Being held to account

  • Article

Hi there

Sorry that it has been a little while since my last post. I have been away at a customer’s site. As usual, I can’t say where I was or what I was doing but I left at 3 hours notice to go there and spent pretty much an entire day in an economy class plane seat. I thought that I would share a few tips if ever you find yourself in the same situation.

The first is that the quickest way to pack seems to be the most expensive. On the way to the airport, stop at a shop that sells clothes, toiletries and suitcases. Buy all of these things. At the checkout, put the suitcase on the conveyer belt first. Pack the clothes and toiletries straight into the case. Job done.

The second is to remember that the seasons change if you change hemisphere. I forgot that bit.

So, it wouldn’t be my blog without something technical so I would like to discuss user accounts and malware. That is not as dull as it sounds.

Let’s start with a question. How many accounts should a user have? The obvious answer is 1. One person, one account, makes good sense. However, this is not true of people with multiple roles. If someone is a domain admin or an enterprise admin, they shouldn’t be using that account for anything other than the most essential work. In that case, the user needs one account per role so that they are not reading emails and surfing the web with an admin account. It sounds obvious and maybe it is… but you would be amazed how often we find that people forget to do that… and these are people who end up talking with me. You can guess that things did not go well given that.

How about another question? How many accounts have no people associated with them? That is a tougher question. It will depend on your network and what you are running but you will need service accounts. What rights those accounts need will vary but you will be doing yourself a favour if you give them as few rights as possible and an interactive logon is definitely not a right that they should have. Please, humour me while I talk about how malware (including hacking tools) gets on boxes.

The main vectors are:

1. Users running random files from bad people on the internet. These come via web-browsers or email.

2. Browser exploits. We patch it for a reason. Our competitors do the same with theirs.

3. SQL injection attacks

4. Exploits of services

Limiting account rights can help in case 1 and 2 but causes some user pushback and so negotiation is needed – but recall what I said about admins needing 2 accounts. 3 and 4 involve no user pushback and is a quick win. Clearly, a service account should have no more rights than it needs and everyone knows that. However, developers frequently test applications using domain admin accounts… and when it is time to deploy, the tendency is to deploy in the configuration that you tested in and tighten it up later. This is the same later when you will do the documentation, fix the last bug and go for a long holiday in the sun. I am still waiting for those “later”s from previous companies where I worked.

So, if malware gets in to a service which has high rights, it has high rights. If it runs as a domain admin, every system volume is an open book, every registry its registry. It can and does spread like wild fire.

Choosing rights carefully has no effect day to day but it can save your skin if something gets in to the network. If things are a little quiet as summer winds down, perhaps this is the perfect time to review the rights of your service accounts. I know that this is basic advice and obvious stuff… but if it were done universally, I wouldn’t have had to leap on a plane last week.

Until next time

Mark