User roles – Why they should be secured

In previous articles, we have talked about the importance of restricting who can access what on your business networks.  Another important thing to consider is who can DO what. This is where User Roles come in.

By default, on a normal business-grade Windows network, the Domain Administrators have almost full control over everything. It is important to keep this role secure as a compromised Domain Admin account would be disastrous for any network. Some users may request or insist that they be granted admin rights so that they can perform their role more efficiently, without some of the security roadblocks your IT department may implement. These security measures are there for a reason though, and there is almost never a good reason to give domain level admin access to normal users. In the event where a user legitimately does need elevated access, a local administrator role – one affecting only their workstation – should suffice.

What is the risk?

Having insecure user roles can open your network up to a variety of attacks. In an event where all users have elevated access, a single compromised account would be disastrous. The same is true for malware such as crypto locker variants. If a user triggers an infection, generally anything they have access to is at risk. Due to this, it is worth considering the Principle of Least Privilege. This is the idea that a user should only have access to the absolute minimum required to do their job and nothing more. The benefit of this is that it reduces the potential attack surface presented by any single user.

What measures should you take?

To maintain organisational security, it is important to establish and follow a set of guidelines. Some common suggestions are:

  • Disable the built-in administrator accounts on your servers and replace them with custom named ones, preferably avoiding names like “admin”, “administrator”, etc.
  • Domain Administrator roles should be reserved for specific accounts which are not shared or used by standard employees.
  • Limit employee access to only what they need.
  • Considering familiarising yourself with and implementing the Principle of Least Privilege