
	Home > Ask the Security Experts > Security Management Questions & Answers > Can companies benefit by providing root access?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Can companies benefit by providing root access?

EXPERT RESPONSE FROM: Mike Rothman

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 14 February 2007
In our company, we have ongoing battles over providing root access to our servers. We have hundreds of applications; some require root access for application administration, or to push applications to the desktop. We have server admins that have root access, and desktop support persons that don't, even though the desktop support team administers the desktop management tools. Where and how should we draw the line between a "server administrator" and an "application administrator?"

EXPERT RESPONSE
Root access is a very dangerous thing, so ultimately you want to restrict it wherever possible. Users with root access can install software or malicious programs. They can reconfigure existing applications and change permissions, possibly inviting all of their friends to the party as well. Root access is the Holy Grail for hackers, since such privileges give them free reign over a device.

Is root access ever OK? Sure, as administrators do have legitimate reasons for such permissions; they may have to configure a server to run applications, for example. But there should be some type of logging or other controls that track what the administrators are doing, if only to provide checks and balances.

So a reasonable approach is to give root access only to those administrators that need to manage a specific application.

What you don't want to do, however, is add a huge amount of administrative overhead to your environment. You may want to look at a tool that manages these user privileges in a granular manner. Cyber-Ark and Cloakware are vendors that provide products for such a situation.

More information:

Proper management of root access privileges can limit an enterprise's insider risk. Learn what other controls can prevent the threats from within.

Use role-based access control (RBAC) to authorize your organization's users.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	What's your advice for getting other business units to contribute to crafting an effective information security policy?
	How can organizations secure implanted microchips and RFID tags?
	Any recommendations for recruiting information security pros?
	I am concerned that a former employee will utilize corporate information in a malicious way.
	Is it necessary to grant a full administrative privileges to a security administrator?
	Recently I found my computer's serial number had been reported stolen. Will I face legal repercussions?
	What are the possible benefits of microchip implants and RFID tags for employees?
	Is it against HIPAA regulations to permanently store sensitive information?
	Two-tier distributed systems vs. three-tier distributed systems
	How to prevent software piracy

Creating and Managing Information Security Policies

What's your advice for getting other business units to contribute to crafting an effective information security policy?

Security Awareness Training Essential Part of Infosec Program

Is it necessary to grant a full administrative privileges to a security administrator?

How to lock down instant messaging in the enterprise

Worst practices: Bad security incidents to avoid

Thompson calls for marriage of data and security management

Companies Collecting Too Much Customer Data Increase Exposure

Interview: Arizona CISO David VanderNaalt

Incident response success in five quick steps

Social networking Web site threats manageable with good enterprise policy

Creating and Managing Information Security Policies Research

Directory Services

Directory services and beyond: The future of LDAP

Enterprise role management: Trends and best practices

Identity Management Suites Enable Integration, Interoperability

What should an internal support model for identity management look like?

Security360: Identity management market

Information protection: Using Windows Rights Management Services to secure data

IBM releases simplified Tivoli Identity Manager

Is it secure to use .NET membership class for user authentication?

Sun acquiring Vaau for identity management

What is the best way to securely change the local administrator password in a domain?

Directory Services Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

defense in depth (SearchSecurity.com)

non-disclosure agreement (SearchSecurity.com)

security policy (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy