
Tuesday, January 19, 2010

The most dangerous Microsoft account

Hi all,

Another topic that really irks me, and should irk you, is the most dangerous account on a Microsoft system. So many admins completely disregard the impact of it...Can you guess what it is?

User accounts? No.
Power Users? No.
Administrator accounts? Partly, because they are so often used as everyday accounts, but that's not the topic of this post.

Give up? It's the system account.

In the Microsoft world, the system account (LocalSystem, which shows up in process listings as NT AUTHORITY\SYSTEM) is the identity that services such as IIS and SQL Server are very often installed to run under, and most of them really don't need it. A dedicated low-privilege account, or one of the built-in restricted identities such as Network Service, is usually enough.

Going back to the last Knowledge Note, I discussed that Knowledge was a much more powerful ally in the security fight than a particular platform in use. This is never more true than with the system account.

The system account is the most powerful principal on a Microsoft system, more powerful than the administrator account: it holds every privilege the OS defines, including ones that the built-in Administrator does not get by default. So, I ask you, why do you allow anonymous web visitors to reach data on a backend server as the most powerful account possible? That is, in a nutshell, what happens when you run SQL Server as LocalSystem. If the SQL Server is ever compromised, for example through a SQL injection flaw in the web application that reaches a command-execution feature such as xp_cmdshell (off by default since SQL Server 2005, but routinely re-enabled), the attacker executes commands on the database server as SYSTEM, not as some constrained service account.

Running core services (and only the core services required to support the business are running on the server...right?) with more rights than absolutely required is just asking for trouble. It's called the principle of least privilege, something we should all strive for on every system in the enterprise.

Securing your enterprise is hard enough. Accidentally giving an attacker a staging point in your network as either an administrator or as "SYSTEM" just makes your job even harder.

There is no magic solution or magic technology that will cover up a poorly designed system. As a first step, check a sample of external-facing systems (and the systems they connect to) for services running as an administrator or as the system account...Hopefully you won't be in for a surprise when you discover that the principle of least privilege isn't enforced on your system services...It's often overlooked.
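One way to do that first check, as an added example rather than anything from the original post: the script below lists the services on a Windows host that run as LocalSystem or as a direct member of the local Administrators group. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later (Get-LocalGroupMember is not available on older releases), run from an elevated prompt on the host being checked; the parameter name and the "Windows services under %SystemRoot% are hidden by default" heuristic are my own choices, not anything the post prescribes.

```powershell
<#
  Added example, not code from the original post: report services that run as
  LocalSystem or as a member of the local Administrators group on this host.
  Assumes Windows PowerShell 5.1+ on Windows 10 / Server 2016+ (Get-LocalGroupMember),
  run from an elevated prompt. Nothing host-specific is hard-coded.
#>
param(
    # Built-in OS services under %SystemRoot% run as SYSTEM by design; they are
    # hidden by default so the report focuses on application services (SQL, IIS, ...).
    [switch]$IncludeWindowsServices
)

# Ways the service control manager reports the built-in SYSTEM identity.
$systemAccounts = @('localsystem', 'nt authority\system')

# Normalise an account name so ".\svc", "MACHINE\svc" and "svc" compare equal
# to the MACHINE\svc form that Get-LocalGroupMember returns.
function ConvertTo-AccountKey([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    $n = $Name.Trim().ToLowerInvariant()
    $host = $env:COMPUTERNAME.ToLowerInvariant()
    if ($n.StartsWith('.\')) { return "$host\" + $n.Substring(2) }
    if (-not $n.Contains('\') -and -not $n.Contains('@')) { return "$host\$n" }
    return $n
}

# Direct members of local Administrators only: nested domain groups are NOT
# expanded, so an admin-via-group service account will not be flagged here.
$adminMembers = @()
try {
    $adminMembers = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { ConvertTo-AccountKey $_.Name }
} catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
}

$systemRoot = $env:SystemRoot.ToLowerInvariant()

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = if ($svc.PathName) { $svc.PathName.ToLowerInvariant().TrimStart('"') } else { '' }
    if (-not $IncludeWindowsServices -and $path.StartsWith($systemRoot)) { continue }

    $raw = if ($svc.StartName) { $svc.StartName.ToLowerInvariant() } else { '' }
    $reason = $null
    if ($systemAccounts -contains $raw) {
        $reason = 'LocalSystem'
    } elseif ($adminMembers -contains (ConvertTo-AccountKey $svc.StartName)) {
        $reason = 'member of local Administrators'
    }
    if (-not $reason) { continue }

    [pscustomobject]@{
        Service   = $svc.Name
        Account   = $svc.StartName
        RunsAs    = $reason
        State     = $svc.State      # Running services are the live exposure
        StartMode = $svc.StartMode  # Auto-start ones come back after a reboot
        Path      = $svc.PathName
    }
}

$findings | Sort-Object RunsAs, State, Service | Format-Table -AutoSize
```

Run it locally as an elevated user, or push it to the sampled hosts with Invoke-Command -ComputerName ... -FilePath (assuming WinRM is enabled, which the post does not discuss). Read the output for what it is: a service that shows up as LocalSystem is the exact situation described above, while a service that does not show up is not necessarily safe, since the script only sees direct group membership and only the local machine. A SQL Server whose account appears as NT SERVICE\MSSQLSERVER or a plain domain user is already closer to least privilege than one listed as LocalSystem.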

Thanks for reading! Please feel free to let me know your thoughts in the comment section.

Graham Thompson, CISSP
http://www.miw.ca
