A little corner of the Empire on the web.

17 April, 2003

Thoughts on default and recommended security modes and what they reveal about the people expected to use the systems.

When you have a large network, with a large number of servers and a number of network/server administrators, there are essentially two different ways to set up supervisor/administrative rights, and which route you go down reveals a lot about your overall philosophy.

Method 1: Restrict each person's network rights to exactly what they need for day-to-day work and precisely no more. If they do need to do anything else, they can use a specific administrative account (or supervisor account, or superuser, depending on what world you inhabit) to carry out their business.

Method 2: Give all of your administrators' network accounts full administrative privileges to each resource that they might need (or even to everything, depending on the size of the network and the person's role).

There are definite advantages and disadvantages to each approach.

Method one means that your admins' own network accounts only have limited rights. This means that they are a less worrying vector for viruses, they are less likely to cause catastrophic problems by accidentally clicking the wrong thing, and you can control who needs the passwords for the various resources.

The downside is that you can't control who knows the passwords: someone extra will always need one for some reason, or will notice it whilst it is being used for some other reason, and you can only control this by regularly changing your admin passwords and keeping a (secure) database of them all.

Method two means that you can audit who did what: every admin-level action on the network will have an actual person's own ID against it. It also means that work for admins is less of a hassle: fewer passwords, less logging in and out all over the place with 30 different passwords, and less time spent performing quick and easy tasks.

The downside is that if any of your admins happen to become infected by a virus, or are simply having a bad day and making an awful lot of mistakes, then they can wreak havoc on an unparalleled scale.

From what I've seen and experienced, method one is the method that pretty much every network admin training course recommends, and the one most Linux/Unix networks actually carry out ("su" is your friend), whereas, despite the official guidelines, most Microsoft-based shops tend to be configured either as method two or as a mixture of the two.
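One practical check on the auditing trade-off above, added here as an example that is not part of the original post: under method one the shared root account hides who did what, but the `su` session-open line that PAM writes to the auth log still names the human who switched to root, and `sudo` records the person and command for each invocation. The log lines, host name and user names below are constructed for the example; the parser recovers which admin held a root session at a given moment and which commands ran via `sudo`.

```python
import re
from datetime import datetime

# Constructed sample auth-log lines (not from the original post). The shapes
# follow what pam_unix and sudo send to syslog; host and users are made up.
SAMPLE_AUTH_LOG = """\
Apr 17 09:01:12 srv1 su[2301]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Apr 17 09:15:44 srv1 su[2301]: pam_unix(su:session): session closed for user root
Apr 17 10:02:03 srv1 su[2417]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Apr 17 10:03:30 srv1 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/sbin/service httpd restart
Apr 17 10:20:00 srv1 su[2417]: pam_unix(su:session): session closed for user root
"""

# Common syslog prefix: timestamp, then host name.
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SU_OPEN = re.compile(TS + r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): "
                    r"session opened for user root by (?P<who>\w+)\(uid=\d+\)")
SU_CLOSE = re.compile(TS + r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): "
                     r"session closed for user root")
SUDO_CMD = re.compile(TS + r"sudo: +(?P<who>\w+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")

def _t(ts):
    # Syslog timestamps carry no year; the sample lines are all from one day.
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def root_sessions(log_text):
    """Return [(admin, opened, closed)] per `su` to root; closed is None if still open."""
    open_by_pid, sessions = {}, []
    for line in log_text.splitlines():
        if m := SU_OPEN.match(line):
            open_by_pid[m["pid"]] = (m["who"], _t(m["ts"]))   # pair open/close by su's PID
        elif m := SU_CLOSE.match(line):
            who, opened = open_by_pid.pop(m["pid"], (None, None))
            if who:
                sessions.append((who, opened, _t(m["ts"])))
    sessions.extend((who, opened, None) for who, opened in open_by_pid.values())
    return sessions

def sudo_commands(log_text):
    """Return [(admin, command)] for sudo invocations that ran as root."""
    return [(m["who"], m["cmd"]) for m in map(SUDO_CMD.match, log_text.splitlines()) if m]

def who_was_root_at(log_text, ts):
    """Admins holding an open root shell at `ts` (e.g. 'Apr 17 10:05:00'), sorted."""
    t = _t(ts)
    return sorted(who for who, opened, closed in root_sessions(log_text)
                  if opened <= t and (closed is None or t <= closed))
```

This only attributes the session, not each command typed inside it; per-command attribution under method one needs a shell or audit facility that logs commands, which is exactly the gap the post describes.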