The moment an organization uses privileged user accounts on any device or service, their device or networks are at risk to potentially get hacked. Anyone who can get into the system or service will take advantage of this misconfiguration and can have full control over this machine.
For example, a server is hosting a web application and that web application has an SQL Injecton vulnerability. Unfortunately, the web developer used a SQL server ‘admin/root’ account for web application. In this instance, the attacker can read and write files on the server using privileged account access, gaining control of the machine just by using SQL Injection.
Another case of a misconfigured web server is a newly configured windows machine having WAMP server running on it. Now, a hacker discovers the vulnerability, which allows him to upload a web shell on the server. Here the attacker will take over the whole machine by adding new a windows administrator account just by executing system command using web shell because, by default the WAMP server user does not have restrictions to execute privileged system commands.
These were just common examples from a list of misconfigurations of privileged accounts.
The following are steps to avoid the misuse of privileged user accounts:
1. Admin account should be use for administrative purposes only
Administrative account should not use for internet surfing, email reading, document composing or any such activities which are common. Also never configure services to run with administrator privileges (unless it is required to run with admin privileges).
2. Strong hashing and proper permission configurations
Admin password must be complex, hashed with a strong hashing algorithm and the file password hash must have read only permission to the super admin account. Weak strength passwords hashed with old or weak hashing algorithms are not recommended.
3. Multi-factor authentication process
If possible, use 2-factor authentication process for admin account authentication. Especially for highly sensitive activity, admin permission must be granted only after passing 2-factor authentication.
4. Password change policy implementation
In order to maintain system security, the system should prompt users to change their passwords after every 2-3 months and password reuse should be disallowed.
5. Log generation and alerts on sensitive events
System should generate logs for such events which are sensitive or critical. Alerts for adding,deletion or change in user account must notify the administrator.
6. Default password and account must be removed
Before deploying any machine into the production environment, make sure default accounts are not present anymore or the password must be change to strong and custom one. Attackers try for default accounts and passwords first instead of other attacks.
7. Restrict admin account to specific Network/IP
If possible, restrict admin log from specific network or IP so that attacker can’t access it. If the attacker manages to get admin credentials and access due to any misconfiguration, the attacker won’t be able to login to admin account.
These are common things which an admin should consider to reduce the risk of compromising machine due to privilege escalation in a case of misconfigured services and accounts. It’s always good to use the least privileged accounts to run services and keep checking for the things which run on privileged accounts.