Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How can root and administrator privileges of different systems be delegated on one account?
Ask The Security Expert: Questions & Answers
EMAIL THIS

How can root and administrator privileges of different systems be delegated on one account?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 30 October 2007
Our organization makes use of a "superuser" account ("root" in Unix and "administrator" in Windows), but I know such accounts are often one of the most exploited and costly methods of gaining unauthorized system access, since no file, device or command is off limits. Is there a way to maintain these accounts while mitigating the risks?

>
Both Unix and Windows have a built-in tool that allows users, on a restricted basis, to conduct only specific tasks as an administrator. In Unix, this tool is called "sudo," and in Windows it's called "runas."

On a Unix systems, for example, an ordinary user -- without administrative privileges -- can use "sudo" to run a utility program that can only be run normally as administrator. The user is only allowed to run that single program as an administrator without being granted higher access for anything else. The same is true for "runas" in Windows. In Unix, the user types "sudo" at the command prompt and is asked for the regular password to their account. In Windows, the user right clicks on the application and chooses "runas" or types "runas" at the command prompt like Unix.

The elevated access is only allowed for running that particular application. Once the user logs out of that application, he/she loses their elevated privileges.

There is a key difference, however, between sudo and runas. Sudo can be finely tuned through the /etc/sudoers property file. Runas can't be customized at the same granular level. The danger with runas is that a malicious user could get access to any application on the system and have complete control of the machine.

Sudo, on the other hand, can be finely tuned to only allow specific users to do certain tasks and, even then, with restrictions. Every user that wants to use sudo has to be added to the sudoers property file and then have the specific privileges spelled out next to the entry with their name.

But there are two caveats with sudo, as well. The sudoers property file should be edited with a tool called visudo, which checks syntax and prevents different administrators from overwriting each other's changes to the file. The other caution is to make sure no user in sudoers is given unlimited administrative access to all applications. That would be the same as giving them full administrative rights and would open the candy store, if the user had malicious intent.

Symark Software offers a commercial product, PowerBroker, to securely delegate root privileges.

For more information:

  • In this expert Q&A, learn how to prevent administrator access to certain documents within a domain group.
  • Application security expert Michael Cobb discusses which tools can keep personally identifiable information (PII) out of access logs.


    • BROWSE BY TAG
    Identity Management and Access Control,   Enterprise User Provisioning Tools,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key
    Can any firm or organization get a digital signature certificate?
    Should the CTO have domain administrator access?

    Enterprise User Provisioning Tools
    Content-aware IAM: Uniting user access and data rights
    Is Identity Management as a Service (IDaaS) a good idea?
    Top tactics for endpoint security
    How to edit group policy objects to give a user local admin rights
    Privileged account management critical to data security
    Making the case for enterprise IAM centralized access control
    Lesson 3: How to implement secure access
    Best practices for a privileged access policy to secure user accounts
    Risk management must include physical-logical security convergence
    PCI compliance requirement 7: Restrict access

    Expert Archive: Identity Management and Access Control
    Enterprise password management policy: Finding the balance
    How to conduct a periodic user access review for account privileges
    Options for a mechanical door security system on a server room door
    Comparing access control mechanisms and identity management techniques
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Could someone place a rootkit on an internal network through a router?
    Should a new user have to confirm an email address to gain access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token and a vendor?
    Using batch files for temporary user access to the local admin group

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    AAA server  (SearchSecurity.com)
    authentication, authorization, and accounting  (SearchSecurity.com)
    federated identity management  (SearchSecurity.com)
    logon  (SearchSecurity.com)
    password synchronization  (SearchSecurity.com)
    RADIUS  (SearchSecurity.com)
    role mining  (SearchSecurity.com)
    user profile  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts