Privileged Accounts Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the Privileged Accounts requirement.

Requirement

Users must not log in as or use a super-user (Administrator, root, etc.) or equivalent account for activities that do not require such access, and network services must run with the minimum necessary privileges, except in the following case:

Devices that do not support separation of privileges

When working on devices that do not provide separate facilities for privileged or unprivileged access (e.g., some network appliances and printers with embedded operating systems), only stay logged into the device for as long as necessary to perform the administrative task, then log out.

Background and description of risk

Privileged access gives a user the ability to perform any task on a device without restriction and is necessary for the provisioning and administration of the device. For the following reasons this access should only be used for the duration of those activities that require it:

Accidental Use

Privileged access bypasses access controls, so errors made by a privileged user may have catastrophic consequences, resulting in data loss or significant downtime. For example, on a Unix system, an extra space may turn “rm -Rf /tmp/olddata” into “rm -Rf / tmp/olddata”, which passes “/” to rm as a separate argument and deletes the entire file system. Limiting the use of privileged access to only those times when that access is required reduces the likelihood of this type of error.
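The slip described above can be caught before it does damage. The following guarded wrapper is an added example, not part of the UC Berkeley guideline: it refuses to run unless it receives exactly one target (the mistaken “rm -Rf / tmp/olddata” supplies two), refuses the root directory and paths containing “..”, and only removes subdirectories of an allow-list of scratch roots. The scratch roots (/tmp, /var/tmp) and the dry-run default are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the UC Berkeley page): a guarded recursive delete
# that turns the "rm -Rf / tmp/olddata" slip into a refusal. The allow-list
# of scratch roots and the DRY_RUN default are assumptions for illustration.

guarded_rm_rf() {
    # Exactly one target. The mistaken "rm -Rf / tmp/olddata" passes two
    # arguments, so the stray space is caught here instead of wiping /.
    if [ "$#" -ne 1 ]; then
        echo "refusing: expected one target path, got $#" >&2
        return 2
    fi
    target=$1

    # Make the path absolute and drop a trailing slash, so "/" becomes "".
    case $target in
        /*) ;;
        *)  target="$(pwd)/$target" ;;
    esac
    target=${target%/}
    if [ -z "$target" ]; then
        echo "refusing: will not remove the root directory" >&2
        return 2
    fi

    # Reject ".." components, which could escape the allowed roots below.
    case $target in
        */..|*/../*)
            echo "refusing: '..' components are not allowed" >&2
            return 2 ;;
    esac

    # Only subdirectories of the scratch roots may be removed; the roots
    # themselves and anything else on the system are rejected.
    case $target in
        /tmp/*|/var/tmp/*) ;;
        *)  echo "refusing: $target is outside the allowed scratch roots" >&2
            return 2 ;;
    esac

    # DRY_RUN is on unless explicitly set to 0, so the default only reports.
    if [ "${DRY_RUN:-1}" != 0 ]; then
        echo "would run: rm -Rf -- $target"
    else
        rm -Rf -- "$target"
    fi
}

# The accident from the text: two arguments are refused; the intended
# single path is reported (and only removed when DRY_RUN=0).
guarded_rm_rf / tmp/olddata || echo "stray space caught"
guarded_rm_rf /tmp/olddata
```

The argument-count check is the part that matters for the error in the text; the allow-list is what keeps a typo in the path itself (for example “/etc” instead of “/tmp/etc”) from being destructive.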

Malware

Many types of malware infect and spread by changing system configurations and installing new services, two activities that are generally limited to privileged users. When reading email, browsing the web, or accessing files as a privileged user, any malware a user encounters will also run as a privileged user, bypassing all access and security controls.

Besides the risk associated with unnecessary use of privilege by a user, network services that run as privileged accounts present a significant risk as well. If exploited, a vulnerability in a network service running as a privileged user will grant the attacker privileged access to the device, bypassing all access and security controls.

Recommendations

Use sudo or Run As… instead of logging in as a super-user or using an equivalent group

Instead of logging in as a super-user or placing a user account in a group that provides privileged access, utilize operating system features such as “sudo” (Unix/OSX) or “Run As…” (Windows) which allow for temporary escalation of privileges. If these features are not available, practice rigorous self-discipline and only log in as a super-user when necessary.
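Using sudo is only a least-privilege measure if the sudoers rules themselves are narrow: a rule that grants ALL commands is equivalent to a root login. The block below is an added example, not part of the UC Berkeley guideline. It shows a constructed sudoers fragment with an unrestricted rule beside a least-privilege one, and a small POSIX shell audit that prints any user specification whose command list contains ALL. The group “webadmins”, the alias WEB_OPS and the httpd command paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the UC Berkeley page): a sudoers fragment showing an
# unrestricted rule beside a least-privilege one, plus a small audit that
# flags any rule granting ALL commands. The fragment is constructed; the
# group "webadmins", the alias WEB_OPS and the httpd paths are assumptions.

# Constructed sudoers fragment used as sample input (not copied from a host).
SAMPLE_SUDOERS='# Weak: every member of wheel may run any command as root with no password,
# which is no better than logging in as root.
%wheel ALL=(ALL) NOPASSWD: ALL

# Least privilege: web administrators may only restart httpd and read its log,
# and still have to authenticate.
Cmnd_Alias WEB_OPS = /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
%webadmins ALL=(root) WEB_OPS'

# Print each user specification whose command list contains ALL. Comments,
# blank lines, Defaults lines and alias definitions are skipped.
audit_sudoers() {
    input=$1
    printf '%s\n' "$input" | while IFS= read -r line; do
        case $line in
            ''|'#'*|Defaults*|*_Alias*) continue ;;
        esac
        # Keep only the command list: drop "user HOST=", then an optional
        # "(runas)" part, then tags such as NOPASSWD: that end with a colon.
        rule=${line#*=}
        rule=$(printf '%s' "$rule" | sed -e 's/^[[:space:]]*([^)]*)//' -e 's/^.*://')
        # Split the command list on commas and compare each entry to ALL.
        old_ifs=$IFS
        IFS=,
        set -- $rule
        IFS=$old_ifs
        for cmd in "$@"; do
            cmd=$(printf '%s' "$cmd" | tr -d ' \t')
            if [ "$cmd" = ALL ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# Prints only the %wheel line; the %webadmins rule passes the audit.
audit_sudoers "$SAMPLE_SUDOERS"
```

Running the audit against a host's real configuration would read the files instead of the constructed string; the same logic applies to entries in /etc/sudoers.d. On a real system, validate any edited fragment with visudo before installing it.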

Troubleshoot software that requires privileged access

Some software, particularly legacy software on Microsoft Windows, does not run unless the user is in the Administrators group. In many cases, file and registry access monitoring tools such as Microsoft Process Monitor or Sysinternals FileMon and RegMon can determine which access controls need to be changed to allow the software to run as an unprivileged user.

User Account Control (UAC) on Windows 7

Utilize UAC on Windows 7 to allow unprivileged users to escalate privileges for legacy software that must be run as “Administrator”.