Superuser accounts are highly privileged accounts used primarily for administration by specialized IT employees. A superuser is a user leveraging a superuser account. These superusers/accounts may have virtually unlimited privileges, or ownership, over a system. Superuser account privileges may allow:
- full read/write/ execute privileges
- creating or installing files or software
- modifying files and settings
- deleting users and data
In this blog I will cover some common types of superuser accounts, security implications of these highly privileged accounts, best practices for securing them, and key technologies for managing and protecting superuser accounts.
Superuser accounts in Windows, Linux, & Unix/Unix-like Systems
In Windows systems, the Administrator account holds superuser privileges. Each Windows computer has at least one administrator account. The Administrator account allows the user to install software, and change local configurations and settings, and more. Standard users have a considerably restricted set of privileges, while guest user accounts are customarily limited even further, such as to just basic application access and internet browsing.
In Linux and Unix-like systems, the superuser account, named ‘root’, is virtually omnipotent, with unrestricted access to all commands, files, directories, and resources. Root can also grant and eliminate any permissions for other users. While Mac OS X is Unix-like, unlike Unix and Linux it is rarely deployed as a server. As a default, Mac users run with root access—however, as a best security practice, a non-privileged account should be created and used for routine computing to reduce the scope of privileged threats.
Security Implication of Superuser Accounts
When misused, either inadvertently (i.e. mistyping a powerful command or accidentally deleting an important file), or with malicious intent, superuser accounts can wreak catastrophic damage upon a system or entire organization.
Most security technologies are helpless in protecting against superusers because they were developed to protect the perimeter—but superusers are already on the inside. Superusers may be able to change firewall configurations, create backdoors, and override security settings, all while erasing traces of their activity.
Insufficient policies and controls around superuser provisioning, segregation, and monitoring further heighten risks. For instance, database administrators, network engineers, and application developers are frequently given full superuser-level access. Sharing of superuser accounts amongst multiple individuals is also a rampant practice, which muddles the audit trail. And in the case of Windows PCs, users often log in with administrative account privileges—far broader than what is needed.
Cyber attackers, irrespective of their ultimate motives, actively seek out superuser accounts, knowing that, once they compromise these accounts, they essentially become a highly privileged insider. Additionally, malware that infects a superuser account can leverage the same privilege rights of that account to propagate, inflict damage, and pilfer data.
In one of the more infamous tales of a rogue insider, Edward Snowden, an IT contract worker for the NSA, abused his superuser privileges to access, copy, and leak over 1 million highly sensitive NSA files. In the wake of this scandal, the NSA targeted 90% of it system administrators for elimination, to better establish a least-privilege security model.
Protecting & Monitoring Superuser accounts
Organizations looking to rein in and protect superuser accounts will implement some or all of the following best practices:
- Enforce least privilege access: Limit superuser membership to the minimum people. Ensure that each user has the absolute minimum privileges they need to do their job. This can mean elevating privileges temporarily when needed (such as to an application), but without granting full superuser rights to the user account. In Unix and Linux systems, the sudo (superuser do) command allows a normal user to temporarily elevate privileges to root-level, but without having direct access to the root account and password.
- Segment systems and networks: By partitioning users and processes based on different levels of trust, needs, and privilege sets, you can constrain where and how a superuser can act.
- Enforce separation of privileges: This will entail separating superuser functions from standard account requirements, separating auditing/logging capabilities within the administrative accounts, and even separating system functions (read, edit, write, execute, etc.).
- Enforce superuser password rotation and security: Passwords should meet rigorous security standards. Passwords should be regularly rotated, including after each use for the most powerful accounts.
- Monitor and audit all superuser sessions: Record, log, audit, and control all superuser session activity to provide accountability and meet with compliance demands.
Technologies for Managing / Securing Superusers
Privilege Access Management (PAM), also called Privileged Identity Management (PIM) or just Privilege Management, involves the creation and deployment of solutions and strategies to manage superuser and other types of privileged accounts/access across an IT environment. PAM solutions:
- Discover all superuser and privileged accounts
- Enforce least privilege (remove admin rights)
- Implement superuser privilege management (SUPM) to gain granular control over privilege elevation
- Enforce password security best practices for superuser accounts
- Audit all superuser session activity
To learn how BeyondTrust can help you gain control over superusers and mature your privileged access security program, contact us today.