Going Wild With Administrative Accounts

Today I got a question that reminded me that I have not written a whole lot about how to manage the accounts used by system administrators. The question was whether I could think of any reasons why you would share an administrative account between several people, other than for the sheer convenience of it.

My answer is that I cannot think of such a reason. There is one edge case, used in ultra-sensitive environments, where you share an account between multiple people, but each of them knows only a portion of the password. This is not done for convenience, though; it is done so that no single one of them can make changes without the others knowing. The system could only be compromised through collusion between them.

Other than that, I cannot think of a single good reason for sharing administrative accounts. In general, there are two extremes when it comes to this. On the one side is a single account, used by everyone, for every purpose on every system. On the other extreme is an account per purpose, per person. Somewhere in between is the happy medium.

We have tried getting closer to the multi-account extreme here at Microsoft, but it is causing some pain for administrators. We also use Smart Cards for high-level administrative accounts. I have heard of people who have as many as 28 of these Smart Cards to keep track of. This obviously increases security on one side, but at the same time, you have to imagine that the administrators will eventually start looking for ways to circumvent the policy for their own convenience, thereby decreasing security. One might argue that they should be able to deal with this level of complexity and that this is why we pay them so much, but as most people do not think they are paid enough, they will try to make life easier on themselves.

Exactly where the happy medium lies probably differs by environment, risk management philosophy, and the quality of the administrators. However, unless you start with some form of analysis of the security requirements of the systems, and classify the systems into different categories of requirements, there is very little chance of arriving at a reasonable division of the accounts. Again, risk management and thinking about the security requirements underlie all the other things we do.