Do we really need privileged users anymore?


You’re an admin. Does that mean you always need an admin account for everything? No, and the cloud makes that even more important.

The most painful feature in Windows Vista was the User Account Control setting, originally called Limited User Accounts. Initially pitched as a security feature that alerted you when the software you’d just opened wanted to change system settings, it was actually a way of getting users to complain about software that needed to run as administrator. When you run as administrator, it’s a lot easier for malware to get onto your system and do what it wants to.

For years Microsoft had been begging, to no avail, for software developers to make applications work properly in standard user accounts and to stop writing files outside the user profile. You couldn’t even change the time zone in Windows without being an administrator. Changing the system clock should be an admin privilege because it lets you change the timestamp on a file you’re creating, and for malware that’s a handy way to cover its tracks. But, if you need to be an admin to do basic things, everyone is going to run as admin all the time.

With Windows 7, settings were re-evaluated so that users only need to elevate from standard to admin credential for changes that really affect the system. So, basically, you don’t have to run the risk of being all admin, all the time.

Even when you log in to Windows with an admin account, Windows 7 and Windows 8 only use the standard user token in your account for running software and performing tasks. The admin credential is only used when you hit a task that needs it. And unless you’ve changed the UAC settings with previous Vista frustrations in mind, you’ll get to see that something wants deeper access to the system, and can decide whether that’s legitimate. It doesn’t protect you from everything, but it makes it a little bit harder for things to go wrong.

Admins will want to remember the right-click trick: in Windows 7, and even on the Windows 8 Start Screen, right-clicking a program icon gives you the option to run it as admin without waiting for the software to ask Windows to ask you. And if you love PowerShell, the File menu in Windows 8’s File Explorer has options to open both the command prompt and PowerShell as admin, with the path set to the location of the directory you have open.
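To see that split token from a script rather than from the UAC prompt, here is an added PowerShell example (mine, not from the article): it reports whether the session is on the filtered standard-user token, the full admin token or a plain standard user account, and relaunches a single command elevated only when that command actually needs it. The function names are my own, and the example task (reading the Security event log, which does require the admin token) is just a convenient admin-only operation.

```powershell
# Added example: inspecting and using the UAC split token from PowerShell.
# Function names are the example author's own choices, not Windows APIs.

function Test-IsElevated {
    # True only when this process holds the full administrator token,
    # i.e. it was started through the UAC prompt or "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenState {
    # Three cases. Under the filtered token the Administrators group is still
    # in the token but marked "use for deny only", so IsInRole says no while
    # whoami still lists the well-known SID S-1-5-32-544.
    $adminsSid = 'S-1-5-32-544'
    $groups = whoami /groups /fo csv | Select-Object -Skip 1 |
              ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $inAdmins = [bool]($groups | Where-Object { $_.SID -eq $adminsSid })

    if (Test-IsElevated) { return 'Elevated (full admin token)' }
    if ($inAdmins)       { return 'Admin account, filtered standard-user token' }
    return 'Standard user'
}

function Invoke-Elevated {
    # Run one script block with the admin token without leaving the whole
    # session elevated: if already elevated run it here, otherwise start a
    # separate elevated powershell.exe for just this command (UAC prompts once).
    param([Parameter(Mandatory=$true)][scriptblock]$ScriptBlock)

    if (Test-IsElevated) { return & $ScriptBlock }

    $encoded = [Convert]::ToBase64String(
        [Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString()))
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
}

# Usage: everything else in the session stays on the standard-user token;
# only the Security-log read triggers the prompt.
Get-TokenState
Invoke-Elevated {
    Get-WinEvent -LogName Security -MaxEvents 5 | Format-Table -AutoSize
    Read-Host 'Press Enter to close'
}
```

Run it from a normal PowerShell window on an admin account and `Get-TokenState` reports the filtered token; run the same file from the File Explorer "as administrator" option and it reports the full token, with no prompt from `Invoke-Elevated` because the session already has it.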

You want to apply the same principles to your backend systems too. Just as you wouldn’t give a user an admin account on the server when all they need to do is use the file share, not every admin needs to be an admin on every server and application you have. In many cases, the database admin shouldn’t actually have permissions to see what’s in the databases they administer.

That’s for their own protection. If confidential information goes missing, wouldn’t you rather be able to prove that there is no chance you’re the person that lost it, accidentally deleted it or even gave it away deliberately, because you don’t even have access? The thing to remember is that a privileged user doesn’t always mean the same thing as a trusted user, even when they’re another admin.

Know the difference between privileged and trusted

Keeping this difference clear lets you delegate tasks more safely. Exchange Server 2013 has 85 different management roles built in, so you can allow users to update their own personal information (like their phone number), let managers decide who goes in distribution lists, have someone in the legal team handle retention and legal hold policies, and keep complex settings like transport rules for the mail admins.
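As an added example of that delegation (my code, not the article's), here is how the split described above looks in the Exchange Management Shell using the built-in roles. It goes one step beyond the text by deriving a child role so managers can change distribution list membership without being able to create or delete lists. Group names and mailbox aliases are constructed placeholders.

```powershell
# Added example: delegating with Exchange 2013 RBAC instead of making everyone
# an Organization Management member. Run in the Exchange Management Shell;
# role group names and mailbox aliases below are constructed placeholders.

# How many built-in roles there are to pick from
(Get-ManagementRole).Count

# Legal team: retention policies and hold, nothing else
New-RoleGroup -Name 'Legal Retention Operators' `
    -Roles 'Retention Management', 'Legal Hold' `
    -Members 'legal.lead' `
    -Description 'Legal: retention policies and In-Place Hold only'

# Managers: membership of distribution groups, but not creating or deleting
# them. A child role can only ever be a subset of its parent, so derive one
# from the built-in role and strip the cmdlets you do not want to hand out.
New-ManagementRole -Name 'DL Membership Only' -Parent 'Distribution Groups'
Get-ManagementRoleEntry 'DL Membership Only\*' |
    Where-Object { $_.Name -in 'New-DistributionGroup', 'Remove-DistributionGroup' } |
    Remove-ManagementRoleEntry -Confirm:$false
New-RoleGroup -Name 'DL Managers' -Roles 'DL Membership Only' -Members 'sales.manager'

# Mail admins keep transport rules; a dedicated group makes the grant explicit
# and easy to audit.
New-RoleGroup -Name 'Transport Rule Admins' -Roles 'Transport Rules' -Members 'mail.admin'

# End users: editing their own phone numbers goes through the assignment policy
# that applies to every mailbox, so no admin role is involved at all.
New-ManagementRoleAssignment -Role 'MyContactInformation' -Policy 'Default Role Assignment Policy'

# Audit: who, effectively, can change transport rules right now?
Get-ManagementRoleAssignment -Role 'Transport Rules' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName
```

The last query is the one to run periodically: nested groups and role assignment policies mean the set of people who can actually change a transport rule is not obvious from the role group membership alone.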

If you’re using policy tips, Information Rights Management and Data Leakage Prevention rules to manage how information is shared and sent, you might have specific people who get to decide what rules apply to your business (are you covered by PCI regulations or just the general data protection rules, for example).

Similarly, you can delegate control of SharePoint team sites to managers, and get HR to determine who goes in which Active Directory group based on their job, without giving them rights to change the schema or mess around with the domain controllers. (If you’ve found that out the hard way, remember Quest’s free Object Restore for Active Directory tool can save you a lot of pain).
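For the Active Directory half of that, here is an added example (mine, not from the article) of delegating group membership to HR the narrow way: a single ACE on one OU that grants write access to the `member` attribute of group objects, and nothing over the schema, the domain controllers or the groups themselves. It needs the ActiveDirectory PowerShell module from RSAT; the OU path and group names are constructed placeholders.

```powershell
# Added example: let an HR group change the membership of the groups in one OU
# and nothing else. Requires the ActiveDirectory module (RSAT). The OU and
# group names are constructed placeholders.
Import-Module ActiveDirectory

$targetOu   = 'OU=Department Groups,DC=example,DC=com'   # where the job-role groups live
$delegateTo = 'HR Group Admins'                           # security group of HR staff

# Look up the schemaIDGUIDs from the schema rather than hard-coding them:
# the 'member' attribute limits the grant to one property, and the 'group'
# class limits inheritance to group objects under the OU.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq $ldapDisplayName } `
                        -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
$memberAttributeGuid = Get-SchemaGuid 'member'
$groupClassGuid      = Get-SchemaGuid 'group'

$sid = (Get-ADGroup $delegateTo).SID
$acl = Get-Acl -Path "AD:\$targetOu"

# Allow WriteProperty on 'member' only, inherited to descendant group objects only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttributeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verify: the HR group has exactly one entry here, and is not in any of the
# groups that would give it schema or domain controller rights.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -like "*$delegateTo" } |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType

foreach ($g in 'Schema Admins', 'Domain Admins', 'Enterprise Admins', 'Account Operators') {
    $hit = Get-ADGroupMember $g -Recursive | Where-Object { $_.name -eq $delegateTo -or $_.objectClass -eq 'group' -and $_.name -eq $delegateTo }
    "{0,-20} contains {1}: {2}" -f $g, $delegateTo, [bool]$hit
}
```

Scoping the ACE to the `member` attribute is the whole point: a grant of "Full control" on the OU, which is what the delegation wizard hands out if you click through it, would also let HR rename and delete groups or change who manages them, and that is the kind of accident the Object Restore tool ends up cleaning up.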

This is even more important in the cloud

Now that so many business users are signing up for cloud services themselves, you might also want to think about managing the privileged and admin accounts for those services as well. If you need to manage access and allocate administrative privileges for your on-premises servers, your VMware infrastructure, Amazon Web Services and Office 365, you don’t want to use a different set of tools to manage the same set of users for each service. Look at a privilege management tool like Xceedium’s Xsuite, which can now manage everything so you can control who can change the Exchange transport rules and who can scale up instances on AWS through the same system.

The cloud is giving you a whole new set of admins and superusers to worry about. You should treat that as an opportunity to be more disciplined about who gets access to what admin tools across the entire infrastructure. If you’re not making those choices, you’re just storing up security problems and late nights spent fixing the damage those privileged users can do by accident.

