Superuser Accounts – What Are They and Why Should Your Company Stop Using Them?
How to de-escalate admin-type rights
Superuser accounts – what’s not to love about them? It depends on whom you ask. Sysadmins will most likely tell you that users with admin rights are what nightmares are made of. And they’re right; according to an article published on BleepingComputer, a whopping 94% of all possible malware entry points can be mitigated by rescinding admin rights. Think of it as the Occam’s razor of cybersecurity hygiene – why bother deploying intricate security solutions when the answer is within your reach?
Let me start by recounting a funny story a sys-admin told his colleagues on a forum.
As the story goes, one employee emailed him to ask why his antivirus software lit up like a Christmas tree when he received a specific email.
The sysadmin told him that this was supposed to happen – the malicious content gets quarantined before it deploys itself on the machine. But that was beside the point. The user actually wanted to know if the malicious attachment could be unquarantined.
Even more baffling is the fact that he actually asked the sysadmin to switch off the antivirus long enough so he could ‘copy’ the virus. And that’s one of the reasons why employees shouldn’t get admin rights.
Which brings us to today’s topic: superusers and the way they could impact your business. Let’s begin.
What are superuser accounts?
In simple terms, a superuser account means that the user has access to every app and can modify or terminate any Windows process. That’s a lot of power right there, especially for someone working on one of the company’s machines. Okay, let’s assume that there’s nothing wrong with someone installing Spotify on his device. As they say: “music soothes the savage beast”. What about other apps?
How would you, as an employer, feel if you glanced at one of your employees’ screens just to see him watching the latest Walking Dead episode? And that’s just one of many examples. Non-work-related apps can severely hamper productivity. Of course, there’s nothing wrong with a little break. It’s nearly impossible to spend an entire day focused on numbers and words and graphs, but, like everything in life, it should be done in moderation.
Anyway, that’s not even the real issue here. One employee playing a game or someone else binge-watching a series isn’t a reason to go to red alert. However, the real danger is someone purposely (or not) installing or downloading malware-laden apps on that machine. And there are also those who visit banned websites.
How does the superuser account fit in? Some malware, and I’m talking here about the crème de la crème, uses an infiltration technique called rights escalation (privilege escalation) to take over your machine and to communicate with its command & control center. Once it lodges itself in the kernel, it will begin overwriting system-wide permissions. Unfortunately, this tends to happen on machines where users have admin-type privileges.
To sum it up: superuser accounts grant access to all the OS’ functions and features. Anyone with admin-type rights can install/uninstall software, add firewall exceptions to bypass sysadmin-enforced rules, or simply access websites that harbor malware.
Does restricting user rights imply zero trust?
Yes and no – restricting the user’s rights may be construed as a lack of trust. However, it’s neither personal nor professional. By imposing these rules, you mitigate an issue endemic to a certain category of machine users. It’s a bit paradoxical: solving the issue implies zero trust, yet you still need to trust that person enough to work with him or her.
Back to the issue at hand; as a cybersecurity praxis, Zero Trust has tremendous potential. Hence the ever-increasing demand – enterprises are now much more focused on dealing with insider threats than with external ones. In late June, an ERKAN study pointed out that 70% of threats lie within the company.
The very same study also revealed that companies are losing $11 million per year on average due to data leaks originating from inside the company. And, as one would imagine, the main issue here is users having, or rather abusing, admin-type rights.
As you might have guessed, the answer would be rescinding those rights. But it’s more than that. As one of my colleagues pointed out, human factors aside, the devices connected to a company’s network should also be regarded with suspicion. Zero Trust, the emergent cybersecurity praxis, dictates that “organizations should not trust anyone or any device by default and thus, must verify every single connection before allowing access to their network.”
Should Zero Trust become the gold standard? It already has – more and more companies have begun to realize just how dangerous insider threats are, not just to the institution’s status quo, but to its future on the market.
There’s another reason why Zero Trust is warranted – privilege creep(ing). In layman’s terms, it’s the passive accumulation and retention of admin rights that are never revoked, even though most of the endpoints run on limited privileges. Privilege creep is, by far, the most pervasive type of insider threat, since it relies heavily on the company’s lack of PAM (I’ll get to that in a minute).
Think of it like a sleeper cell: it waits for the right time to strike and will do just about everything to go below the radar. Privilege creep(ing) can lead to more severe types of data breaches such as business email compromise.
The best example would be someone accruing admin rights, breaking into the CEO’s mailbox, and sending funds withdrawal requests to employees (CEO fraud). And, unfortunately, although the CEO should, by default, retain admin rights, some of them are not the most tech-savvy individuals. In the end, the responsibility lies on the sysadmin’s shoulders.
So, how do you ‘untrust’ your employees and devices? More specifically, how do you get rid of superuser accounts? This is what we are going to discuss in the upcoming section.
The basics of removing superuser accounts
Removing admin privileges from a single machine is not that much of a hassle. You simply have to create a new user and adjust the rights as necessary. For more information about how to create basic user rights accounts, be sure to check out my article on how to create a new Windows user. The difficulty increases tenfold when you’re a sysadmin and have to perform the same operation on 20 or more endpoints.
This is the very reason why an entire cybersecurity branch was developed – we call it PAM, which is short for Privileged Access Management. Basically, it’s a rights escalation/de-escalation tool that helps sysadmins quickly perform these tasks.
Since the speed of deployment is considered a KPI, the emphasis is on automation. PAM solutions should allow the sysadmin to quickly schedule and authorize ‘sessions’ and, if necessary, to rescind those rights.
So, how does this work? Consider the following scenario: one of the users from the marketing department requests an admin session (needs rights escalation) in order to install a piece of software on his endpoint. Naturally, in an organization that does not use a PAM solution, the sysadmin would need to ‘haul his can’ all the way to the user’s machine and input the master password.
Not only that, but the sysadmin must remain by the employee’s side and supervise the entire process. For a company with a couple of employees, that shouldn’t be a time-consuming endeavor. However, can you rely on the method to deploy software on an enterprise with hundreds of endpoints, with some of them being off-site? You can if your name’s Sisyphus (or you hate yourself that much).
This is where PAM comes into play – each machine starts with basic user rights. Of course, all of them are connected to the company’s server. Now, each time a user requires admin-type rights for work-related purposes (i.e. updating an application, uninstalling a dysfunctional program, cleaning up the registry), instead of the usual process, the sysadmin can authorize or deny the request from a unified dashboard. That’s a very powerful tool, one that saves a lot of time and money, and can prevent the entire network from getting compromised.
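As an added example (not the article’s code, nor Heimdal’s product), the PowerShell script below shows on a single Windows endpoint the three things the sections on privilege creep, on removing superuser accounts, and on the PAM workflow describe: detecting accounts that have quietly stayed in the local Administrators group, dropping them back to standard rights, and granting a time-boxed elevation for one work task that revokes itself afterwards. It assumes the built-in Microsoft.PowerShell.LocalAccounts and ScheduledTasks modules (Windows 10 / Server 2016 and later) and an elevated session; the approved-account list, the log path and the sample user are constructed placeholders.

```powershell
# Added example: minimal local-admin hygiene for one endpoint.
# Not from the article or from any PAM product; requires an elevated session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Accounts allowed to stay in the local Administrators group permanently.
# Anything else found there is treated as privilege creep. (Constructed placeholders.)
$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\IT-Workstation-Admins')
$LogPath  = 'C:\ProgramData\AdminHygiene\admin-audit.log'   # constructed placeholder

# Append one timestamped line to a local audit trail.
function Write-AuditLine {
    param([string]$Message)
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" | Add-Content -Path $LogPath
}

# 1. Detect privilege creep: members of Administrators that are not on the approved list.
function Get-UnapprovedAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name }
}

# 2. Revoke: return every unapproved member to standard-user rights and log it.
function Remove-UnapprovedAdmins {
    foreach ($member in Get-UnapprovedAdmins) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        Write-AuditLine "REVOKE $($member.Name) ($($member.ObjectClass))"
    }
}

# 3. Time-boxed elevation: grant admin rights for one task and schedule the removal,
#    so a one-off install does not turn into a permanent superuser account.
function Grant-TemporaryAdmin {
    param(
        [Parameter(Mandatory)][string]$User,
        [int]$Minutes = 30,
        [string]$Reason = 'unspecified'
    )
    $already = Get-LocalGroupMember -Group 'Administrators' |
                   Where-Object { $_.Name -eq $User }
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $User
    }
    Write-AuditLine "GRANT $User for $Minutes min; reason: $Reason"

    # A one-shot scheduled task running as SYSTEM removes the right and deletes itself.
    $taskName = "RevokeAdmin-$($User -replace '[^A-Za-z0-9]', '_')"
    $cmd = "Remove-LocalGroupMember -Group Administrators -Member '$User'; " +
           "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    Write-AuditLine "SCHEDULED revoke of $User via task $taskName"
}

# Usage on one endpoint (sample user is a constructed placeholder):
Get-UnapprovedAdmins | Format-Table Name, ObjectClass, PrincipalSource
Remove-UnapprovedAdmins
Grant-TemporaryAdmin -User 'CORP\jdoe' -Minutes 30 -Reason 'ticket placeholder: install design tool'
```

The approved list is the control here: run `Get-UnapprovedAdmins` on a schedule and every account that drifted into Administrators without a ticket shows up, which is exactly the creep the article warns about. The scheduled revoke is what separates a PAM-style session from handing out a permanent right; a real PAM product adds the central dashboard, the approval step and the automatic de-escalation on threat detection that a per-machine script cannot provide.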
Heimdal™ Privileged Access Management, Heimdal Security’s answer to PAM, can escalate or de-escalate admin rights on demand. The requests can be handled from the dashboard or even from a mobile device. More than that, our approach to PAM has the unique ability to automatically de-escalate admin rights if our ML-powered module detects suspicious content or activity on an endpoint – insofar as PAM solutions are concerned, de-escalation on threat detection is what sets it apart.
More cybersecurity tips for owners, sysadmins, and employees
Knowing, employing, and deploying PAM solutions for your needs is not enough. You must also work towards educating your staff on insider threats and good cybersecurity practices. Here are a couple of more tips to get you started.
1. With admin rights rescinded, patching and updating might become problematic
Users might not be able to update some apps and programs if they’re running with limited rights. Ensure that your PAM solution can compensate for this. Of course, this does not affect Windows or security updates. Take a gander at Heimdal™ Patch & Asset Management, our automatic patching module, which is available for both consumers and enterprises. Apps & programs get silently patched in the background – no hassle and no more time spent on manual searches.
2. Continuous education
Although sysadmins know by heart what to do in order to prevent malicious attacks, the same thing can’t be said about employees. Regular drills are required to keep your staff on their toes and to help them recognize malicious content. If your sysadmin isn’t too fond of hosting these small seminars, you should consider bringing someone from outside of the company.
3. Aim for additional security layers
PAM aside, you should consider adding extra security layers in order to protect the company’s network and assets. Look up DNS filtering, ML and AI-powered AV/AM solutions, perimeter defenses, business email compromise solutions, spam filters, and secure clouds.
4. Consider BYODs
Maybe some staff members feel more at ease if working on their own devices. Be sure to include some security procedures regarding their BYODs.
Heimdal™ Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Revoking superuser rights should become a standard cybersecurity procedure. As I’ve pointed out, it has nothing to do with the employee’s workplace performance or personal preferences – it’s a safety measure, a buffer, to prevent disastrous outcomes such as data leaks.