Admin Access for everybody!

Sometimes access can be needlessly – harmfully – outsized.

That a problem?

How much thought goes into IT when a business is starting out? Most organizations begin with a single person or a group of like-minded people. That group then expands as business needs evolve and become clear.

Whether or not the organization has IT staff, speed usually wins – it’s rare to give computer use more thought than as a tool for getting work done, storing data, and driving sales.

Reasonable, for sure. But there is one issue that computing has wrestled with since just about its inception: how much access to give users. Too much, and the system becomes vulnerable in ways that aren’t obvious until something goes wrong. Too little, and access controls start to feel like they’re getting in the way of working.

Admin

If you’re building a business and working with a few colleagues, sometimes the practice has been to grant everyone the same level of access – so the second person can reach the files and applications used by the first. In doing this, there’s no real thought to potential down-the-road problems; people just need to be up and running. Even where an IT department is involved, the priority is getting people working, not access design in an organization that’s barely begun. And so everyone ends up with admin rights: the ability to install software, change system settings, and modify configurations across the network.

And for years, nothing goes wrong. And for many organizations, nothing going wrong means, ‘why change?’

But every login multiplies the chance of credential theft – someone guessing, or buying on the dark web, a username and password. And if everyone has admin privileges, when one of those sets of credentials gets compromised, the criminal is in fully: customer data, trade secrets, banking logins, whatever’s stored on there.

When something goes wrong

At an accounting practice with eight employees (anonymized), everyone had admin access, set up that way in the early months of the business and never revisited. One employee got an email appearing to be from a vendor with an invoice. They opened the attachment. Because the employee had admin rights, the malware in that attachment silently installed. The criminal was now inside the network with the same access as the employee.

Within hours, the criminal had moved through the firm’s systems, accessed client financial records and found banking credentials stored in a browser. By the time anyone noticed something was wrong, the exposure was significant – and the recovery was slow, expensive and embarrassing.

One employee made one common mistake. It was the admin access that removed the friction that might have slowed things down.

But it didn’t have to be that bad

If that employee had only the access needed for their job – client files relevant to their work, the billing software, shared drives – the criminal’s entry point would have been far more limited. The intrusion would still have been serious. But the effects would have been smaller.

This is the principle behind least-privilege access: each user gets what they need to do their work and nothing more. In practice it means the accounts payable employee can access billing software and the relevant shared folders, but not the server configuration. The project manager can access client files, but not the ability to install software company-wide.

What about criminal movement within the network?

Limiting access is not everything. A determined attacker who gains access to one account can attempt to move to others – using one foothold to reach systems the compromised account couldn’t directly reach. This is possible regardless of the user’s account privilege levels. But admin access makes it a lot easier. Limiting privileges makes an intrusion harder to expand, slower to execute and more likely to be detected before it becomes a crisis.

Every additional barrier a criminal has to cross costs the criminal time and resources, and that increases the chance of detection. The intrusion would still have been serious, but the damage would have had a much better chance of being contained.

The fix is smaller than you think

A permissions review – an examination of who has what access and why – is a straightforward part of a managed IT relationship. At Bryley it’s a fundamental part of how we manage an IT environment.

Most employees don’t need, or even use, the admin rights they have. Access can be right-sized, without removing the functionality people rely on.
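A permissions review of this kind comes down to comparing the access each account has been granted with what its role needs. The sketch below is an added example, not Bryley's tooling: the users, roles, resource names and the `admin` marker are constructed for illustration, and it counts only what a stolen login reaches directly, not movement to other accounts.

```python
# Added example: constructed data, not taken from any real environment.
ADMIN = "admin"  # hypothetical marker for full administrative rights

# Hypothetical role baselines: what each job needs to do its work.
ROLE_NEEDS = {
    "accounts_payable": {"billing_software", "shared_finance"},
    "project_manager": {"client_files", "shared_projects"},
    "it_support": {ADMIN},
}

# Constructed access inventory: (user, role, access currently granted).
ACCOUNTS = [
    ("avery", "accounts_payable", {ADMIN}),
    ("blake", "project_manager", {ADMIN}),
    ("casey", "project_manager",
     {"client_files", "shared_projects", "billing_software"}),
    ("devon", "it_support", {ADMIN}),
]

def all_resources(role_needs):
    """Every non-admin resource named in any role baseline."""
    return set().union(*role_needs.values()) - {ADMIN}

def exposure(granted, role_needs):
    """What stolen credentials for an account with this grant reach directly."""
    if ADMIN in granted:
        return all_resources(role_needs) | {ADMIN}  # admin reaches everything
    return set(granted)

def review(accounts, role_needs):
    """Per user: access beyond the role's needs, and reach before/after right-sizing."""
    findings = {}
    for user, role, granted in accounts:
        before = exposure(granted, role_needs)
        after = exposure(role_needs[role], role_needs)
        findings[user] = {
            "excess": before - after,            # access to remove
            "right_sized": set(role_needs[role]),
            "exposure_before": len(before),
            "exposure_after": len(after),
        }
    return findings

if __name__ == "__main__":
    for user, f in review(ACCOUNTS, ROLE_NEEDS).items():
        print(f"{user}: {f['exposure_before']} -> {f['exposure_after']} reachable; "
              f"remove {sorted(f['excess'])}")
```

Accounts whose role genuinely requires admin come out with no excess; everyone else shows exactly which access can be withdrawn without touching what their job uses.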

Most early technology decisions are practical and done in good faith. The organization that made them and the one that exists today are not the same: what made sense then may no longer serve the business now.

Help is here

Bryley’s managed IT services include a review of your current access environment. If you’ve never looked closely at your permissions, that’s a sensible place to start the conversation. To speak to Bryley’s Roy Pacitto, please complete the form below. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.
