SANS 20 Critical IT Controls #8: Controlled Use of Administrative Privileges

A common technique used by attackers is to guess or crack the passwords of administrative accounts to gain access to a server, and from there to compromise large swaths of the environment. Attackers continually refine password-cracking tools in the hope of recovering a system or network administrator's password. They also try to obtain administrative privileges through other vectors, such as a malicious email attachment that tricks a user into executing the attacker's code, which then gives the attacker a foothold on an administrative workstation or server. Regardless of the method used, organizations must control the use of administrative privileges. Following are some of the most important things you can do to tighten administrative access to your systems.

As a first step, inventory all administrative accounts and their passwords, and ensure each follows a stringent password policy consistent with industry best practice, such as a minimum of 12 characters that are not drawn from dictionary words or predictable patterns. Many companies still keep these passwords in text files or Excel spreadsheets. Whatever the storage method, such a file is a single point of failure: one exposure of the spreadsheet that holds all your system passwords, and every system on the list is compromised. Use a password manager or privileged access management tool to automate storage and retrieval. Such a tool keeps the passwords encrypted at rest, can log who retrieved which credential, and can itself be protected with multi-factor authentication, which matters because the vault becomes the most valuable target on the network. Authorized users who need a password must retrieve it through the tool; nobody should send it by email, instant message, or over the phone.

Change all default passwords when you install new hardware or software. Regular password changes (every 60 to 90 days, for example) add further protection, provided the new password is genuinely different rather than a predictable variation on the old one. Administrators must use different passwords, and separate accounts, for their administrative and non-administrative work. When connecting from remote machines, administrators should always log in with a non-administrative account first and then switch to an administrative account (for example with su or sudo on Unix-like systems, or Run as on Windows) only for the tasks that require it. Implement strict separation-of-duties policies so that administrators are granted access on an as-needed basis instead of being handed sweeping privileges.
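The inventory and rotation steps above are the part of this control that can be scripted. The following is an added example (not code from the original post or from SANS) that audits a Linux host's local accounts: it parses passwd, group and shadow-format data, enumerates privileged accounts (UID 0 or membership of an administrative group), and flags duplicate UID 0 accounts, empty passwords, missing rotation limits and passwords older than the 90-day interval discussed above. The set of administrative group names, the 90-day threshold and the sample account data are assumptions constructed for the example; on a real host you would read the three files from /etc instead.

```python
"""Inventory privileged local accounts and flag weak password hygiene.

Added example: parses passwd-, group- and shadow-format text. The sample
data below is constructed so the script runs offline; on a real host read
/etc/passwd, /etc/group and /etc/shadow (the last needs root) instead.
"""
from dataclasses import dataclass

# Assumption: membership of any of these groups confers admin rights.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}
# Assumption: rotation interval from the text (60-90 days); use the upper bound.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Finding:
    user: str
    issue: str


def _lines(text):
    """Yield non-empty, non-comment lines from a colon-separated file."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line


def parse_passwd(text):
    """Return {user: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in _lines(text):
        f = line.split(":")
        users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text):
    """Return {group: (gid, set_of_supplementary_members)}."""
    groups = {}
    for line in _lines(text):
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_shadow(text):
    """Return {user: (hash, last_change_day, max_age_days)}.

    last_change_day is days since 1970-01-01; either value may be None
    when the field is empty.
    """
    shadow = {}
    for line in _lines(text):
        f = line.split(":")
        last = int(f[2]) if f[2] else None
        max_age = int(f[4]) if f[4] else None
        shadow[f[0]] = (f[1], last, max_age)
    return shadow


def privileged_accounts(users, groups):
    """Users with UID 0 or an admin group as primary or supplementary group."""
    admin_gids = {groups[g][0] for g in ADMIN_GROUPS if g in groups}
    priv = {u for u, (uid, gid) in users.items() if uid == 0 or gid in admin_gids}
    for g in ADMIN_GROUPS:
        if g in groups:
            priv |= groups[g][1]
    return priv


def audit(passwd_text, group_text, shadow_text, today_days):
    """Return Findings for every privileged account; today_days = days since epoch."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for user in sorted(privileged_accounts(users, groups)):
        uid = users.get(user, (None, None))[0]
        if uid == 0 and user != "root":
            findings.append(Finding(user, "duplicate UID 0 account"))
        if user not in shadow:
            findings.append(Finding(user, "no shadow entry"))
            continue
        pw_hash, last, max_age = shadow[user]
        if pw_hash == "":
            findings.append(Finding(user, "empty password"))
        elif pw_hash.startswith(("!", "*")):
            continue  # locked or password login disabled: nothing to rotate
        else:
            if max_age is None or max_age > MAX_PASSWORD_AGE_DAYS:
                findings.append(Finding(user, f"no max age <= {MAX_PASSWORD_AGE_DAYS} days enforced"))
            if last is not None and today_days - last > MAX_PASSWORD_AGE_DAYS:
                findings.append(Finding(user, f"password {today_days - last} days old"))
    return findings


# Constructed sample data (not from any real system). Day 19700 is the audit date.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002:Backup:/var/backups:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,svc-backup
users:x:100:
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19600:0:99999:7:::
toor:$6$salt$hash:19650:0:90:7:::
alice:$6$salt$hash:19650:0:60:7:::
bob:$6$salt$hash:19000:0:99999:7:::
svc-backup::19650:0:90:7:::
"""
TODAY = 19700

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW, TODAY):
        print(f"{f.user:12} {f.issue}")
```

On the sample data bob is ignored because he is not privileged, even though his password is 700 days old; alice passes because her password is 50 days old with a 60-day maximum enforced. The script reports root (no rotation limit, password 100 days old), svc-backup (empty password on a sudo-capable service account) and toor (a second UID 0 account, which is a classic persistence trick and should never appear in a clean inventory).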
