User permissions are not usually something we think of as going hand in hand with cybersecurity, partly because they are not as exciting as the latest ransomware attack, and partly because the subject is simply confusing.
So, to help you understand how they affect your cybersecurity, we are delving into user permissions: what standard and admin users are, how they differ, and how they relate to Cyber Essentials certification.
What is a user?
A user account is an identity created for someone on a computer or computer network. When you sign up for an online groceries account, that creates a user. Likewise, when you first bought the device you are reading this on, you probably set yourself up as a user.
But user accounts do not have to belong to real, living people. Accounts are also created for software rather than humans: service accounts that run programs, and system accounts that own system files and processes. Admin accounts, used for system administration, are another special type.
What is an admin user?
Administrator accounts are created to run tasks that need special permissions. You wouldn’t want just anyone in your organization to have the permissions to install software or access certain confidential files, so putting in place admin users allows you to regulate who can do what.
These administrator accounts should be audited regularly, including changing their passwords and confirming that only the right people still have access.
What’s the difference between admin accounts and user accounts?
Simply put, admin accounts are the type of user with the most authority. They can change and access almost anything on a device. For context, think of the person in IT you would ask to install new software. Every device or system has at least one admin user somewhere.
Standard user accounts are far more limited. How limited depends on the operating system, but as a rule of thumb a standard user cannot install new software or access sensitive files. They can access the files they need for their day-to-day work but are prevented from making serious or permanent changes to the device.
Standard accounts are also much easier to manage than admin users. Using user controls, administrators can place far tighter restrictions on them, from blocking access to certain applications and websites to setting a daily cut-off time.
Although a standard user account can feel limiting, it provides security benefits that will protect you in the event of a breach.
Why are standard accounts safer than admin accounts?
At first glance, the choice between a user and an admin account may seem a simple one. After all, who does not want the ability to change anything they see fit?
However, admin accounts carry an extra security risk. Malware runs with the permissions of the account that launched it, so malware that lands on an admin account can do virtually anything the administrator could. In short, the more permissions your account has, the more damage a cybercriminal can do if they get hold of it.
Conversely, standard accounts offer less flexibility but more security. Malware running under a standard user account is much less likely to cause serious damage: the attacker cannot make system-level changes or reach files beyond those the user can already access. That still includes everything the user can read, so a standard account limits the damage rather than eliminating it, but for the security of your network a 'lower level' account works in your favour.
Why is it important for administrators to own a regular user account?
While there will always be a need for admin accounts in your business, what those accounts are used for matters. Using an admin account for day-to-day activities such as checking email or browsing the web dramatically increases your chances of being breached.
When penetration testers try to compromise a system, they are looking to "gain admin". The same principle applies to cybercriminals, who also aim to gain administrator rights to your system or, better still for them, your network.
Allowing a systems administrator, especially one with domain administrator privileges, to browse the web or read email from their admin account presents an easy target for phishing or impersonation attacks. To counter this, give your admin users a separate standard account for their day-to-day duties.
How do user permissions relate to Cyber Essentials?
User accounts are covered in the Cyber Essentials questionnaire, and there are two sections you must answer: one on user accounts in general and one on administrator accounts.
The first set of questions covers how user accounts are created, who approves their creation, and the processes you have in place for when people leave the organisation or change roles. They apply to every server, laptop, tablet and mobile phone used in your business.
Cyber Essentials states that best practice for user accounts is:
Give users access to only the resources and data necessary for their roles, and no more. All users must have unique accounts, and must not carry out day-to-day tasks such as invoicing or email while logged on as a user with administrator privileges, which permit significant changes to the way your computer systems work.
The second set of questions covers your processes for selecting and setting up admin users, and how access to privileged accounts is regularly audited. Again, this applies to all servers and devices used in your organisation.
How should permissions be set up for users in your business?
Although every organisation has different requirements, there are some recommended best practices to follow.
1. For small and medium-sized enterprises (SMEs), it is recommended that no more than two users in your business have access to the top-level admin accounts of whatever platform you use, for example Domain Admins in Active Directory, or the global administrator role in Microsoft 365 or Google Workspace.
2. Audit these accounts regularly, including who has access to them. In the rush of daily business it is easy for permissions to slip and for admin accounts to end up being used by unauthorised staff.
3. Put in place policies and, if necessary, training to make sure that administrators do not browse the web or read their email using admin accounts.
4. Use two-factor authentication (2FA) or multi-factor authentication (MFA) on both admin and standard user accounts. This adds an extra layer that an attacker must defeat, so a stolen or guessed password alone is not enough.
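Points 2 and 3 above are easy to state and hard to keep true without evidence. The script below is an added example, not code from the original post or from the Cyber Essentials scheme: run elevated on a Windows endpoint, it lists who currently holds local administrator rights and then checks the Security log for interactive or remote-desktop sign-ins by those accounts, which is exactly the "admin account used for daily work" pattern you want to find. It assumes Windows PowerShell 5.1 or later, that Security logging is enabled with its default content, and a 30-day look-back that you should adjust to your own audit cadence.

```powershell
# Added example: audit local admin-group membership and flag admin accounts that
# are being used for ordinary interactive sign-ins. Run from an elevated prompt;
# reading the Security log requires administrator rights.

param(
    [int]$Days = 30   # look-back window (assumption; match it to your audit cycle)
)

# 1. Who is in the local Administrators group right now? Members may be local
#    users, domain users, or groups such as "Domain Admins"; nested group members
#    are not expanded here, so review group entries separately.
$admins = Get-LocalGroupMember -Group 'Administrators'
$adminNames = $admins | ForEach-Object { (($_.Name -split '\\')[-1]).ToLower() }

Write-Host "Members of the local Administrators group:"
$admins | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize

# 2. Successful logons (event ID 4624) inside the window. Keep only logon type 2
#    (interactive, at the keyboard) and 10 (RemoteInteractive, i.e. RDP); these are
#    the sessions someone uses to read email or browse, which an admin account
#    should not be doing. Network (3) and service (5) logons are ignored.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
          -ErrorAction SilentlyContinue

$interactive = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -in '2', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($d.TargetUserName)".ToLower()
            Domain    = $d.TargetDomainName
            LogonType = $d.LogonType
        }
    }
}

# 3. Cross-reference: any admin-group member with interactive sessions is a
#    candidate for a separate standard account for day-to-day work.
$flagged = $interactive |
    Where-Object { $adminNames -contains $_.User } |
    Group-Object User |
    Sort-Object Count -Descending

if ($flagged) {
    Write-Host "`nAdmin-group members signing in interactively in the last $Days days:"
    $flagged | Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
        Format-Table -AutoSize
} else {
    Write-Host "`nNo interactive sign-ins by local admin-group members in the last $Days days."
}
```

Two caveats when reading the output. The membership list is a point-in-time snapshot, so keep each run's output alongside the previous one to spot accounts that were added between audits. And because the match is by user name only, an account that gets admin rights through a nested group (such as a domain group in the local Administrators group) will appear in the membership table but will not be flagged in the sign-in table; for domain admins, run the same logic on the domain controllers or against your directory's own audit logs rather than a single workstation.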
What about the staff working from home (remotely)?
Things become more awkward in our current working environment, with many businesses working from home. In many cases, remote staff will need an admin account on their own device, but not on the organisation's network: it is more practical for them to install software or make changes to their machines than to ask your IT team to do it remotely.
However, most of the recommendations above still apply. Employees must still be educated on the importance of using standard accounts for daily work and of using MFA on all account types.
Setting up admin and user accounts safely should be a simple change, but one that will immediately improve the security of your network. Hopefully this post helps you understand how account permissions work and some best practices for keeping your organisation safe. If you have any questions, get in touch with our team, who are always on hand to help.
Looking to improve your cybersecurity but unsure where to start? Start 2022 the right way by getting certified in Cyber Essentials, the UK government scheme that covers the fundamental technical controls of cybersecurity.
There are many best practices in the cybersecurity market that can improve a business's digital safety and reduce the chances of a potentially devastating cyber-attack.