"Temporary" Administrators

Several times in the past year someone has brought up an issue where they needed to "temporarily" grant someone administrative privilege to a system or a domain. Each time my answer has been the same: "why not just put them in the Administrators group then and leave them there?" The response to this is invariably that they do not trust the people to be administrators.

The crux of the issue is that there is no such thing as a "temporary administrator." A malicious user who is an administrator for long enough to execute a couple of lines of code will have those privileges until the system, and all those that have two-way dependencies with it, are rebuilt. A couple of lines of code, maybe just one if you are good, is all it takes to permanently remain an administrator. Hence the reason for my question: if you do not trust someone enough to make them a bona fide permanent administrator, then you do not trust them enough to make them a "temporary administrator." In that case, you need to find another way to do what it is they need to do.

Keep in mind, too, that we are not just talking about malicious administrators here. If you are an administrator, and make a mistake while you are an administrator, that mistake may remain even after you remove yourself from the Administrators group. Maybe that requires an example: let's say you are building a new system. To install everything, you add yourself to the Administrators group. While you are installing all the patches you need, you decide to surf the web to check out some site, but accidentally fat-finger the address of your favorite web site and end up somewhere you did not intend to. In a worst-case scenario, that site exploits a vulnerability fixed by one of the patches you have not installed yet and installs some rootkit on your system. You quickly hit ALT+F4 to close the site, finish installing the patches and take yourself out of the Administrators group. Is the rootkit now gone? Noohooo. It is still there, and will remain there until you use the rootkit removal tool: format c:\ (from neutral read-only media).