Admin (Administrative) accounts are user accounts with elevated privileges on a computer system or network, giving the account owner (or administrator) the power to install software, change settings, and access sensitive data. Administrators have access to capabilities that regular users lack, making admin accounts prime targets for cyber-security attacks like malware and hacking.
Admin accounts are like a landlord's master keys for the apartment building they manage. While individual tenants only have access to their own apartment, the landlord's master keys can access every apartment, along with other important rooms within the building. If these keys fell into the wrong hands, every apartment unit in the building would be at risk.
Similarly, to keep systems safe, it is important to follow some basic rules when utilizing admin accounts:
1. Use as few admin accounts as possible
2. Delete admin accounts when no longer needed
3. Limit use of admin accounts to tasks that require admin privilege
4. Disable admin accounts when not in use
5. Use Privileged Access Management (PAM) tools like CyberArk
A responsible landlord would not hand out master keys to each tenant within an apartment building. Instead, they would likely only give the master key to those who have a specific need for it--for example, maintenance workers. Similarly, it is important to limit admin access to people who absolutely need it to do their job. The fewer people who have admin accounts, the fewer chances for hackers to break in.
Old accounts are easy targets for cyber attackers if they are not shut down, especially if those accounts are forgotten. When someone changes roles or leaves the company, their admin access should be removed right away.
Admin accounts should only be used for tasks that require admin privileges, such as managing user accounts and configuring network settings. Do not use admin accounts for everyday tasks like checking email or browsing the Internet. Doing so increases the risk of accidentally exposing the admin accounts to cyber criminals, essentially placing the "master keys" in the wrong hands.
Admin accounts should not always be active. Instead, keep them disabled until they are actually needed, and then turn them off again when the necessary tasks are complete. This limits the time hackers have to try to break in.
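The first four rules above can be checked mechanically against an inventory of admin accounts. The script below is an added example, not a Dartmouth or CyberArk tool; the inventory records, field names, thresholds and everyday-app list are all constructed assumptions standing in for a real directory or PAM export.

```python
from datetime import date

# Assumed policy values; the page sets no numbers, so tune these locally.
MAX_ADMIN_ACCOUNTS = 2
MAX_IDLE_DAYS = 14
EVERYDAY_APPS = {"outlook.exe", "chrome.exe", "firefox.exe"}

# Constructed inventory (hypothetical names and fields).
ACCOUNTS = [
    {"name": "adm-alice", "owner_status": "active", "enabled": True,
     "last_admin_use": date(2024, 5, 30), "recent_processes": ["mmc.exe"]},
    {"name": "adm-bob", "owner_status": "left", "enabled": True,
     "last_admin_use": date(2023, 11, 2), "recent_processes": []},
    {"name": "adm-carol", "owner_status": "active", "enabled": True,
     "last_admin_use": date(2024, 6, 1),
     "recent_processes": ["Chrome.exe", "mmc.exe"]},
    {"name": "adm-dave", "owner_status": "active", "enabled": False,
     "last_admin_use": date(2024, 1, 15), "recent_processes": []},
    {"name": "adm-erin", "owner_status": "active", "enabled": True,
     "last_admin_use": date(2024, 4, 1), "recent_processes": []},
]

def audit(accounts, today):
    """Return (account, rule, detail) findings for rules 1-4."""
    findings = []
    # Rule 1: use as few admin accounts as possible.
    if len(accounts) > MAX_ADMIN_ACCOUNTS:
        findings.append(("*", "rule 1",
                         f"{len(accounts)} admin accounts, limit {MAX_ADMIN_ACCOUNTS}"))
    for acct in accounts:
        # Rule 2: owner left or changed roles, so the account should go.
        if acct["owner_status"] != "active":
            findings.append((acct["name"], "rule 2", "owner no longer needs it: delete"))
            continue
        # Rule 3: everyday applications launched under the admin account.
        procs = {p.lower() for p in acct["recent_processes"]}
        everyday = sorted(EVERYDAY_APPS & procs)
        if everyday:
            findings.append((acct["name"], "rule 3", "everyday use: " + ", ".join(everyday)))
        # Rule 4: still enabled although unused beyond the idle window.
        idle = (today - acct["last_admin_use"]).days
        if acct["enabled"] and idle > MAX_IDLE_DAYS:
            findings.append((acct["name"], "rule 4", f"enabled but idle {idle} days: disable"))
    return findings

if __name__ == "__main__":
    for name, rule, detail in audit(ACCOUNTS, date(2024, 6, 3)):
        print(f"{name:10} {rule}: {detail}")
```

A disabled account such as `adm-dave` produces no rule 4 finding however long it has been idle, which is the state the fourth rule asks for.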
Privileged Access Management (PAM) tools help control who can use admin accounts and when. CyberArk is one such tool that has been approved at Dartmouth for this purpose. It offers the following key features to help ensure security and accountability for admin accounts:
- Credential Vaulting: Securely store and manage privileged credentials in an encrypted vault to reduce the risk of credential theft.
- Session Management: Monitor, control, and record privileged sessions to ensure accountability and security.
- Automated Credential Rotation: Regularly update privileged account passwords to meet security policies and prevent misuse.
- Access Control Policies: Implement granular access controls to ensure that privileged accounts are only used by authorized personnel for approved purposes.
- Audit and Compliance Reporting: Generate detailed reports on privileged account usage to meet compliance requirements and identify potential risks.