20

At the office where I work, three of the other members of the IT staff are logged into their computers all the time with accounts that are members of the domain administrators group.

I have serious concerns about being logged in with admin rights (either local or for the domain). As such, for everyday computer use, I use an account that just has regular user privileges. I also have a different account that is part of the domain admins group. I use this account when I need to do something that requires elevated privileges on my computer, one of the servers, or on another user's computer.

What is the best practice here? Should network admins be logged in with rights to the entire network all the time (or even their local computer for that matter)?

AliGibbs
poke
  • I always thought that was stupid. I never heard of one good reason to do that. Maybe giving limited accounts to parents on windows but we are talking about our use of accounts –  Jan 20 '11 at 07:38
  • Ever had a kid running around clicking stuff on their PCs? How about accidentally removing the main data share instead of your mp3 folder. – Barfieldmv Jan 20 '11 at 11:41
  • someone please add a "windows" tag to this question – JoelFan Jan 20 '11 at 12:23
  • @Barfieldmv, this question is about a working environment, not the PC in your lounge. Kids shouldn't be anywhere near it and accidental deletions can be restored from backups. – John Gardeniers Jan 23 '11 at 22:41

6 Answers

36

Absolute best-practice is to Live User, Work Root. The user you're logged in as when you hit refresh on Server Fault every 5 minutes should be a normal user. The one you use to diagnose Exchange routing problems should be Admin. Getting this separation can be hard, since in Windows at least it requires dual login-sessions and that means two computers in some way.

  • VMs work real well for this, and that's how I solve it.
  • I've heard of organizations that login-restrict their elevated accounts to certain special VMs hosted internally, and admins rely on RDP for access.
  • UAC helps limit what an admin can do (accessing special programs), but the continual prompts can be just as annoying as having to remote into a whole other machine to do what needs doing.

Why is this a best-practice? In part it's because I said so, and so do a lot of others. SysAdminning doesn't have a central body that sets best-practices in any kind of definitive way. In the last decade we've had some IT Security best-practices published suggesting that you only use elevated privs when you actually need them. Some of the best-practice is set through the gestalt of experience by sysadmins over the last 40+ years. A paper from LISA 1993 (link), an example paper from SANS (link, a PDF), a section from SANS 'critical security controls' touches on this (link).

sysadmin1138
  • Note that in Windows 7 the Administrator account is far more limited and it does not require dual login-sessions. UAC works quite nicely. It works significantly less so in Vista. – Ricket Jan 20 '11 at 05:35
  • @Ricket, I disagree with the comment about the UAC, at least for admins. I've turned it off on my workstation because nearly every piece of software I use causes the UAC to prompt me for permission. That's so irritating and slows me down so much its positives are grossly outweighed by its negatives. To work "quite nicely", as you put it, we should be able to tell it to always allow or disallow specified software but of course it's not that flexible. Quite simply, it's an immature and ill-considered attempt at what might one day be a valuable security component. – John Gardeniers Jan 20 '11 at 09:06
  • Why? Link to these best practices? – realworldcoder Jan 20 '11 at 10:05
  • @realworldcoder: Why? Because it's irresponsible and dangerous to always log in as admin/root. Not sure there is One True link for all OSes, non-Windows OSes tend to be LUA by-design. Microsoft Windows admin can consult this TechNet: [Using a Least-Privileged User Account](http://technet.microsoft.com/en-us/library/cc700846.aspx) – jscott Jan 20 '11 at 15:13
  • ^ Note the TechNet article linked in the above comment is old, written before Vista (since it refers to its codename, "Longhorn"). But for XP users it's very valid. @John I guess everyone's mileage varies, but I never get UAC popups and I use quite a bit of software. The only exception is installers (duh) and the annoying Java updater. Vista was much worse, so if you haven't given UAC a try since Windows 7 I definitely recommend turning it back on, otherwise I guess you're just using outdated/badly written software. There's no way nearly every piece of software prompts for admin permission... – Ricket Jan 20 '11 at 20:12
  • @Ricket, we clearly use very different software. I imagine we also perform very different tasks. Just because the software YOU use doesn't trigger the UAC doesn't mean that applies to the software used by others. As you gain experience you will learn these things. What I said is fact. Why are you questioning it? – John Gardeniers Jan 20 '11 at 20:45
  • The only piece of software I use on a daily basis that triggers UAC on my Win7 Pro machine is Putty. – Keith Stokes Jan 21 '11 at 00:42
  • @John Many people were put off by UAC in Vista, and later turned it off immediately after installing Windows 7, not giving it a solid try but perhaps continuing to argue against it online when really they're basing their opinion on Vista's UAC. I thought this might be the case with you. I know nothing of your experience or tasks and I do hope your knowledge of UAC is indeed up to date (since a fact implies nothing of the time period in which the fact was a true fact). Can you list some of the software that triggers UAC? I'm curious about it as I still haven't seen many programs which do so. – Ricket Jan 21 '11 at 03:56
  • @Keith Stokes: What have you done to poor PuTTY to get it to prompt you for UAC? PuTTY doesn't need elevation to run! – Evan Anderson Jan 21 '11 at 08:05
  • @Evan: I thought it strange at the onset but didn't think deeply about it until reading your comment. I did my standard routine of creating a c:\program files\putty folder and dropping Putty, psftp, etc in. Then I created a shortcut in my taskbar and desktop. Since I'm running a 64-bit Win7 edition I put in c:\program files (x86) Maybe I should put it in my User folder. – Keith Stokes Jan 22 '11 at 00:21
  • It could have something to do with the behavior of Putty. Normal programs install to Program Files and are expected to keep their data within their own folder in the AppData folder; in essence, they should keep to themselves, and if they try to do otherwise (i.e. writing anywhere else without user choice) then they will need elevated privileges. Eclipse, for example, is badly written, so that if you put it in a Program Files folder, it attempts to write its own folder right in your user folder (instead of AppData), and will be blocked since it is not well-written to request privileges. – Ricket Jan 23 '11 at 05:11
  • Anyway suffice to say, yes you should put it somewhere outside of program files. I just put eclipse in C:\eclipse - it's a necessary evil until they fix it to use AppData. – Ricket Jan 23 '11 at 05:12
12

Since this is a Windows domain, it's likely the accounts they are using have complete network access to all the workstations, so if something bad happens, it can be across the network in seconds. First step is to make sure all users are doing day-to-day work, browsing the web, writing documents, etc. in accordance with the principle of Least User Access.

My practice is then to create a domain account and give that account admin privileges on all workstations (PC-admin), and a separate domain account for server admin work (server-admin). If you're concerned about your servers being able to talk to each other, you can have individual accounts for each machine (<x>-admin, <y>-admin). Definitely try to use another account for running the domain admin jobs.

That way, if you're doing something on a compromised workstation with the PC-admin account, and it grabs the chance of your having admin privileges to try to get at other machines over the network, it's not going to be able to do anything nasty to your servers. Having this account also means it can't do anything to your personal data.

I must say, though, that in one place I know where the staff worked with LUA principles, they didn't have a proper virus infestation during the three years I saw; another department in the same place that had everyone with local admin and IT staff with server admin had several outbreaks, one of which took a week of IT time to clean up due to the spread of infection via the network.

It does take some time to set up, but the potential savings are huge if you are hit with problems.

Iain Hallam
  • I behave this way, and use a domain account for my day to day work, and elevate to my privileged admin domain account when I need to. My other co-workers laugh at me, and I cannot wait to see their workstations impact something in a nasty way so I can say I told you so. – songei2f Jan 20 '11 at 15:08
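As an added example (not code from any answer on this page), here are two checks a Windows admin could run to confirm that the separation sysadmin1138 and Iain Hallam describe above is actually in effect: whether the current session holds Domain Admins or local admin rights, and which interactive logons in the Security log used a privileged account. The function names, the `-admin` account-naming pattern and the 7-day window are assumptions of this example.

```powershell
# Added example, not from any answer on this page. Function names, the
# '-admin' naming convention and the 7-day window are assumptions.

# Is the session I'm browsing the web in a privileged one?
# Domain Admins always has RID 512; the S-1-5-21-... prefix is per domain.
function Test-DomainAdminSession {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$id
    $inDA = $id.Groups | Where-Object { $_.Value -match '^S-1-5-21-\d+-\d+-\d+-512$' }
    [pscustomobject]@{
        User          = $id.Name
        IsDomainAdmin = [bool]$inDA
        # Under UAC this reflects the *active* token: false for a filtered
        # (non-elevated) token even if the account is in Administrators.
        IsLocalAdmin  = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Which privileged accounts logged on interactively (console 2, RDP 10,
# cached 11) on this machine? Reading the Security log itself needs admin.
function Get-PrivilegedInteractiveLogons {
    param(
        [string]$AdminAccountPattern = '-admin$',   # e.g. jsmith-admin (assumed)
        [int]$Days = 7
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Parse the event's named EventData fields instead of relying on
        # positional Properties indexes.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($fields.TargetDomainName)\$($fields.TargetUserName)"
            LogonType = [int]$fields.LogonType
        }
    } | Where-Object {
        $_.LogonType -in 2, 10, 11 -and $_.User -match $AdminAccountPattern
    }
}

Test-DomainAdminSession
Get-PrivilegedInteractiveLogons | Format-Table -AutoSize
```

A non-empty result from the second function on an ordinary workstation means someone did day-to-day work under a privileged account, which is exactly the habit the answers above argue against.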
1

Separate accounts for separate tasks is the best way to look at it. Principle of least privilege is the name of the game. Limit the use of "admin" accounts to the tasks that have to be done as "admin".

Liam
1

Opinions differ somewhat between Windows and *nix but your mention of domain admins makes me think you're talking about Windows, so that's the context I'm answering in.

On a workstation you shouldn't normally need to be admin, so the answer to your question in most cases will be NO. However, there are plenty of exceptions and it really does depend on exactly what the person is doing on the machine.

On a server it's a topic of much debate. My own view is that I only log onto a server to do admin work, so it just doesn't make sense to log on as a user and then run each separate tool using run-as, which quite frankly has always been a real pain in the you-know-what and for most jobs it simply makes an admin's life overly difficult and time consuming. Because most Windows admin work is done using GUI tools there is a degree of safety that is not present for say a Linux admin working on the command line, where a simple typo could send him scurrying for last night's backup tape.

John Gardeniers
1

my life is simple... the accounts are distinctively named, and all have different passwords.

God account - domain admin to do all server side work

demigod account to administer the PCs - has no rights to shares/servers - only to the PCs

feeble user - I grant myself power user on my own PC, but I don't even have those rights on other PCs

the reasons for the separation are many. there should be no argument, just do it!

cwheeler33
  • I like the privilege separation at three levels, but getting others to practice what you preach must be a headache. – songei2f Jan 20 '11 at 15:09
  • It can be a tough sell in some environments. But if you can prove yourself to the policy makers, then they will help you make it a followed policy. No Exec wants to lose their company when a free and simple solution exists. – cwheeler33 Jan 20 '11 at 16:35
  • You forgot #4: auditing user to which god logs, which is otherwise independent of all other accounts. So if some hacker makes your god turn vengeful, you know how that happened. – Parthian Shot Aug 01 '14 at 14:49
0

At the risk of being down voted to hell, I have to say it depends on the admin's workflow. For me personally, the vast majority of things I'm doing on my workstation while at work will need those admin credentials. You've got built-in stuff like domain management tools, 3rd party management consoles, mapped drives, command line remote access tools, scripts, etc. The list goes on. Having to type credentials for almost every single thing you open would be a nightmare.

About the only things that don't usually need admin privs are my web browser, email client, IM client, and PDF viewer. And most of those things stay open from the time I login to the time I logout. So I login with my admin credentials and then I RunAs all of my low priv apps with a low priv account. It's much less hassle and I don't feel any less secure for doing so.

Ryan Bolger
  • run as with low priv really does not do much for security as the system is already running with an admin account. You have given yourself a false sense of security. Do it the other way around, login as user, then run as admin. Give yourself power user for your login if you want BUT Please DO NOT BE RUNNING AS ADMIN all the time. – Liam Jan 20 '11 at 20:27
  • +1 As I said in my answer, "it really does depend on exactly what the person is doing on the machine". Despite all the theory and so called "best practice" there are times it just doesn't make sense to log in as a user. At least not in the Windows world. – John Gardeniers Jan 20 '11 at 20:50
  • I'm pretty sure there's no power-user rights in windows 7. http://goo.gl/fqYbb – Luke99 Jan 20 '11 at 21:38
  • @Liam No offense, but you're wrong saying that RunAs with low priv doesn't do much. It does exactly what it's supposed to do which is prevent that particular process (and its children) from doing anything with elevated privileges. And this is perfect for the applications that don't ever need elevated privs and generally tend to be the most targeted by malware as well. – Ryan Bolger Jan 23 '11 at 18:17