Superuser accounts are highly privileged accounts primarily used for administration by specialized IT employees. These users/accounts may have virtually unlimited privileges, or ownership, over a system. Superuser account privileges may allow:
full read/write/ execute privileges
creating or installing files or software
modifying files and settings
deleting users and data
In Windows systems, the Administrator account holds superuser privileges. Each Windows computer has at least one administrator account. The Administrator account allows the user to install software, and change local configurations and settings, and more. Standard users have substantially curtailed privileges, while guest user accounts are generally limited even further, to just basic application access and internet browsing.
In Linux and Unix-like systems, the superuser account, called ‘root’, is virtually omnipotent, with unrestricted access to all commands, files, directories, and resources. Root can also grant and remove any permissions for other users. Mac OS X, is Unix-like, but unlike Unix and Linux, is rarely deployed as a server. As a default, Mac users run with root access, though, as a best security practice, a non-privileged account should be created and used for routine computing to reduce the potential and scope of privileged threats.
If misused, either in error (i.e. inadvertently deleting an important file or mistyping a powerful command), or with malicious intent, superuser accounts can inflict catastrophic damage to a system/organization.
While most security technologies are developed to protect the perimeter, superusers are already on the inside. Superusers may be able to change firewall configurations, create backdoors, and override security settings, all the while erasing traces of their activity.
Inadequate policies and controls around superuser provisioning, segregation, and monitoring further heighten risks. Database administrators, network engineers, and application developers are frequently given full superuser access. Users often share superuser accounts between them, which muddles the audit trail. In the case of Windows PCs, users often log in with administrative account privileges—far broader than what is needed.
In one of the more notorious tales of a rogue insider, Edward Snowden, an IT contract worker for the NSA, abused his superuser privileges to access, copy, and leak over 1 million highly sensitive NSA files. In the wake of this scandal, the NSA targeted 90% of it system administrators for elimination, to better establish a least-privilege security model.
Hackers covet superuser accounts knowing that, once they assume these accounts, he/she essentially becomes a highly privileged insider. Additionally, malware that infects a superuser account, can leverage the same privilege rights of that account to cause damage and steal data.
Organizations looking to rein in and protect superuser accounts will implement some or all of the following best practices:
Enforce least privilege access: Limit superuser membership to the minimum people. This can mean temporarily elevating privileges temporarily when needed, but without granting full superuser rights to the account. In Unix and Linux systems, the sudo command allows a normal user to temporarily elevate privileges to root-level, but without having direct access to the root account and password.
Segment systems and networks: By partitioning users and processes based on different levels of trust, needs, and privilege sets, you can constrain where and how a superuser can act.
Enforce separation of privileges: This will entail separating superuser functions from standard account requirements, separating auditing/logging capabilities within the administrative accounts, and separating system functions (read, edit, write, execute, etc.).
Enforce superuser password rotation and security: Passwords should meet rigorous security standards. Passwords should be regularly rotated, including after each use for the most powerful accounts.
Monitor and audit all superuser sessions: Record, log, audit, and control all superuser session activity to provide accountability and meet with compliance demands.
Privilege Access Management (PAM), also called Privileged Identity Management (PIM) or just Privilege Management, involves the creation and deployment of solutions and strategies to manage superuser and other types of privileged accounts across an environment. PAM solutions:
Discover all superuser and privileged accounts
Enforce least privilege (remove admin rights)
Superuser privilege management (SUPM) – granular control over privilege elevation
Enforce password security best practices for superuser accounts
Audit all superuser session activity