SQLServerCentral Editorial

Least Privilege

I assume that most of you know about the principle of least privilege. If not, please read this short blog from Brian Kelley and make sure you understand how you should approach security. In the modern world, we also ought to adapt our systems for the zero trust model, which includes the least privilege principle.

However, I wonder how many of your organizations really follow these security guidelines internally. Are you strict about adding limited access and removing it when people change jobs/roles? If you use Windows Auth (or Entra), are your admins doing that or just adding in new roles? Do you scope down database access roles in granular ways or just stick with 1-2 roles for the most common things people do?

Maybe more importantly, do you use roles or are these systems that still have explicit grants for users?

Microsoft had a major hack recently from a test account that had administrative privileges. While there certainly might be a need for a test account to have privileged access, I'd hope that any test account created had a limited lifetime. I've created privileged database access accounts for vendors, but usually set a reminder to myself to disable the account after xx days. When I got smarter, I wrote a one-time job to do that and scheduled it. These days, I'd also file a ticket for my team noting that this needs disabling as well.
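A one-time job of the kind described above can be built with SQL Server Agent. This is an added example, not the author's script; the login name, the 30-day lifetime and the 02:00 run time are placeholder assumptions.

```sql
-- Added example: a one-time SQL Server Agent job that disables a temporary login.
-- Assumed placeholders: login name, 30-day lifetime, 02:00 run time.
USE msdb;
GO

DECLARE @login    sysname  = N'vendor_temp_login';           -- hypothetical login
DECLARE @days     int      = 30;                             -- assumed lifetime
DECLARE @expires  datetime = DATEADD(DAY, @days, GETDATE());
DECLARE @run_date int      = CONVERT(int, CONVERT(char(8), @expires, 112)); -- YYYYMMDD
DECLARE @job      sysname  = N'Disable login ' + @login;
DECLARE @schedule sysname  = N'Once - ' + @job;
DECLARE @note nvarchar(512) =
    N'Expires temporary login; created ' + CONVERT(nvarchar(10), GETDATE(), 120);

-- Build the step command with QUOTENAME so the login name cannot break out of
-- the string literal or the identifier. The step is a no-op if the login is
-- already disabled or has been dropped.
DECLARE @cmd nvarchar(max) =
      N'IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'
    + QUOTENAME(@login, '''') + N' AND is_disabled = 0) '
    + N'ALTER LOGIN ' + QUOTENAME(@login) + N' DISABLE;';

-- @delete_level = 0 keeps the job and its history after it runs, as a record.
EXEC dbo.sp_add_job         @job_name = @job, @description = @note, @delete_level = 0;
EXEC dbo.sp_add_jobstep     @job_name = @job, @step_name = N'Disable login',
                            @subsystem = N'TSQL', @database_name = N'master',
                            @command = @cmd;
-- @freq_type = 1 means "run once"; the time is an integer in HHMMSS form.
EXEC dbo.sp_add_schedule    @schedule_name = @schedule, @freq_type = 1,
                            @active_start_date = @run_date,
                            @active_start_time = 20000;      -- 02:00:00
EXEC dbo.sp_attach_schedule @job_name = @job, @schedule_name = @schedule;
EXEC dbo.sp_add_jobserver   @job_name = @job;                -- target the local server
GO

-- Check after the run date: is_disabled should be 1.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE name = N'vendor_temp_login';
```

Disabling a login blocks new connections but does not end sessions that are already open, and the job only fires if SQL Server Agent is running on the run date.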

Humans get lazy and often don't think about the future. If you've never had an issue with a test account, why think something might happen? Why spend the time writing a note or a job when surely you'll remember or deal with it later? Maybe more common, why disable a login when the user might need access longer? We don't want to deal with another phone call and enabling the account. That's an interruption to our work week.

What has been humorous to me is that I've seen quite a few people who are very security conscious get annoyed when some automated system or process disables their account and forces them to make a call.

It is annoying. However, these little things, the details, the adherence to good practices are what help ensure we have better security. When we take shortcuts (like not enabling MFA), when we skip steps, when we do small favors for others, we're increasing risk. Most of the time that's fine.

Once in a while it really comes back to cause problems. I'm not sure the savings are worth it.
