Ask the Expert

Can companies benefit by providing root access?

In our company, we have ongoing battles over providing root access to our servers. We have hundreds of applications; some require root access for application administration, or to push applications to the desktop. We have server admins that have root access, and desktop support persons that don't, even though the desktop support team administers the desktop management tools. Where and how should we draw the line between a "server administrator" and an "application administrator?"


Root access is a very dangerous thing, so ultimately you want to restrict it wherever possible. Users with root access can install software or malicious programs. They can reconfigure existing applications and change permissions, possibly inviting all of their friends to the party as well. Root access is the Holy Grail for hackers, since such privileges give them free rein over a device.

Is root access ever OK? Sure. Administrators do have legitimate reasons for such permissions; they may have to configure a server to run applications, for example. But there should be some type of logging or other controls that track what the administrators are doing, if only to provide checks and balances.

So a reasonable approach is to give root access only to those administrators who need to manage a specific application.

What you don't want to do, however, is add a huge amount of administrative overhead to your environment. You may want to look at a tool that manages these user privileges in a granular manner. Cyber-Ark and Cloakware are vendors that provide products for such a situation.

More information:

  • Proper management of root access privileges can limit an enterprise's insider risk. Learn what other controls can prevent the threats from within.
  • Use role-based access control (RBAC) to authorize your organization's users.

This was first published in April 2007.
