Why I Say Something about Running as Administrator

On a couple of recent webcasts, I pointed out that the folks were running with the local Administrator account. To start this out, I'm not a big fan of security by obfuscation. Security by obfuscation (not code obfuscation; call it security by obscurity if you prefer, since I'm using the two terms interchangeably here) is where you hide something and hope no one finds it. For instance, you move your web server from port 80 to another port, thinking you're safe. You aren't, as anyone with nmap or another port scanning tool can find your web server. But when it comes to the Administrator account, I prefer to rename it. The reason is fairly simple: you know that scripts, worms, etc., will target the Administrator account by name, and by renaming it you immediately stop those attacks in their tracks. Sure, you'll get the hits in your security event log, but that particular account has no chance of being compromised by such attacks. Yes, the SID is well known, but identifying the right account by its SID requires a bit more sophistication in the attack.

Now I must admit, in the cases where I saw the use of Administrator, the presenters were running in a VM with no sensitive data on board. And given that it's not exactly hard to locate the Administrator account, why say anything? It goes back to something I believe Steve Jones said a while back. Basically it amounted to, "Don't tell me not to do something and then do it." If I remember right, he was speaking with regards to presentations. Part of the point is that people will remember what you did. And if you're a parent, you understand that "Do as I say, not as I do," doesn't work so well with kids. I don't think it works very well with anyone.

So the issue is someone who doesn't know better will see the presentation and either not hear or not remember the warning, if one is given. And they see the presenter running as Administrator and maybe the next time they do something, they do so, too. They're in charge of administering a server that doesn't have the administrator account renamed. And they don't think twice about it. Or they've got their own presentation and they repeat the behavior, not seeing it as a big deal because so-and-so did it, so it must not be that important. And a bad practice gets repeated and passed on.

But what about a different account, one that is a member of the Administrators group but just not named Administrator (or even the renamed Administrator account itself)? I know there are a lot of folks who say this is a no-no, too. But there are still some key tools (Visual Studio 2005, for instance) that require administrator level privileges. With Vista, UAC gives you some protection, provided you leave it on. Also, with Vista, Internet Explorer can (and should) be run with Protected Mode on, and with Firefox you can use add-ons like AdBlock Plus and NoScript to provide additional protection. So I'm not one of those who has as big an issue with that. I still don't like end users with Administrator level privileges, but when it comes to developers, system administrators, and DBAs, a lot of the tools we use just don't give us much of a choice. So it's something we live with, and we just try to be "smarter than the average bear" (to quote Yogi Bear).
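As an added check (example code, not from the original post), the following PowerShell locates the built-in Administrator account by its well-known RID 500 rather than by name, reports whether it has been renamed and whether it is still enabled, and lists the other members of the Administrators group. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example, not part of the original post: find the built-in Administrator
# by its well-known RID (500) regardless of its current name, and report whether
# it has been renamed and whether it is enabled. Requires the LocalAccounts module.

function Get-BuiltinAdminStatus {
    # Local account SIDs have the form S-1-5-21-<machine>-<RID>; the built-in
    # Administrator always carries RID 500, whatever it has been renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    if (-not $admin) {
        throw 'No local account with RID 500 found.'
    }

    [PSCustomObject]@{
        Name      = $admin.Name
        SID       = $admin.SID.Value
        Renamed   = ($admin.Name -ne 'Administrator')
        Enabled   = $admin.Enabled
        LastLogon = $admin.LastLogon
    }
}

# The "other admin accounts" case from the post: show every member of the
# Administrators group, local or domain, so extra members are visible.
function Get-AdministratorsGroupMembers {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$status = Get-BuiltinAdminStatus
$status | Format-List

if (-not $status.Renamed) {
    Write-Warning "Built-in Administrator ($($status.SID)) still uses the default name."
}
if ($status.Enabled) {
    Write-Warning 'Built-in Administrator is enabled; consider disabling it and using a named admin account.'
}

Get-AdministratorsGroupMembers | Format-Table -AutoSize
```

Run it from an elevated prompt; the group listing needs administrative rights to read domain members' details.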
