"Temporary" Administrators

Several times in the past year someone has brought up an issue where they needed to “temporarily” grant someone administrative privilege to a system or a domain. Each time my answer has been the same: “why not just put them in the Administrators group then and leave them there?” The response to this is invariably that they do not trust the people to be administrators.

The crux with that issue is that there is no such thing as a “temporary administrator.” A malicious user that is an administrator for long enough to execute a couple of lines of code will have those privileges until the system, and all those that have two-way dependencies with it, are rebuilt. A couple of lines of code, maybe just one if you are good, is all it takes to permanently remain an administrator. Hence the reason for my question: if you do not trust someone enough to make them a bona fide permanent administrator then you do not trust them enough to make them a “temporary administrator.” In that case, you need to find another way to do what it is they need to do.

Keep in mind too here that we are not just talking about malicious administrators here. If you are an administrator, and make a mistake while you are an administrator, that mistake may remain even after you remove yourself from the administrators group. Maybe that requires an example: let’s say you are building a new system. To install everything you add yourself to the administrators group. While you are installing all the patches you need you decide to surf the web to check out some site, but accidentally fat-finger your favorite web site and end up somewhere you did not intend to. In a worst case scenario that site takes advantage of one of the patches you have not installed yet and installs some rootkit on your system. You quickly hit ALT+F4 to close the site, finish installing the patches and take yourself out of the Administrators group. Is the rootkit now gone? Noohooo. It is still there, and will remain there until you use the rootkit removal tool: format c:\ (from neutral read-only media).

Comments (9)

  1. Anonymous says:

    [out of date post… this deals with MS Atlas CTP… which has been change drastically and is now MS

  2. Anonymous says:

    In case you missed it, I’ve had a pretty cool conversation with Steve Maine in the comments portion…

  3. Anonymous says:

    I don’t agree with this 100%, and I think the word trust may need defining.  Do I trust them to do something…

  4. Patrick says:

    I actually think what Jesper is saying that if you have to define your trust in the person ..

    "I trust them to do X but not Y"

    means you should like at other ways of solving the problem.

    An Admin has a position of absolute trust within a system and if you place caveats on that trust then perhaps you should look at other solutions.

  5. vermin says:

    I would go with what Patrick says – sometimes users are granted temporary admin rights just because admin is too overwhelmed with other tasks, (not to say lazy).

    So with security aware admins this situation should not happen, because there are possibly no situations where admin should allow granting rights domain-wide. Because of some stupid apps, it is to consider granting rights on local workstation, (if those dev-people are physically in their own zone or their network is monitored…), but otherwise?

    BTW,  admin as a position of trust – if the system is monitored/logged, and some alarms are set, when the audit logs changing ownership on dedicated nodes, then I wouldn’t say, that admin has "a position of absolute trust". It would be absurd, if an admin in a network would have an easy and absolute access to, let’s say financial data…

  6. Bernd Eckenfels says:

    I totally agree, that you have to trust a person if you make it (Domain) Admin, because you cannot "revoke" that right. However it makes perfectly good reasons to use least priveledged accounts for daily work. So if somebody does not need to be admin anymore, she should not be admin.

  7. Louis says:

    UNIX/Linux systems have the sudo command to grant privileges to execute a specific command.   It works quite well in providing the needed fine grain control to allow a specific user the needed access to proform a specific task.  Perhaps MS could create an equivalent Windows based interface.

  8. Jesper says:

    Louis, we already have a very similar command in "Run As…" (runas.exe). The problem is not that. The problem is the perception that if I make someone an admin for just a short period of time I do not need to trust them as much as if they are permanently an admin. I am absolutely not advocating against least privilege. I am simply saying that if you do not trust someone to be an admin permanently then trusting them to be one for a short period of time is a bad idea.

    That being said, you definitely should make people several accounts so they can be an admin when they need to but not all the time. In XP that is doable for many people, but hard for some. In Vista it will be a lot easier.

  9. JB says:

    I agree with the risk both from the threat of a malicious user and making systems more vulnerable to malicious activity such as rootkits.

    Thankfully, I have been able to root out all the users running as local administrators on my network, but there has definitely been some cleanup regarding malware after the fact, since once that stuff has a foothold, your "rootkit removal tool" is almost always the final solution.