One of the most important principles of cyber security is Admin of One. By reducing the number of devices a password can manage to a single device, the impact of a single admin password being compromised in a cyber attack such as ransomware can be drastically reduced.
How Ransomware Happens
When ransomware gangs attack company infrastructure, one of their first goals is to obtain admin credentials that work on as many devices as possible. They typically gain a foothold using standard user credentials on a single device, then look for paths through which they can take over additional accounts, including device admins and domain admins, and then use those accounts to encrypt the file systems of as many devices as possible.
We often think of domain admin access as the attackers’ goal and protect only against that, but a single user account with administrative privileges on many devices poses just as significant a risk. If a non-domain-admin user has admin access to every device, compromise of that one account can be used to achieve the same outcome – encryption of everything.
The Typical IT Admin Setup
There are two common ways that IT Teams implement administrator access for servers and end-user devices. The first is to create a single generic ‘support’ account and add it to the local ‘administrators’ group everywhere, then share that password across the IT support team. The second is to add individually named accounts for each member of the team such as ‘Jane.Doe’ and ‘John.Smith’ to the local ‘administrators’ group on everything. Often this is done by adding a security group such as ‘SG – IT Service Desk’ and adding the team’s accounts to that group.
This is bad because the compromise of a single account can be used to make changes or encrypt everything that the account has admin access to. Even if the individually named accounts are separate from everyday work accounts used to read email and browse the web (admin-jane.doe), the risk is the same. Once a single password is obtained, everything is compromised. This is what we describe as a high blast radius.
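The quickest way to see your own blast radius is to enumerate the local ‘administrators’ group on every device and count how many machines each principal can manage. The following PowerShell is an added example, not from the original post; it assumes WinRM access to the listed hosts and the built-in LocalAccounts cmdlets (Windows 10 / Server 2016 and later). The host list is a constructed placeholder.

```powershell
# Added example: audit local Administrators membership across a fleet and report
# how many devices each principal can administer (its blast radius).
# Assumes WinRM access to the hosts and the LocalAccounts module on each.
$Computers = @('FILESERVER03', 'WKS-0101', 'WKS-0102')   # constructed placeholder host list
$Threshold = 1                                            # Admin of One: more than one device is a finding

$results = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Device      = $env:COMPUTERNAME
            Principal   = $_.Name          # e.g. CORP\SG - IT Service Desk, or WKS-0101\Administrator
            ObjectClass = $_.ObjectClass   # User or Group
        }
    }
}

# Group by principal and count distinct devices. Anything above the threshold is a
# shared admin identity whose compromise reaches more than one machine.
$blastRadius = $results |
    Group-Object -Property Principal |
    ForEach-Object {
        $devices = $_.Group.Device | Sort-Object -Unique
        [pscustomobject]@{
            Principal   = $_.Name
            ObjectClass = $_.Group[0].ObjectClass
            DeviceCount = $devices.Count
            Devices     = $devices -join ', '
        }
    } |
    Sort-Object -Property DeviceCount -Descending

# Domain Admins appear everywhere by design on domain-joined machines, so keep them
# in the report but exclude them from the findings (they are handled separately).
$findings = $blastRadius | Where-Object {
    $_.DeviceCount -gt $Threshold -and $_.Principal -notlike '*\Domain Admins'
}

$blastRadius | Format-Table -AutoSize
if ($findings) {
    Write-Warning ("{0} principal(s) can administer more than {1} device(s):" -f $findings.Count, $Threshold)
    $findings | Format-Table Principal, ObjectClass, DeviceCount, Devices -AutoSize
}
```

Note that a security group such as ‘SG – IT Service Desk’ shows up as one principal; the real blast radius is that of every account nested inside it, so expand groups with Get-ADGroupMember -Recursive if you want a per-user view.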
Admin of One
With ‘Admin of One’, each administrator account can only manage a single device. This is the default behaviour of a fresh Microsoft Windows install, whether the computer is in a workgroup or domain-joined. Aside from Domain Admins, which by nature can manage everything in the domain, the default Administrator account on a newly set up computer has a unique password and is the only account that can manage that PC or server. It’s the things we do afterwards that cause us problems.
Microsoft released LAPS (Local Administrator Password Solution) to automate frequent rotation of the default Administrator account password, so that each device keeps its own, regularly changed, password.
Limiting an administrator account to a single device moves us from a high blast radius to a low blast radius. Compromising a single admin account only results in the destruction of a single device. The affected computer may be toast, but the damage cannot spread to other machines on the domain, at least through admin-level access. (Overly permissive network shares are still a problem, but we’ll talk about that another time).
LAPS is a great solution, but it may not be the best fit for every organisation. For that reason, companies like BeyondTrust and CyberArk offer various privileged access management solutions for servers and end-user devices. The important thing is to choose a solution that makes it easy for the right people to check out admin passwords when they need them, and impossible for anyone else. A second factor of authentication (MFA) should be enforced before your IT admins are permitted access to an admin password. This proves that the person requesting access is truly the person authorised to do so, as they must physically have the MFA device in their possession; should an attacker request an admin password, they won’t have the MFA device required to approve it. The solution should also rotate the account credentials after each use so that they cannot be reused in future.
One tip to make life easier: local accounts on a device, such as the built-in Administrator account, do not have access to network shares. This makes it difficult for IT admins to move files around the network, for example when installing software from a central location. To make the lives of your IT team easier, use domain user accounts, particularly on servers, so that a device admin is domain authenticated and can perform tasks within the domain environment. A good way to implement this is to create OUs dedicated to device admin accounts and prefix each account name with the device name, for example FILESERVER03_Admin1. This account is then added to the local ‘administrators’ group of FILESERVER03 and nothing else!
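Provisioning one of these device-bound domain accounts is a short script. The following PowerShell is an added example, not from the original post; it assumes the ActiveDirectory RSAT module, WinRM access to the target device, and a dedicated OU whose distinguished name below is a constructed placeholder. The initial password is generated locally only so the account can be created; in practice your PAM or LAPS tooling owns and rotates that secret.

```powershell
# Added example: create a device-specific admin account (DEVICENAME_Admin1) in a
# dedicated OU and grant it local admin on exactly one device.
# Assumes: ActiveDirectory module, WinRM to the target, and the placeholder OU below.
param(
    [Parameter(Mandatory)] [string] $DeviceName,                        # e.g. FILESERVER03
    [string] $AdminOU = 'OU=Device Admins,OU=Tier 1,DC=corp,DC=example', # constructed placeholder OU
    [string] $Suffix  = 'Admin1'
)

Import-Module ActiveDirectory

# Naming convention from the post: <DEVICE>_<Suffix>, e.g. FILESERVER03_Admin1.
$sam = '{0}_{1}' -f $DeviceName.ToUpper(), $Suffix
if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }

# Random initial password (32 base64 characters). The PAM/LAPS solution should
# take ownership of this secret and rotate it after every checkout.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) {
    New-ADUser -Name $sam -SamAccountName $sam -Path $AdminOU `
        -AccountPassword $initial -Enabled $true `
        -Description ('Device admin for {0} only (Admin of One)' -f $DeviceName)
}

# Add the account to the local Administrators group on the target device, and nowhere else,
# then return the resulting membership so the caller can confirm the change.
$domain = (Get-ADDomain).NetBIOSName
Invoke-Command -ComputerName $DeviceName -ArgumentList "$domain\$sam" -ScriptBlock {
    param($member)
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
    }
    (Get-LocalGroupMember -Group 'Administrators').Name
}
```

Because the account lives only in the local ‘administrators’ group of its own device, a later fleet-wide audit of that group should show it with a device count of exactly one; anything higher means someone has re-created the shared-admin problem by hand.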
Never use Domain Admin outside of Domain Controllers
Admin of One only works if you protect your domain admin accounts appropriately. As mentioned earlier, domain admins have admin access to everything, but that doesn’t mean you should take advantage of it. Any time you use domain admin credentials on anything other than a domain controller, you expose those credentials to that device. Should that device be compromised, your domain admin account is compromised too, and ransomware can spread easily. For this reason, domain admin accounts should only ever be used on domain controllers, for domain administration work.
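A useful check is to look back through a member server’s Security log for logons by Domain Admins members, which under this rule should never appear outside a domain controller. The PowerShell below is an added example, not from the original post; it assumes the ActiveDirectory RSAT module, read access to the local Security log, and that it runs on the host being checked.

```powershell
# Added example: report Domain Admin logons on a non-domain-controller host.
# Assumes the ActiveDirectory module and read access to the local Security event log.
Import-Module ActiveDirectory

# Refuse to run on a DC: Domain Admin logons there are expected.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw 'This host is a domain controller; run the check on member servers and workstations.' }

# Current Domain Admins membership, expanded through nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

# Event 4624 = successful logon. Interactive (2), unlock (7) and RemoteInteractive (10),
# as well as batch (4) and service (5), leave credential material on this host;
# network (3) does not, but is still a Domain Admin touching a non-DC.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($domainAdmins -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            SourceIP  = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    }
}

if ($hits) {
    Write-Warning ('{0} Domain Admin logon(s) on {1} since {2}' -f @($hits).Count, $env:COMPUTERNAME, $since)
    $hits | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    "No Domain Admin logons on $env:COMPUTERNAME since $since"
}
```

Detection tells you the rule is being broken; to enforce it, a Group Policy applied to the non-DC OUs can assign the ‘Deny log on locally’, ‘Deny log on through Remote Desktop Services’ and ‘Deny access to this computer from the network’ user rights to the Domain Admins group, so that the credentials cannot be used on those machines even by mistake.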
Instead, stick with the Admin of One principle to create a low blast radius for the loss of any admin accounts and ensure that all admin accounts manage as few devices as possible. There are exceptions to this rule such as clustered services where admin accounts must be able to manage all devices in the cluster, but the principle is the same. One admin, one device.