Bad to be logged in as admin all the time?

Solution 1:

Absolute best-practice is to Live User, Work Root. The user you're logged in as when you hit refresh on Server Fault every 5 minutes should be a normal user. The one you use to diagnose Exchange routing problems should be Admin. Getting this separation can be hard, since in Windows at least it requires dual login-sessions and that means two computers in some way.

  • VMs work real well for this, and that's how I solve it.
  • I've heard of organizations that login-restrict their elevated accounts to certain special VMs hosted internally, and admins rely on RDP for access.
  • UAC helps limit what an admin can do (accessing special programs), but the continual prompts can be just as annoying as having to remote into a whole other machine to do what needs doing.

Why is this a best-practice? In part it's because I said so, and so do a lot of others. SysAdminning doesn't have a central body that sets best-practices in any kind of definitive way. In the last decade we've had some IT Security best-practices published suggesting that you only use elevated privs when you actually need them. Some of the best-practice is set through the gestalt of experience by sysadmins over the last 40+ years. A paper from LISA 1993 (link), an example paper from SANS (link, a PDF), a section from SANS 'critical security controls' touches on this (link).

Solution 2:

Since this is a Windows domain, it's likely the accounts they are using have complete network access to all the workstations, so if something bad happens, it can be across the network in seconds. First step is to make sure all users are doing day-to-day work, browsing the web, writing documents, etc. in accordance with the principle of Least User Access.

My practice is then to create a domain account and give that account admin privileges on all workstations (PC-admin), and a separate domain account for server admin work (server-admin). If you're concerned about your servers being able to talk to each other, you can have individual accounts for each machine (<x>-admin, <y>-admin). Definitely try to use another account for running the domain admin jobs.

That way, if you're doing something on a compromised workstation with the PC-admin account, and it grabs the chance of your having admin privileges to try to get at other machines over the network, it's not going to be able to do anything nasty to your servers. Having this account also means it can't do anything to your personal data.

I must say, though, that in one place I know where the staff worked with LUA principles, they didn't have a proper virus infestation during the three years I saw; another department in the same place that had everyone with local admin and IT staff with server admin had several outbreaks, one of which took a week of IT time to clean up due to the spread of infection via the network.

It does take some time to set up, but the potential savings are huge if you are hit with problems.
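Both answers above come down to the same control: the everyday account is a plain user, and admin rights on workstations belong to one dedicated account (PC-admin) rather than to whoever happens to be logged in. The account split only holds if nobody quietly adds themselves back to the local Administrators group, so a defender will want to audit it. The script below is an added example, not code from either answer; it queries the local Administrators group on a list of workstations and reports any member outside an allow-list. The domain name CONTOSO and the computer names are placeholders, and the PC-admin account name is taken from the answer above.

```powershell
# Added example: audit local Administrators membership on workstations against
# an allow-list. CONTOSO and the WS-* names are placeholders; PC-admin is the
# workstation-admin account proposed in the answer above.

$Domain    = 'CONTOSO'                  # placeholder domain NetBIOS name
$Computers = @('WS-001', 'WS-002')      # placeholder workstation names
$Allowed   = @(
    "$Domain\PC-admin",                 # the one account that should have workstation admin
    "$Domain\Domain Admins"             # default member of every local Administrators group
)

$findings = foreach ($pc in $Computers) {
    try {
        # Get-LocalGroupMember returns Name as DOMAIN\account or COMPUTER\account
        $members = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
    } catch {
        Write-Warning "Could not query $pc : $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        # The built-in local Administrator account is expected on each machine
        if ($m -eq "$pc\Administrator") { continue }

        # Anything not on the allow-list is a deviation from the account split
        if ($Allowed -notcontains $m) {
            [pscustomobject]@{ Computer = $pc; UnexpectedMember = $m }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'All queried workstations match the Administrators allow-list.'
}
```

Run it from the PC-admin session (it needs local admin on each target for the remote query), and schedule it if you want a recurring check; a user's everyday account showing up in the output is exactly the condition the LUA approach is meant to prevent.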

Solution 3:

Separate accounts for separate tasks is the best way to look at it. Principle of least privilege is the name of the game. Limit the use of "admin" accounts to the tasks that have to be done as "admin".