs made a lot of sense. It provided a level of convenience that was largely safe because these things were done within a secure environment.
Five primary reasons are used to justify keeping these accounts today, and most of them are based on the convenience established in the early days of technology.
1. Users need to be able to update software and add hardware, and IT cannot do all of these tasks for the entire enterprise. The admin account is no longer needed for this, though: you can add personnel to established user groups that grant them these rights without giving them full access to everything an admin account allows.
2. The only way to update legacy software is through admin rights, and it is easier to have the department do that than to schedule it through IT. If you really cannot upgrade to more current software, there are other options. Perhaps they are not any easier, but these days security is more important than convenience.
3. People are accustomed to having the rights, so taking them away will create some challenges. It is true that people won’t be happy, but in the end this is not a trust issue; it is about closing the vulnerabilities these accounts create. What users can do with these accounts is vastly greater than the tasks they actually need to complete.
4. Executives need these accounts to run the company. This one is probably the easiest to argue against, because executives decidedly do not need to be doing the technical tasks that admin accounts allow. Their computers are the most likely to be targeted by a hacker, so it is easy to argue that these accounts should never be used on executives’ computers or devices.
5. The most obvious reason companies need these accounts is that the IT team uses them to do all of the necessary tasks. Admin accounts were created for IT, so this used to be a legitimate argument, but other options now make it less true. Your IT staff will need to be able to make changes, but what they can change should be restricted to the roles they fill. They do not need access to everything in the company, all the time.
As we have already pointed out, Microsoft programs are easy targets for malicious hackers with the admin account information. For most businesses, the admin account information is not very difficult to get. People write down the account information, giving anyone with access to the building the ability to find it. Even worse, the admin username and password are too often posted on the network for anyone to find and use as needed. This makes it far too easy for malicious hackers to get what they need without ever setting foot in the building.
Admin accounts offer far too much power to people who really do not need it. What staff need are specific rights that can be easily granted without giving them access to areas they have no need to reach. Malware, particularly ransomware, has been on the rise, and this kind of cyber attack frequently uses the local admin account to install the malware.
For example, if an executive’s workstation is logged in to the admin account, the executive could open a malicious file or email, or in the worst case their web browser is used to deliver the malware. They would not even realize the problem until it is far too late to fix it. The black hat hacker can then take over not only the executive’s computer but also work into the network and see all kinds of information and access privileges that the executive doesn’t even know they have. Even if a malicious hacker does not know the admin account information, if the account exists the hacker can guess until they gain access; the account name and password are usually easy to guess, which makes the account easy to crack and exploit. For companies that need to meet strict regulations, such as military contractors and those in the medical industry, admin accounts are an unnecessary added risk to meeting those requirements. By eliminating your admin account, you improve your chances of winning more clients and keeping your clients’ data secure. Compliance is essential, and admin accounts are too dangerous a risk to be worth what little convenience they provide.
Business Impacts of Removing Admin Accounts and How to Minimize Those Impacts
The best reason given for using the accounts is ‘convenience’, but considering how much trouble, time, and money go into trying to mitigate a cyber attack, this is an entirely unnecessary risk. Convenience is not worth the possible consequences. By removing this account, you significantly increase server and network security by removing many vulnerabilities. Keep in mind that, per the report cited above, removing these accounts mitigates 97% of your Microsoft vulnerabilities, so if your business relies on Microsoft products, it is well worth removing the local admin account. Ransomware, in particular, relies on these vulnerabilities, and it is one of the greatest risks to any business because you can lose many, if not all, of your files.
For example, retailers are a prime target for malicious hackers. With so much financial data in one location, an admin account makes it very easy for the hackers to gain all of that information through a single point of access. With so many high-profile hacks of this nature making headlines over the last few years, it is definitely a risk not worth taking. Retailers that do not give their workstations admin rights let staff do less on those machines, but outsiders are also incredibly limited in what they can access, if anything.
There are several alternatives to admin accounts. User groups with designated privileges are among the most popular replacements. They let people set up what they need on their computer without having access to things they don’t need. A person who manages email does not need to be able to access the firewall; the specific user group grants them access to email so that they can manage and configure that system as needed. Controlling endpoints, both in what a user can access and for how long, creates an even more secure option. By assigning access in real time as the need arises, there is nearly no chance for people outside the system to gain a foothold, because there is no generic account to access. Even if they do get into the system, they will only have access to a very limited area instead of the entire system, and that access will last a limited amount of time. This also prevents the widespread misuse of stolen administrator credentials. It is not a matter of “if” but “when” these are used against our organizations.
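One way to implement the time-limited, as-needed access described above, as an added example that is not part of the original post: a just-in-time grant to the local Administrators group that is recorded in a ledger and revoked automatically once it expires. It assumes PowerShell 5.1 or later with the built-in LocalAccounts module, an elevated session, and a hypothetical ledger path; the user name and reason in the usage lines are constructed.

```powershell
# Added example, not Remediant's code. Ledger path is a hypothetical location.
$Ledger = 'C:\ProgramData\JitAdmin\grants.json'

function Get-JitLedger {
    # Returns the list of active grants; @() guards against ConvertFrom-Json unwrapping a single item.
    if (Test-Path $Ledger) { @(Get-Content $Ledger -Raw | ConvertFrom-Json) } else { @() }
}

function Save-JitLedger([object[]]$Grants) {
    New-Item -ItemType Directory -Path (Split-Path $Ledger) -Force | Out-Null
    # -InputObject keeps an empty or single-element array serialized as a JSON array.
    ConvertTo-Json -InputObject $Grants | Set-Content $Ledger
}

function Grant-JitLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Member,   # e.g. 'CORP\jdoe'
        [int]$Minutes = 60,                       # how long the grant lives
        [Parameter(Mandatory)][string]$Reason     # recorded for audit, e.g. a ticket number
    )
    $expires = (Get-Date).ToUniversalTime().AddMinutes($Minutes)
    # Fails if the principal is already a member, so a standing admin is never silently "renewed".
    Add-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
    $grants = Get-JitLedger
    $grants += [pscustomobject]@{ Member = $Member; Expires = $expires.ToString('o'); Reason = $Reason }
    Save-JitLedger $grants
    Write-Output "Granted $Member local admin until $($expires.ToString('u')) ($Reason)"
}

function Revoke-ExpiredJitLocalAdmin {
    # Intended to run from a scheduled task every few minutes: removes every grant past its expiry.
    $now  = (Get-Date).ToUniversalTime()
    $keep = @()
    foreach ($g in Get-JitLedger) {
        if ([datetime]::Parse($g.Expires).ToUniversalTime() -le $now) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $g.Member -ErrorAction SilentlyContinue
            Write-Output "Revoked $($g.Member) (granted for: $($g.Reason))"
        } else {
            $keep += $g
        }
    }
    Save-JitLedger $keep
}

# Usage (constructed values): a 30-minute grant, then the sweep that cleans up expired grants.
Grant-JitLocalAdmin -Member 'CORP\jdoe' -Minutes 30 -Reason 'TICKET-PLACEHOLDER printer driver install'
Revoke-ExpiredJitLocalAdmin
```

The ledger doubles as the inventory of who currently holds elevated rights and why, which is the record a reviewer or responder will ask for first.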
Other things should be done alongside these measures, such as continuous monitoring and inventorying of admin accounts. This gives you the ability to follow logs and verify access. In the event that something does happen, it will be detected and stopped far earlier, which minimizes the collateral damage that can occur from the use of stolen administrator credentials.
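As an added example (not from the original post) of the monitoring and inventorying step: a script that collects local Administrators membership from a set of hosts, flags members outside an allowlist, and cross-checks recent Security event 4732 entries (a member was added to a security-enabled local group). It assumes PowerShell 5.1 or later, WinRM reachable on the hosts, and rights to read the Security log; the host names and allowlist are constructed.

```powershell
# Added example, not Remediant's code. Host names and allowlist entries are constructed.
$Hosts     = @('WS-FIN-01', 'WS-EXEC-02')
$Allowlist = @('CORP\Domain Admins', 'CORP\Workstation-Admins')

function Get-LocalAdminInventory {
    # One row per (host, member) pair; PrincipalSource tells local from domain principals.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Member = $_.Name
                               Class = $_.ObjectClass; Source = $_.PrincipalSource }
        }
    } | Select-Object Host, Member, Class, Source
}

function Find-UnexpectedLocalAdmins {
    # Anything not on the allowlist and not the host's own built-in Administrator is suspect.
    param([object[]]$Inventory, [string[]]$Allowed)
    $Inventory | Where-Object {
        $m = $_.Member
        -not ($Allowed -contains $m) -and ($m -ne "$($_.Host)\Administrator")
    }
}

function Get-RecentLocalGroupAdditions {
    # Pulls 4732 events so a membership change is seen even if the member was removed again.
    param([string[]]$ComputerName, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $since -ScriptBlock {
        param($Since)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $Since } `
                     -ErrorAction SilentlyContinue | ForEach-Object {
            # Property order for 4732: MemberName, MemberSid, TargetUserName (group), ..., SubjectUserName (actor)
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Time = $_.TimeCreated
                               Group = $_.Properties[2].Value; MemberSid = $_.Properties[1].Value
                               Actor = $_.Properties[6].Value }
        }
    } | Select-Object Host, Time, Group, MemberSid, Actor
}

# Usage: current state versus allowlist, then the change history behind it.
$inv = Get-LocalAdminInventory -ComputerName $Hosts
Find-UnexpectedLocalAdmins -Inventory $inv -Allowed $Allowlist | Format-Table -AutoSize
Get-RecentLocalGroupAdditions -ComputerName $Hosts |
    Where-Object Group -eq 'Administrators' | Format-Table -AutoSize
```

Running the inventory on a schedule and diffing it against the previous run turns the allowlist check into the continuous monitoring the paragraph calls for.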
About the Author
JD Sherry is Remediant’s Chief Revenue Officer and a seasoned technology executive in the cybersecurity industry. Learn more about JD and the Remediant leadership team.