I had a call today to answer questions about a security audit we recently finished. The customer had several questions she wanted to go over on our call. The first question concerned our recommendation to create a separate Microsoft 365 account for administrative use. She wanted to know why we made that recommendation. It occurred to me that there are other folks that might like to know the answer to her question. You will not be surprised to learn that it comes back to cybersecurity.
Before I get to the answer, let me explain how we arrived at this spot.
You Say “Lazy” Like It’s a Bad Thing
I complimented an operations director for the way he had automated so much of his work. “No need to compliment me,” he said, “I did it because I am lazy.” He was being self-effacing, but he had a point. Laziness will motivate you to look for the most efficient way of accomplishing a task.
In the IT world, laziness meant creating one administrative account and sharing it with the rest of the team. I am talking about those admin@ type of accounts. If someone did not use an admin@ administrative account, they just used their “regular” account to do administrative things.
You know what else is lazy? Creating an administrative account and assigning global administrative privileges to it. Microsoft used to do this for Microsoft 365 partners (like CGNET) that handle administrative tasks for their customers. (Did you know we could do that?) Microsoft recently rescinded these partner administrative accounts and implemented a workflow to assign just the administrative role that a partner needs when working on a customer’s behalf.
Hackers Love Lazy
Generic administrative accounts. Assigning global administrative privileges by default. Using your “regular” account for administrative tasks. We have done these things for years. Why all the fuss?
Because hackers know you have been doing this. And they have been busy using this knowledge to create ways to break into your network. Consider each of these cases.
Global Administrator Privileges
What can a global administrator (superuser, for you Linux fans) do? What can’t they do? These accounts are the holy grail for hackers. A hacker can use a global administrator account to change security settings up and down the network, making a cozy spot for future attacks. There are two issues with having lots of global administrator accounts.
- Statistics. What is the probability of one administrative account being hacked when there is only one such account? Now consider: what is the probability that one of seven accounts with global administrative privileges will be hacked? Having lots of accounts with global administrative privileges is riskier than having fewer such accounts.
- Human Nature. We often ask customers to set up an account for us on their network with global administrative privileges. Setting up the account for us, or other consultants, is not the issue. Forgetting to suspend these accounts is the issue. What is worse, a customer is likely to forget that they set such an administrative account up. So, they are not thinking about whether that account is active beyond the end of a consulting assignment.
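The "Statistics" point above, worked through as an added illustration (not part of the original post; the yearly compromise probability $p = 0.01$ is an assumed value chosen only to make the numbers concrete). Let each account holding Global Administrator be compromised within a year with probability $p$, and let there be $n$ such accounts. If the compromises are independent, the chance that at least one of them is compromised is

$$P(\text{at least one of } n) = 1 - (1-p)^n .$$

Even without assuming independence, the union bound gives $P(\text{at least one of } n) \le n\,p$, so the exposure grows about linearly with the number of accounts. With $p = 0.01$: for $n = 1$ the risk is $0.01$; for $n = 7$ it is $1 - 0.99^7 \approx 0.068$, close to seven times the risk of keeping a single such account.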
Commingling User and Administrative Accounts
Online service companies have done hackers a huge favor. They have standardized on using your email address as your username. Remember that, without MFA, hackers need only two bits of information about your account.
- Your username.
- Your password.
Hackers know your username. They just need to guess your password (or convince you to give it to them).
If your “regular” account is hacked, the baddies can run amok in your network. That is bad. What is also bad is that they can send email to everyone else in the organization. Because that email comes from an internal sender, it is less likely to arouse suspicion. And it can carry malware or ransomware, spreading the pain.
Using Generic Accounts
Generic administrative accounts are a problem for a different reason. They are handy for setting up online service subscriptions. If I set up a service subscription with my own email address, what happens when I leave the organization? Using a generic administrative account makes it easier to standardize across online subscriptions.
The problem with a generic administrative account is that it cannot be completely audited. You see unusual behavior in an audit log and trace it back to an admin@ account. You know the responsible account. However, you do not know which person (of the potentially many who share it) is actually responsible.
Time for Some Answers
For all the reasons I have described above, here is what we recommend you do for administrative accounts.
First, create an account for yourself, one that has access to email and whatever other applications you need. Do not assign any administrative privileges to this account.
Next, create an account that you will use for administrative tasks. Assign whatever administrative role is appropriate. However, remove email access for this account.
With this setup, a hacker might gain access to your “regular” account but cannot go any further into the network. If the hacker gains access to your administrative account, they can cause damage, but they cannot spread that damage to other accounts.
Finally, set up generic administrative accounts as shared mailboxes, distribution lists, or groups. This arrangement is convenient for handling online subscriptions, as you can add people to, or remove them from, the mailbox, list, or group. You will need to share the password for each online subscription. You can do this with a password manager. Or, better yet, set up the online subscriptions to be accessed via single sign-on.
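As an added example (my own illustration, not code from the original post or from CGNET), here is what the first two recommendations look like when carried out with the Microsoft Graph PowerShell SDK in Microsoft 365: a licensed “regular” account with no role, and a separate administrative account that gets a narrowly scoped role but no license, which in Microsoft 365 means no mailbox. The same script then performs the review that the “Global Administrator Privileges” section argues for: it lists every Global Administrator and flags any that are licensed, since a global admin with a mailbox is exactly the commingled setup the post warns against. The domain name, display names, the “Exchange Administrator” role, the license SKU part number, and the `New-InitialPassword` helper are all assumptions for illustration.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and an account allowed to consent to these scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All","RoleManagement.ReadWrite.Directory"

$Domain   = "contoso.example"        # assumption: one of your tenant's verified domains
$SkuPart  = "O365_BUSINESS_PREMIUM"  # assumption: the license SKU your regular users get
$RoleName = "Exchange Administrator" # assumption: the narrowest role that covers the admin's tasks

function New-InitialPassword {
    # Hypothetical helper: a random one-time password. The user is forced to change it
    # at first sign-in, so it is never the password that stays in use.
    -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
}

# 1. The "regular" account: gets a license (and therefore a mailbox), no administrative role.
$regular = New-MgUser -DisplayName "Jane Doe" -UserPrincipalName "jane.doe@$Domain" `
    -MailNickname "jane.doe" -AccountEnabled -UsageLocation "US" `
    -PasswordProfile @{ Password = (New-InitialPassword); ForceChangePasswordNextSignIn = $true }

$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPart
Set-MgUserLicense -UserId $regular.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 2. The administrative account: no license, so no mailbox to phish or to send from.
$admin = New-MgUser -DisplayName "Jane Doe (admin)" -UserPrincipalName "adm-jane.doe@$Domain" `
    -MailNickname "adm-jane.doe" -AccountEnabled `
    -PasswordProfile @{ Password = (New-InitialPassword); ForceChangePasswordNextSignIn = $true }

# Assign only the role the task needs, not Global Administrator.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $RoleName
if (-not $role) {
    # A built-in role must be activated from its template the first time it is used.
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($admin.Id)" }

# 3. Review: how many Global Administrators exist, and which of them also hold a license (mailbox)?
$ga      = Get-MgDirectoryRole | Where-Object DisplayName -eq "Global Administrator"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All
"Global Administrator members: $($members.Count)"
foreach ($m in $members) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # groups and service principals are not user accounts
    $licensed = (Get-MgUserLicenseDetail -UserId $m.Id).Count -gt 0
    $flag = if ($licensed) { "REVIEW: licensed, has a mailbox" } else { "ok: no license" }
    "{0,-45} {1}" -f $upn, $flag
}
```

The review loop is the part worth running on a schedule: a Global Administrator count that keeps growing, or an entry flagged as licensed, is the signal that a consultant account was never suspended or that someone is doing admin work from their everyday account. Enforce MFA on both accounts through Conditional Access; nothing in this script replaces that.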
Follow these recommendations and you will set up a more secure network.