There is no question that administrators need an account with elevated permissions so they can effectively manage and care for the domain and users. For this blog, let’s call that account the “Superman” account. However, security best practice is increasingly calling for administrators to have a second account that they use to perform their daily tasks, such as surfing the web, checking email, or submitting their timesheet. In other words, they should have a “Clark Kent” account to go along with their Superman account. Having performed penetration tests against organizations that have this in place, and those that do not, I notice a major difference in the overall security posture of those that do. Therefore, I recommend that everyone use two separate accounts for the administrators in an organization. Let’s discuss.
Why It’s Necessary
It goes without saying that if the Superman account is hijacked, the entire domain is compromised. Therefore, it is important to take as many precautions as possible to protect these types of accounts, including limiting their use to reduce their exposure as much as possible. There are several reasons for this. First and foremost, some of the things you do on a daily basis are inherently more risky. While browsing the web, what if you land on a malicious website, or even a legitimate website that is serving malicious advertisements? Or what if you fall victim to clicking a link in an email that you shouldn’t have? It is easy to sit back and say that you know how to avoid it and this will never happen, but every administrator I have talked to thinks they don’t have to worry about the “kryptonite” in this case until they do. Second, if you are logged into that account and using it, the hash for that account may be flying across the network without you even realizing it. Check out our blog on NBNS/LLMNR spoofing for more information on that. Finally, what if you get up and walk away from your computer without locking it? Sure, you’re probably right in assuming no one is going to mess with you, and you trust your coworkers. The simple fact is, if any of these things happen, there is a chance your account can be compromised. If it is your Clark Kent account, the attacker doesn’t have the keys to the kingdom; there is more work they have to do. If it is the Superman account, you’re in trouble.
Using Two Accounts
A fairly simple solution is to use two accounts: a regular domain user account (Clark Kent) and a separate domain administrator account (Superman). Your administrators should primarily log in with their domain user account, which does not have any special or elevated permissions, and elevate to their domain admin account only for specific activities or limited times when the task at hand requires it. When your administrators need to perform an administrative task, most of the time they can just right-click -> Run As and then log in with their Superman credentials. It is also really important that the password is different for each of these accounts, or separating them won’t do you much good. Overall, this may slightly increase their overhead and administrative burden during normal tasks, but the increase in security you get in return is definitely worth the consideration and slight inconvenience.
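As an added example (not code from the original post), the following PowerShell shows both halves of this model from the defender's side: an audit that lists every Domain Admins member and whether a paired Clark Kent account exists, and a helper that launches an admin tool with Superman credentials from the Clark Kent session. It assumes the RSAT ActiveDirectory module is installed and that admin accounts follow a naming convention of an `adm-` prefix on the daily account name; both the prefix and the function names are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and an "adm-<dailyname>" naming convention for Superman accounts.
Import-Module ActiveDirectory

function Get-AdminAccountPairing {
    param([string]$AdminPrefix = 'adm-')   # assumed naming convention

    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $admin = Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, PasswordLastSet
            # Strip the prefix to find the expected Clark Kent account name.
            $dailyName = $admin.SamAccountName -replace "^$([regex]::Escape($AdminPrefix))", ''
            $daily = Get-ADUser -Filter "SamAccountName -eq '$dailyName'"
            [pscustomobject]@{
                AdminAccount    = $admin.SamAccountName
                # False when no prefix matched or no separate daily account exists.
                HasDailyAccount = ($null -ne $daily -and $dailyName -ne $admin.SamAccountName)
                LastLogon       = $admin.LastLogonDate
                PasswordLastSet = $admin.PasswordLastSet
            }
        }
}

function Start-AsSuperman {
    # The "Run As" step: stay logged in as Clark Kent, launch one tool as Superman.
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList
    )
    $cred = Get-Credential -Message 'Superman (domain admin) credentials'
    $params = @{ FilePath = $FilePath; Credential = $cred }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# Report Domain Admins that have no separate daily-use account.
Get-AdminAccountPairing | Where-Object { -not $_.HasDailyAccount } | Format-Table

# Example: open Active Directory Users and Computers as Superman.
# Start-AsSuperman -FilePath 'mmc.exe' -ArgumentList 'dsa.msc'
```

Any row returned by the audit is an administrator who is likely doing daily work with the Superman account, which is exactly the exposure the two-account model is meant to remove.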