Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

The Law Of Unintended Consequences

December 21, 2011

  • Blog
  • Archive
It's been a long while since I've logged into a UNIX box at the console or via telnet. But back when I was first learning my way around UNIX in the late 80's and early 90's, I vividly remember the nearly universal greeting when logging in as root: -------------------------------------- login: root password: Don't login as root, use su. # --------------------------------------- That short bit of advice whenever I logged in as root stuck with me. I didn't always obey it, and usually I ignored it at my own peril. I remember many times when I really wish I hadn't been root when installing random software or just going about my business, and the law of unintended consequences reared its ugly head. When I began using Windows NT in earnest, and then Windows 95, I noticed immediately that this simple principle simply seemed to be missing. It was always assumed that if it was your machine or server, that you would naturally have administrative rights at all times. Chaos ensued, and I often found myself rebuilding machines from scratch to recover from a relatively simple mistake committed with admin rights. I rapidly recalled those earlier admonishments to use 'su' rather than the root account, and always remembered to create standard user accounts for day to day use. This was really hard in the "old days" of Windows, and some might say it's still a pain in the butt today, though it's become much, much easier with the advent of things like User Account Control in Vista and Windows 7. In those days (and, honestly, still today) I also suffered from a problem that many in the IT world will recognize: that I was the personal IT support department of my family, particularly my dad. Sure, I tried to get him to log in as a standard user early on, in the interest of saving myself some headaches, but of course it didn't stick. I can remember on numerous occasions being summoned to deal with a virus or some other kind of malware that had embedded itself so deeply in the system that even specialized tools were unable to remove it. Oh, if he had only been a standard user it never would have required the multiple reformat and rebuilds that it did. Yeah, you remember. And so we arrive at today.. Microsoft has finally caught up with the decades-old UNIX capability of 'sudo' that is essentially what UAC provides. So life is better, right? Now actions performed as administrator can be logged and patrolled to some degree, but of course some issues have remained. With 'su' you could grant very specific capabilities, such as the ability to run a single application or command as root, without handing over the keys to the castle. UAC still makes this tricky, since unlike 'sudo' it doesn't ask for your user credentials to elevate an application or command, but instead asks for admin credentials. So now we're almost back to square one--where 'su' allows you to empower regular users to do specific things, UAC is virtually an all-or-nothing proposition. This may work fairly well in the home market, but it certainly flops big time in a corporate setting. The bottom line here should be obvious, we here at BeyondTrust make really cool software that allows you to control admin privileges via network policy at a very granular level, and we can solve a huge swath of these problems in a corporate setting. But being new here (this is my third week), I thought I'd kick off the blogging by talking a little bit about my personal history with avoiding root and admin privileges for my day to day work, and why it has always been important advice, both in how I've worked and in the advice I've given to others. Thanks for reading!

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

A Zero Trust Approach to Secure Access

Webcasts

Rising CISOs: Ransomware, Cyber Extortion, Cloud Compromise, oh my!

Whitepapers

A Zero Trust Approach to Windows & Mac Endpoint Security

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.