BeyondTrust - Secure Remote Access and Privileged Access Management

What are Admin Rights?

Administrator (Admin) rights are a high level of privileges that allow a human or non-human account to perform most or all functions within a particular system, network, or tool. Admin rights can enable accounts to execute actions such as:

  • Installing/uninstalling software

  • Modifying configurations and system settings

  • Managing user accounts and assigning permissions

  • Accessing sensitive data

  • Changing device settings

  • Configuring security controls such as firewalls and antivirus software

While this level of superuser access is essential for properly managing IT environments, it represents a high level of risk, especially if an attacker is able to gain admin access within a system. The BeyondTrust Microsoft Vulnerabilities Report found that roughly 75% of critical Microsoft vulnerabilities, even in the absence of patching, could have been mitigated simply by removing admin rights.

Types of Admin Rights and Accounts

Types of admin access can vary based on role, domain, and system. A few examples of admin access types include:

  • Local Administrator Accounts: enable a user to make unrestricted changes to a specific Windows computer. While seemingly limited in scope, local admin accounts can be used to perform high-privilege actions such as accessing and exfiltrating all files on the device, making significant changes to the system such as disabling features, and installing any application.

  • Root: the highest possible access on a Unix-based system (Mac, Linux, etc.), which allows a user to make unrestricted changes to the system.

  • Global Administrator Accounts: provide the highest possible access within a Microsoft 365 environment, allowing a user to make unrestricted changes across a multi-domain environment, such as resetting passwords for all users, adding and managing domains, etc.

  • System Administrator Accounts: also known as ‘sysadmin’ or ‘super admin,’ these hold the highest possible permissions that a user can have within a particular domain, such as a specific cloud environment, platform, or tool.

  • Break-glass Accounts: enable users to bypass normal operating constraints to gain administrative access in an emergency situation.

  • Shadow Admins: overlooked, hidden, and often inadvertently created accounts. Privileges could be deeply nested or enabled via a misconfiguration.

Admin Rights for Non-Human Identities (NHIs)

While all of the admin accounts mentioned above are commonly associated with human users, modern environments also leverage a growing number of non-human identities (NHIs) and accounts such as service accounts, system accounts, machine accounts, and application accounts. These machine identities, which mainly exist to automate key tasks or facilitate interaction between various applications and services, are now estimated to outnumber human identities at the typical enterprise by a factor of 10 to 50, or even more, depending on the study.

To support operations across an organization, machine accounts require some level of admin rights, such as permissions to access or alter data, log into databases, servers, and other key services, and scale workloads and containers up or down as needed in a cloud environment.

Admin rights leveraged by such non-human accounts pose several unique risks, including:

  • Lack of visibility into the machine identities that exist and which permissions they have, due to unclear ownership.

  • Less oversight into actions, as non-human identities run autonomously at a greater speed and scale. While human accounts are only used during specific times of the day, machine identities may operate continuously and unobtrusively, which can make it more challenging to detect anomalies.

  • Fewer security measures than are commonly seen in human accounts with admin rights. For instance, machine identities lack the traditional multi-factor authentication (MFA) protection that requires human interaction.

  • Heightened potential for exposed or stale secrets. Machine credentials for privileged processes may not be rotated as frequently as privileged human credentials, or at all. This is due to impracticality or fear of causing downtime by disrupting processes that rely on fast, high-scale synchronization. Moreover, machine credentials are often embedded in code for various reasons, one of which is that machine-to-machine communication often requires unattended authentication.

Because of these added risks, organizations should consider how to closely manage and secure machine identities.

Best Practices for Managing Admin Rights and Mitigating their Risks

  • Discovering which identities have admin rights. Organizations must first discover which human and non-human identities have admin rights within their systems, across on-premises and clouds. It’s important to uncover admin rights throughout the entire identity estate, including for shadow admins, which can pose a hidden risk.

  • Removing unnecessary admin account rights. After discovering which identities have admin rights, teams should enforce the principle of least privilege by removing any admin rights that are overly permissive and unnecessary for the human or non-human identity in question to perform day-to-day roles.

  • Implementing just-in-time access. Beyond removing unnecessary rights, organizations should also restrict when the remaining rights can be used. Organizations should remove all standing privileges for human accounts, and as much as is feasible for machine accounts. When users can execute admin-level actions only at the exact level and for the amount of time needed, it significantly limits the threat windows during which those privileges are active and ripe for misuse or abuse by a threat actor.

  • Managing credentials and secrets to protect admin accounts. It’s also paramount to protect accounts with admin rights from risk of credential hijacking. If an attacker can access an account with admin rights via credential or secret misuse, they are then able to perform high-privilege actions, including disabling security controls, exfiltrating sensitive data, moving laterally, escalating privileges, and much more.

  • Removing local admin access. Local admin rights are often unneeded to perform routine tasks such as browsing the Internet or using approved applications. Yet, it's common for regular users to have local admin access by default, which poses considerable risk. For instance, users with admin rights could accidentally download malicious software via phishing or another type of social engineering, or unintentionally share or delete crucial data, files, or programs. Additionally, if a threat actor gains control of a local admin account, they can access and exfiltrate all files on the device, make changes to the system such as disabling security features, and install malware. If connected to a corporate network, any of these risks could affect the network at large.

  • Monitoring high-privilege activities. It’s important to collect an audit trail of all high-privilege activities to prove compliance and flag suspicious behavior as early as possible.

  • Implementing application control. With app control best practices such as blocklisting, allowlisting, and leveraging Trusted Application Protection (TAP), organizations can ensure that only authorized applications are allowed to run within their systems.
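
An added example (not BeyondTrust code) of the discovery step in the list above: it walks nested group memberships to list every identity that effectively holds admin rights, together with the group chain that grants them, which is how shadow admins surface. The group names, identities, and the `MEMBERS` export format are constructed for illustration.

```python
from collections import deque

# Constructed sample export: group -> direct members.
# A member that is itself a key of this dict is a nested group (assumption).
MEMBERS = {
    "Administrators": ["alice", "IT-Ops"],
    "IT-Ops": ["bob", "Helpdesk-Tier2", "svc-backup"],
    "Helpdesk-Tier2": ["carol", "Legacy-Tools"],
    "Legacy-Tools": ["svc-deploy", "IT-Ops"],  # loops back to IT-Ops (misconfiguration)
    "Staff": ["dave", "carol"],
}


def effective_admins(admin_group, members=MEMBERS):
    """Map each identity with admin rights to the shortest group chain granting them."""
    paths = {}
    seen = {admin_group}  # guards against circular nesting
    queue = deque([(admin_group, [admin_group])])
    while queue:
        group, path = queue.popleft()
        for member in members.get(group, []):
            if member in members:  # nested group: expand it once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:  # breadth-first, so first hit is shortest
                paths[member] = path
    return paths


def shadow_admins(admin_group, members=MEMBERS):
    """Identities that are admins only through nesting, not by direct membership."""
    found = effective_admins(admin_group, members)
    return {ident: path for ident, path in found.items() if len(path) > 1}


if __name__ == "__main__":
    for ident, path in sorted(effective_admins("Administrators").items()):
        tag = "direct" if len(path) == 1 else "NESTED"
        print(f"{tag:6} {ident:12} via {' > '.join(path)}")
```

The chain printed for each nested identity shows which single membership to remove when enforcing least privilege.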

Admin Rights Software

Enterprise software toolsets for removing admin rights typically fall within the privileged access management (PAM) discipline. These solutions also manage the privileged identities, accounts, credentials/secrets, sessions, and processes related to granting and using admin rights and entitlements. PAM solutions can be installed on-premises or offered in the cloud as SaaS.

Key PAM tools / subdisciplines for protecting admin rights include the following:

Modern PAM solutions also provide advanced AI-driven analytics over admin rights and entitlements, helping organizations pinpoint, prioritize, and remediate the highest risk admin issues, including shadow admin accounts typically overlooked by other tool classes.
