Can companies benefit by providing root access?
In our company, we have ongoing battles over providing root access to our servers. We have hundreds of applications; some require root access for application administration, or to push applications to the desktop. We have server admins that have root access, and desktop support persons that don't, even though the desktop support team administers the desktop management tools. Where and how should we draw the line between a "server administrator" and an "application administrator?"
Root access is a very dangerous thing, so ultimately you want to restrict it wherever possible. Users with root access can install software or malicious programs. They can reconfigure existing applications and change permissions, possibly inviting all of their friends to the party as well. Root access is the Holy Grail for hackers, since such privileges give them free reign over a device.
Is root access ever OK? Sure, as administrators do have legitimate reasons for such permissions; they may have to configure a server to run applications, for example. But there should be some type of logging or other controls that track what the administrators are doing, if only to provide checks and balances.
So a reasonable approach is to give root access only to those administrators that need to manage a specific application.
What you don't want to do, however, is add a huge amount of administrative overhead to your environment. You may want to look at a tool that manages these user privileges in a granular manner. Cyber-Ark and Cloakware are vendors that provide products for such a situation.
Proper management of root access privileges can limit an enterprise's insider risk. Learn what other controls can prevent the threats from within.
Use role-based access control (RBAC) to authorize your organization's users.
This was first published in April 2007