Five good reasons why you can’t risk giving admin rights to your server administrators

By Andrew Avanessian, VP Professional Services at Avecto.


This article covers the top five reasons why running server administrators with full admin rights no longer represents an acceptable level of risk, explaining why the principle of least privilege means that this is no longer a ‘necessary evil’.


In a post Snowden era, enterprise security has been positioned squarely in the spotlight, forcing organisations to reassess who has access to sensitive, business critical data. As respected consultancies such as SANS become increasingly vocal in their recommendations to remove administrative rights, the challenge is to ensure that even the most powerful users in the data centre have the access they need without compromising security.


Migration away from Windows XP has acted as a catalyst for the standard user revolution as global organisations adopt the principle of least privilege, delivering what’s commonly referred to as the ‘least risk’ environment. But server administrators are surely a different kettle of fish: these are trusted, tech-savvy individuals who need to have the ‘keys to the kingdom’ in order to complete their job roles efficiently and effectively, right?


Here are 5 good business reasons why allocating admin rights to server administrators is neither acceptable nor necessary in a secure and operationally sound enterprise environment…


1) Your server admins are just like everyone else: They’re not perfect
The reality is that the business impact of, at best, taking down a single server or, at worst, taking down your entire data centre is far greater than the impact of the same scenario on a desktop computer. What are the chances that a server administrator within your organisation could make an accidental misconfiguration when logging on to a server to complete a routine task? How severe could the impact on your organisation’s revenue be should this mistake result in downtime?
Implementing least privilege for server administrators means that they are empowered to perform only the task at hand; if you can deliver the same level of usability and productivity for your admins whilst limiting the potential for costly mistakes, why wouldn’t you provide them (and the business as a whole!) with this level of assurance?


2) Your server admins deserve to be protected against malware
Your administrators are highly skilled individuals, but those who write malware are some of the most sophisticated developers in the world. Targeted malware could take hold of an admin’s machine without them even realising it; the growth in 0-day attacks means that detection is incredibly difficult.
How great is the risk to your business should a kernel mode rootkit become installed on a server, particularly if it cloaks itself from detection and lies dormant?
User Account Control (UAC) helps to ‘catch’ many security threats but it hinders the ability of your admins to complete their roles efficiently, so it’s common practice that this is turned off whilst work is ongoing: this leaves your data centre environment with virtually no protection against malware during configuration time. Where users run as admins, permissions mean nothing; malware can circumvent these and proliferate across your network.
According to statistics highlighted in our Microsoft Vulnerabilities Report, 92% of critical vulnerabilities can be eliminated by running users as standard. Would your administrators welcome the opportunity to perform their roles in a more secure way?


3) You need to deliver compliant servers
In line with overwhelming evidence from real-world attack data such as the Top 35 Mitigation Strategies from the Australian Department of Defence, the implementation of least privilege for all users within an organisation is becoming mandatory under an ever-increasing number of internal and external compliance frameworks.
If you’re subject to the requirements of PCI DSS, Sarbanes-Oxley (SOX), MAS, USGCB, PCN, HIPAA or similar internal mandates, the implementation of a least privilege environment in the data centre will provide you with an adaptable security strategy which will enable you to hit the constantly moving target of compliance in the long term.


4) Your server admins are dedicated, hardworking, tech-savvy individuals
Your data centre admins are concerned with getting the job done as quickly and efficiently as possible, particularly in break-fix scenarios.
As many organisations move towards removal of admin rights on servers without a least privilege approach, long-winded processes for the ‘check-out’ of admin passwords have been implemented.
Once you’ve given your well-intentioned users access to a temporary admin account, they will find a way around the approval process so that they can do their job quicker, mitigating the financial impact of delays on the business. They’re tech-savvy, so they’ll know that they can create a separate, permanent admin account that they can access unaudited in a future break-fix scenario.
Implement least privilege in your data centre environment and your administrators are empowered with the privileges they need to respond to urgent break-fix scenarios, without the need for you to allocate risky admin accounts.


5) Your organisation needs visibility of privileged activity in the data centre
The growing significance of cloud computing, BYOD (bring your own device) and social media renders attempts to secure your organisation’s perimeter ineffective: your data is everywhere. As a result, it’s critical that privileged access to such data can be audited and reported upon.
Comprehensive knowledge of who, what, when and why is the order of the day, and malicious activity, whether carried out by malware or an employee, can easily be identified and blocked through least privilege reporting tools which put privilege in context. Utilising admin rights to perform a particular task within the data centre isn’t an issue in itself, but performance of this task multiple times at 3am when it is usually completed in business hours between 9am and 5pm must be automatically identified and blocked.
Implementing a least privilege solution with integral auditing and reporting will allow visibility of all administrator activity, providing peace of mind that your organisation has an optimally secure data centre environment.
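One way to turn the ‘who, what, when’ audit trail described in reasons 4 and 5 into an automated check, as an added example that is not part of Avecto’s article or of any product it describes: the script builds a per-task baseline of business-hours use from constructed audit records, flags an admin repeating a normally daytime task at 3am, and flags any event that creates standing admin rights (the ‘separate, permanent admin account’ problem). The record format, task names, sample data and the repeat threshold are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(9, 17)  # 09:00 to 16:59, the article's 9am-5pm window
REPEAT_THRESHOLD = 3           # out-of-hours runs of one task by one admin in one day

# Constructed audit records for illustration only: (timestamp, admin, server, task).
# Four routine daytime service restarts, the same task fired on three servers at 3am,
# and one event that grants standing local admin rights.
AUDIT_LOG = [
    ("2014-03-03T10:15:00", "jsmith", "SQL01", "restart_service"),
    ("2014-03-04T11:02:00", "jsmith", "SQL01", "restart_service"),
    ("2014-03-05T14:40:00", "rlee",   "SQL02", "restart_service"),
    ("2014-03-06T09:30:00", "jsmith", "SQL01", "restart_service"),
    ("2014-03-07T03:05:00", "jsmith", "SQL01", "restart_service"),
    ("2014-03-07T03:06:00", "jsmith", "SQL02", "restart_service"),
    ("2014-03-07T03:07:00", "jsmith", "SQL03", "restart_service"),
    ("2014-03-07T22:10:00", "rlee",   "WEB01", "add_local_admin"),
]
STANDING_PRIVILEGE_TASKS = {"add_local_admin"}  # hypothetical task name

def in_hours(ts):
    """True for a weekday timestamp inside the business-hours window."""
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS

def business_hours_tasks(log):
    """Tasks 'usually completed in business hours': most observed runs fall in hours."""
    tally = defaultdict(Counter)
    for ts, _admin, _server, task in log:
        tally[task][in_hours(datetime.fromisoformat(ts))] += 1
    return {task for task, c in tally.items() if c[True] > c[False]}

def find_anomalies(log):
    """Flag repeated out-of-hours runs of a daytime task and any grant of standing admin rights."""
    daytime_tasks = business_hours_tasks(log)
    out_of_hours = Counter()
    findings = []
    for ts_str, admin, server, task in log:
        ts = datetime.fromisoformat(ts_str)
        if task in STANDING_PRIVILEGE_TASKS:
            findings.append(("standing_privilege", admin, server, ts_str))
        elif task in daytime_tasks and not in_hours(ts):
            out_of_hours[(admin, task, ts.date().isoformat())] += 1
    for (admin, task, day), n in out_of_hours.items():
        if n >= REPEAT_THRESHOLD:
            findings.append(("out_of_hours_repeat", admin, task, day, n))
    return findings
```

In a real deployment the findings would feed the policy engine that decides whether to block the action, which the script leaves to the enforcement point.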
