Back in September, we wrote a blog on the importance of using two separate accounts for administrators, one user-level and one administrative. If you haven’t read it yet, it does a great job of explaining why it is necessary and why it’s a security best practice. The lower-level user account should have limited permission and be used for day-to-day activities that are inherently more high risk, such as checking email, surfing the web, and conducting regular business (meetings, powerpoint slides, timesheets, expenses, etc.) The second administrative account should be used only when that user needs to perform a task that requires elevated permissions.
By doing this, the second account (with administrative permissions) is less exposed. The reason we are doing this follow-up blog on two accounts for administrators is that we are seeing an increase in social engineering campaigns designed to steal user credentials. Using separate accounts will reduce the impact of a successful phishing attack by hopefully not exposing administrative credentials right off the bat.
At Triaxiom, when we conduct social engineering assessments we emulate this risk by setting up a fake employee portal and enticing employees to login to the fake portal. In a generic bulk phishing attack we are successful approximately 15% of the time, but if we take extra steps to target a specific individual in a spear phishing attack, that success rate can jump to 40%. So playing this scenario out, if one of your domain administrators who only has one account falls victim to one of these spoofed portals and enters their credentials, the attacker effectively has complete control over your domain. Whereas if you had two accounts for administrators, on the other hand, the attacker would have only compromised a low-privilege user account and would still have to figure out how to escalate permissions on your network. Therefore, even though it may be annoying for your administrators to have to type in a set of credentials every time they do an administrative task, the risk justifies the extra step in this case.