The Perils of Full Administrator Rights

Gaining access to administrative rights is one of the most potent weapons for any malicious agent. Entry to these controls allows cyber-criminals to install or change any software on employees’ machines.

Forrester’s 2016 Wave on Privileged Identity Management revealed that 80% of all data breaches involve the use of privileged credentials in some manner. In today’s world of increased cyber risk, understanding and limiting the number of users with full administrative privileges is essential for all organizations.

Business leaders should treat limiting administrator rights as an essential part of their IT infrastructure in order to secure access to system controls. However, many companies are not putting appropriate measures in place to counter the threat of unchecked admin rights, simply because they aren’t aware of the risks those rights pose. Here are some of the common ways full administrator rights expose your organization to cybercrime.

Access all areas and invite others
Admin rights enable users to install new software, add accounts and amend the way systems operate. Full administrator rights allow users to own any file on the network – privileges always beat permissions.

This means that admin users can change the ownership of documents or folders and then restrict access to them, copy or transfer data without any other authority, or tamper with protected security policies.

Because admin rights allow direct access to, and changes of, specific registry keys, they let users work around Group Policy Object settings and other central management policies whenever they choose. Local admin users potentially always have access to all areas.

The freedom to create new accounts and set privilege levels means that any compromised local administrator account can create multiple new local admins in future. This access poses a serious risk to security, with the potential to give lasting access to malicious users, whether internal or external, as well as any accomplices. 

Laying traps
Once a malicious individual gains access to a user’s desktop, they can turn their attention to corrupting the entire corporate network. With the ability to freely access any part of the operating system or network, miscreants with admin privileges can also prepare 'traps' for users with higher privilege, such as domain admins.

Unrestricted admin rights, therefore, pose a significant risk of privilege escalation attacks and lateral movement. The ability to manage certificates for the local machine means admin users also risk exposing others to phishing and man-in-the-middle attacks.

For example, by installing a fake certificate authority, malicious users can trick others into believing they are visiting trusted sites or receiving information from a trusted source, leading to the gathering of sensitive information or the installation of malware. 

Spying on the network 
Capturing network traffic gives admin users the potential to find vulnerabilities within a network. Port scanning tools are a common means for those with administrative privileges to identify the network services running on a host and to shore up their defenses. But in the wrong hands, the same tools allow malicious users to find and exploit vulnerabilities in the corporate system.

Covering tracks
The freedom to install, update or remove any application or software can inadvertently leave the IT environment open to vulnerabilities. End-users do not necessarily know the full implications of their actions; this unawareness can pose a serious risk to system stability and data security.

One example is that admin users can create scheduled tasks to run as System: applications can be configured to run while bypassing User Account Control prompts, and processes can be run as System too. This means malicious software can be embedded and set to trigger in future, running in the background alongside existing applications.
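A defender's check for the scheduled-task risk just described, added here as an example that is not part of the original article: it lists every task that runs as the Local System account and whose program lives outside the Windows and Program Files directories, so unexpected entries can be reviewed. It assumes a Windows 8 / Server 2012 or later host with the built-in ScheduledTasks module and an elevated shell.

```powershell
# Added example (not from the article): audit scheduled tasks that run as SYSTEM
# from locations outside the usual trusted directories.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

$trustedRoots = @(
    $env:SystemRoot,            # typically C:\Windows
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }         # drop empty entries (e.g. no x86 folder on 32-bit)

function Test-TrustedPath {
    param([string]$Path)
    # Strip surrounding quotes and expand %VARIABLES% before comparing.
    $clean = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $trustedRoots) {
        if ($clean.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($task in Get-ScheduledTask) {
    # S-1-5-18 is the Local System account; tasks may also name it as SYSTEM.
    $runsAsSystem = $task.Principal.UserId -in @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM')
    if (-not $runsAsSystem) { continue }

    foreach ($action in $task.Actions) {
        # Only Exec actions carry a program path; COM-handler actions have no Execute.
        if (-not $action.Execute) { continue }
        if (Test-TrustedPath -Path $action.Execute) { continue }

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Author    = $task.Author
            Execute   = $action.Execute
            Arguments = $action.Arguments
            NextRun   = $info.NextRunTime
            LastRun   = $info.LastRunTime
        }
    }
}

# Bare program names without a directory are reported as well, for manual review.
$findings | Sort-Object Task | Format-Table -AutoSize
```

Run it periodically and compare against a known-good baseline; a task that appears with an author of a regular user account and a program under a profile or temp folder is worth investigating.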

The ability to make any change within an IT system also gives cyber-criminals the means to cover their tracks. They can delete applications and clear the system and security event logs to hide any wrongdoing with relative ease.
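Clearing a log is itself recorded, which gives defenders something to watch for. The following script, added here as an example and not part of the original article, reports the events Windows writes when a log is cleared: event 1102 in the Security log and event 104 in the System log, both from the Microsoft-Windows-Eventlog provider. It assumes an elevated shell (the Security log cannot be read otherwise).

```powershell
# Added example (not from the article): find log-clearing events from the last N days.
# Event 1102 is written to the Security log when it is cleared; event 104 is written
# to the System log when the System, Application or another log is cleared.
# Assumes an elevated PowerShell session.

$Days  = 7
$since = (Get-Date).AddDays(-$Days)

$queries = @(
    @{ LogName = 'Security'; Id = 1102; ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $since }
)

$results = foreach ($q in $queries) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
        # Both events carry their details in a UserData/LogFileCleared element.
        $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        if ($_.Id -eq 1102) { $cleared = 'Security' } else { $cleared = $data.Channel }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            ClearedLog = $cleared
            By         = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Computer   = $_.MachineName
        }
    }
}

if (-not $results) {
    Write-Host "No log-clearing events in the last $Days days."
} else {
    $results | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Because an admin who clears the Security log also removes earlier 1102 entries, the check is only reliable when events are forwarded to a central collector the local administrator cannot modify.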

These examples show that once an attacker infiltrates an endpoint with full administrator privileges, they can quickly wreak havoc within an organization, and the most skilled can remain undetected.

According to Gartner vice president and distinguished analyst Neil MacDonald, privileged account management should be a top security project on every CISO’s list for 2018. IT leaders must balance stronger security measures against granting users the freedom to complete their work efficiently, and this is where endpoint privilege management can play a crucial role.

Operating in an environment of 'least privilege' means organizations can develop a stronger security posture, without the need to limit operational agility. Businesses must understand that withdrawing administrator rights will reduce the attack surface for malicious individuals while maintaining the ability of personnel to be productive in their role.
