Problem solve Get help with specific problems with your technologies, process and projects.

Can companies benefit by providing root access?

In this SearchSecurity.com Q&A, security management expert Mike Rothman reveals that root access, although dangerous, can be helpful when regulated.

In our company, we have ongoing battles over providing root access to our servers. We have hundreds of applications; some require root access for application administration, or to push applications to the desktop. We have server admins that have root access, and desktop support persons that don't, even though the desktop support team administers the desktop management tools. Where and how should we draw the line between a "server administrator" and an "application administrator?"
Root access is a very dangerous thing, so ultimately you want to restrict it wherever possible. Users with root access can install software or malicious programs. They can reconfigure existing applications and change permissions, possibly inviting all of their friends to the party as well. Root access is the Holy Grail for hackers, since such privileges give them free reign over a device.

Is root access ever OK? Sure, as administrators do have legitimate reasons for such permissions; they may have to configure a server to run applications, for example. But there should be some type of logging or other controls that track what the administrators are doing, if only to provide checks and balances.

So a reasonable approach is to give root access only to those administrators that need to manage a specific application.

What you don't want to do, however, is add a huge amount of administrative overhead to your environment. You may want to look at a tool that manages these user privileges in a granular manner. Cyber-Ark and Cloakware are vendors that provide products for such a situation.

More information:

  • Proper management of root access privileges can limit an enterprise's insider risk. Learn what other controls can prevent the threats from within.
  • Use role-based access control (RBAC) to authorize your organization's users.
  • This was last published in April 2007

    Dig Deeper on Active Directory security

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.