Privileged accounts, typically administrator accounts, are the all-powerful user accounts that can do anything on a computer, server, network, or domain. They are the top targets for cyber-criminals and other malicious hackers, and they are generally poorly managed. Here are some common mistakes we see when conducting security reviews for clients.
- Domain, Network, and Server Administrators – These accounts are often used as the day-to-day work account of a highly placed IT staff member. Administrator accounts should never be used for routine work, but only when needed to manage a server, network, or Windows domain. If such an account is breached, the entire network is vulnerable to further exploitation by the attacker.
- Administrators to the local machine – When you set up a computer for the first time, the operating system requires you to create an administrator account. This is the administrator for this computer, also known as the local machine. We see lots of instances where the computer user is also the local machine administrator. This means that when their system is compromised by an attack, the attacker has unlimited rights to download and install anything they need to extend their attack. Users should be working under their own user account, and given only the privileges needed for their job. If installing software is not part of their job, make sure it is not something they can do under their user profile.
- Default administrator accounts not changed – All computer hardware, and especially networking gear, comes with default administrator accounts built in. Often the credentials are nothing more than “admin” and “password.” Default administrator credentials can be looked up on the Internet, either on the manufacturer’s support pages, or in one of the many online lists of default administrator accounts. Just Google “default admin accounts lists” to see a good selection. These defaults need to be changed as part of the setup process.
- Administrator account records poorly documented or missing – Often we find that information about administrator accounts is missing, out of date, sometimes duplicated (but not identically), and often stored in a notebook (bad) or on a spreadsheet (worse). If the administrator account is not available for a server, computer or other device, it can be impossible to service or repair the device without resetting everything back to day one. It is for reasons like this that machines go unpatched for years – no one has the administrator account necessary to update the software.
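As an added illustration (not part of the original post), the following Python script audits a small constructed inventory of privileged accounts and flags each of the four mistakes above: default credentials left in place, admin accounts doubling as someone's daily login, stale or conflicting duplicate records, and devices with no admin record at all. The record fields, device names and the reference date are assumptions made for the example; no passwords are stored, only whether the default was changed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real devices or people). Passwords are
# deliberately absent: each record only says whether the default was changed.
DEVICES = ["router-01", "switch-02", "fileserver", "laptop-17"]
RECORDS = [
    {"device": "router-01", "account": "admin", "owner": "netops",
     "default_changed": False, "daily_use": False, "verified": date(2024, 11, 3)},
    {"device": "fileserver", "account": "Administrator", "owner": "jsmith",
     "default_changed": True, "daily_use": True, "verified": date(2024, 9, 1)},
    {"device": "fileserver", "account": "Administrator", "owner": "it-shared",
     "default_changed": True, "daily_use": False, "verified": date(2021, 2, 7)},
    {"device": "laptop-17", "account": "jsmith", "owner": "jsmith",
     "default_changed": True, "daily_use": True, "verified": None},
]
TODAY = date(2025, 1, 6)  # constructed reference date for the staleness check


def audit(records, devices, today, max_age_days=365):
    """Return a dict of findings, one list of 'device/account' per mistake."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["device"], r["account"])].append(r)
    name = lambda r: f"{r['device']}/{r['account']}"
    return {
        # default credentials never changed during setup
        "default_credentials": sorted(name(r) for r in records if not r["default_changed"]),
        # privileged account also used as a day-to-day login
        "daily_use_admin": sorted(name(r) for r in records if r["daily_use"]),
        # same device/account recorded more than once with conflicting details
        "conflicting_duplicates": sorted(
            f"{d}/{a}" for (d, a), rs in by_key.items()
            if len(rs) > 1 and len({(r["owner"], r["verified"]) for r in rs}) > 1),
        # never verified, or not verified within max_age_days
        "stale_records": sorted(
            name(r) for r in records
            if r["verified"] is None or (today - r["verified"]).days > max_age_days),
        # device in the asset list with no privileged account on record
        "missing_admin_record": sorted(
            d for d in devices if d not in {r["device"] for r in records}),
    }


def run_sample_audit():
    return audit(RECORDS, DEVICES, TODAY)


if __name__ == "__main__":
    for mistake, hits in run_sample_audit().items():
        print(f"{mistake}: {hits}")
```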
Documenting and managing your administrator accounts is a project that would be a great kick-off to your cybersecurity new-year.