“It’s good to be the king” – is that so?
In every kingdom, you will find only one king.
But as always, there are some exceptions. In the modern technical environment, there is more than one king, or in our case, more than one Administrator/Power user.
Today, we can find more than one technical team that handles the organization's network or systems: the Networking team, SecOps, DevOps, IT, etc.
For each of those teams, there are systems and equipment that they need to manage or support.
Instinctively, we want to do this job with the highest privileges that we can, maybe to make it faster or just to do it without any limitations. Usually, that user is called “Administrator” or “Admin” or “Root,” etc.
In most cases, that user is the default administrative user for the system or the domain (router, DC, etc.).
But have you ever asked yourself, “Do I have to be the most muscular man to be the king…?”
Could using that default admin account be more harmful than beneficial?
Why is that?
- The password for the “Administrator” user never changes! Making changes to the strongest user in the domain feels dangerous, so nobody does it. An example of such a case: David was an IT team member who left the organization. All the team members used the same “Administrator” user, so David still knows the organization’s administrator password, which means he can use it against the organization.
- What would happen if the king were “hijacked”? The Administrator user is the primary key for everything. For example, if you have a locked-out user and the Administrator user is not available, no other user can help you solve it.
- Another example: when three different people share the same user, you cannot tell which person made a given change (no audit trail).
There are many more examples, but let’s focus on how to do this right.
What should you do?
It’s very simple.
- After the first login or usage with the “Administrator” user, you should create a new admin/power user to use instead of the original. For example, when you create a new domain, it’s recommended to create a new admin user right away.
- Store the Administrator secret (password) in a physical or virtual safe, and use the Administrator user only in emergency cases.
- Create personal administrative users for each team member who needs administrative access rights. The administrative users must be different from the regular users who log in to the computers, and each must have its own hardened password. For example, if my regular user is “David,” then the administrative user should be “DavidAdm” or any other style that will differentiate them. Use those users to log in to servers and other network assets or resources, but don’t use them for computer login or operational logins like reading emails, etc. Use these users for a “run as” only.
- Ensure that all privileged users are under a particular “Group” or container that you can monitor, so that unauthorized logins or changes are recognized.
- Create a special monitoring rule that fires whenever the “Administrator” user is used or changed.
- The last recommendation is to disable every user who has left the organization, as well as service users that are no longer in use.
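As an added example (not part of the original post), here are the monitoring recommendations above expressed as detection rules run over a few constructed sample events modelled on Windows Security log fields. The account names, host names and group names are assumptions made for the example.

```python
"""Detection rules for the break-glass Administrator policy, run over constructed
sample events modelled on Windows Security logs (4624 logon, 4738 account changed,
4728 member added to a global group)."""
from collections import namedtuple

# Hypothetical inventory for this example; a real rule set would read it from AD.
BREAK_GLASS = "Administrator"               # vaulted default account, emergency only
APPROVED_ADMINS = {"DavidAdm", "AliceAdm"}  # personal "<name>Adm" accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Tier0-Admins"}
SERVERS = {"DC01", "FS01"}                  # hosts admin accounts may log on to

LOGON, ACCOUNT_CHANGED, GROUP_MEMBER_ADDED = 4624, 4738, 4728

# user = account that performed the action, target = account acted upon
Event = namedtuple("Event", "event_id user target host group")

def check_event(ev):
    """Return the alert strings raised by one event (empty list if none)."""
    alerts = []
    if ev.event_id == LOGON and ev.user == BREAK_GLASS:
        alerts.append(f"break-glass account used on {ev.host}")
    if ev.event_id == ACCOUNT_CHANGED and ev.target == BREAK_GLASS:
        alerts.append(f"break-glass account modified by {ev.user}")
    if ev.event_id == LOGON and ev.user in APPROVED_ADMINS and ev.host not in SERVERS:
        # Personal admin accounts are for servers and "run as" only, never desktops.
        alerts.append(f"admin account {ev.user} logged on to workstation {ev.host}")
    if (ev.event_id == GROUP_MEMBER_ADDED and ev.group in PRIVILEGED_GROUPS
            and ev.target not in APPROVED_ADMINS):
        alerts.append(f"unapproved account {ev.target} added to {ev.group} by {ev.user}")
    return alerts

def detect(events):
    """Run every rule over a stream of events and collect the alerts in order."""
    return [alert for ev in events for alert in check_event(ev)]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event(LOGON, "DavidAdm", None, "DC01", None),                 # allowed server logon
    Event(LOGON, "DavidAdm", None, "WS-042", None),               # desktop logon
    Event(LOGON, "Administrator", None, "DC01", None),            # break-glass use
    Event(ACCOUNT_CHANGED, "Mallory", "Administrator", "DC01", None),
    Event(GROUP_MEMBER_ADDED, "DavidAdm", "svc-backup", "DC01", "Domain Admins"),
    Event(GROUP_MEMBER_ADDED, "DavidAdm", "AliceAdm", "DC01", "Tier0-Admins"),
]
```

Running `detect(SAMPLE_EVENTS)` yields four alerts: the workstation logon, the break-glass use, the break-glass modification, and the unapproved group addition; the two policy-conformant events stay silent.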