[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Administration Elevation (best practice and why elevate)

Posted on 2016-08-30
Medium Priority
Last Modified: 2016-09-18
Can anyone point me towards the best practice in elevating permissions for IT engineers. I am sure there is documentation out there on this and would appreciate pointers.

1) why not provide engineer accounts with Admin rights (or not)
2) why have secondary accounts with additional permissions

By using elevated permissions does this have added security in the event a laptop is lost (they then can not reverse engineer the administratrion logon details)?

Many thanks
Question by:ncomper
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 88

Accepted Solution

rindi earned 800 total points (awarded by participants)
ID: 41776106
It should be pretty straight forward and clear. Never use a PC logged on with an account that has admin rights. If you do that the chances are higher that malicious code can be executed and the user doesn't know. Besides that, if the user forgets to log off when he leaves the PC for a short period, and the screensaver hasn't yet come on, someone else can easily use that admin account to harm the system. With UAC you can easily use the other account that has Admin rights to do things that need elevated rights.

If the laptop is stolen the account type won't help to keep the crooks from your data. For that you need other things. For example use a BIOS password so that you can only start the laptop if the correct password is used then. Those passwords can't be reset without knowing them, or without the help of the laptop manufacturer, and then they require proof of ownership. This makes the PC useless and unsellable to the crooks.

Also set the HD password via the BIOS. That makes the disk useless to anyone who doesn't know that password. These passwords can't be reset even if you have proof of ownership or via the manufacturers. You need to know the password to reset it.

Use disk encryption. That way, even if the BIOS and HD passwords get reset because the thief either knows it, or via try and error, he won't be able to read the data on the disk.
LVL 65

Assisted Solution

btan earned 800 total points (awarded by participants)
ID: 41776213
It is about adopting cyber hygiene in this case is for adhering to least privileged principle which in short only give what is required for the role to function effectively and with optimal efficiency, at best. Indeed there is document for limiting the privileges such as
Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege. Broad privileges are rights and permissions that allow an account to perform specific activities across a large cross-section of the environment- for example, Help Desk staff may be granted permissions that allow them to reset the passwords on many user accounts.

Deep privileges are powerful privileges that are applied to a narrow segment of the population, such giving an engineer Administrator rights on a server so that they can perform repairs. Neither broad privilege nor deep privilege is necessarily dangerous, but when many accounts in the domain are permanently granted broad and deep privilege, if only one of the accounts is compromised, it can quickly be used to reconfigure the environment to the attacker's purposes or even to destroy large segments of the infrastructure.

Granting of excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure. This also include the use of "Enterprise Admin" group, by default, members of the built-in Administrators group in each domain in the forest
When EA access is required, the users whose accounts require EA rights and permissions should be temporarily placed into the Enterprise Admins group. Although users are using the highly privileged accounts, their activities should be audited and preferably performed with one user performing the changes and another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should be removed from the EA group. This can be achieved via manual procedures and documented processes, third-party privileged identity/access management (PIM/PAM) software, or a combination of both
We should really review the role and addition needs for the Engineer role define, such as identify & review (in reference to best practice):

1.Which tasks members of the role perform on a day-to-day basis and which tasks are less frequently performed.
2.On which systems and in which applications members of a role should be granted rights and permissions.
3.Which users should be granted membership in a role.
4.How management of role memberships will be performed.

This is why also the needs for the management and oversight of privileged users (if Engineer is admin or given more rights as required) to opt for safeguards be in place first. It may be just ad-hoc purpose instead the perm "super admin"

•Credential "vaults," where passwords for privileged accounts are "checked out" and assigned an initial password, then "checked in" when activities have been completed, at which time passwords are again reset on the accounts.
•Time-bound restrictions on the use of privileged credentials
•One-time-use credentials
•Workflow-generated granting of privilege with monitoring and reporting of activities performed and automatic removal of privilege when activities are completed or allotted time has expired
•Replacement of hard-coded credentials such as user names and passwords in scripts with application programming interfaces (APIs) that allow credentials to be retrieved from vaults as needed
•Automatic management of service account credentials
LVL 98

Assisted Solution

by:John Hurst
John Hurst earned 400 total points (awarded by participants)
ID: 41776223
1) why not provide engineer accounts with Admin rights (or not)

After 15 years of working with this, it is never correct to make users into Administrators.

Pick one in the group to install software and make Windows Updates automatic.

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: Shawn
IT teams define success as solving problems quickly. To enable ITSM modernization we have to think of adopting the tools and methods that will enable resolution of ITSM issues more quickly.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question