• United States




RSA 2017 notes: privileged accounts and blunders

Feb 16, 20174 mins

Privileged accounts are a necessary evil for a lot of organizations. These accounts allow for users to be able to do work that, in some cases, lead to unfortunate results if misused. But, how many organizations do a good job at tracking and controlling these accounts?

One thing that presented itself during the conversations this week has been around the subject of privilege access control, specifically dealing with privileged accounts. I had to check the calendar at this point to make sure I had not inadvertently slipped into a vortex that threw me back to the late 90s. Am I being inordinately flippant? Only partially to be fair.

Over the years I have had occasion to manage large numbers of servers. I remember all too many times sitting cross legged on the floor in the bone chilling cold of the data center at my old job. I would sit there thinking fondly of the cup of coffee I had to abandon at the mantrap before walking out on to the floor. It was either sitting in the data center or being huddled shoulder to shoulder with co-workers in a room where a Cybex was hooked up for remote access.

Nuts to this I thought. The Windows servers were running remote desktop protocol and there was not sufficient controls separating the production network and the office network.

Long story. I still wake up screaming.

I walked back to my office and connected to my server and waited to see if anyone on the operations desk would notice. I stared blankly at the clock on the wall. Five minutes passed. Twenty minutes passed. Once I almost reached an hour I went about my business getting my systems configured. This continued on for months. I still entered tickets into the system for the work I was doing. I recorded everything I did…with one small exception. On all of the systems I added an account. This account I titled, for the sake of this discussion, “Backup”. This account had privileged access. Administrator access to be succinct.

Now, there was no malice involved in this addition. I put it there in the off chance that I somehow managed to lock myself out of a system. In retrospect I would have kicked my younger self in the seat of the pants but, that damage was already done. For whatever reason, I kept that access control to myself and, thankfully, never had to use it. The uncomfortable thought is whether or not that access still remains in place to this day.

While that was innocent enough, it could have gone badly as that was a local account on every server that had the same password. Flash forward to another former gig and enter stage right, the penetration testing company. I had engaged with a firm to test our security posture. One of the findings that they provided was that there was an administrator account on every server in the enterprise that had the same password. This was the worst kept secret in the company and many people would make system changes that could, and did, have no documented record or ability to track it back to the originator.

This finding was presented to the management and was never fixed. The IT manager at the time said that it was not a vulnerability despite the fact that the penetration testing company gained access to the entire network with that same password.

Privileged access control has been a problem for decades now and it really should have to be. As I was walking over to the Moscone Center today a homeless man walked up to a large group of us waiting to cross Mission Street and screamed, “You are part of the problem!” I ruminated on that as I walked towards the press room and I realized that he’s not wrong.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author