The moment an organization use privileged user account to run any device or service on a device, they start risking their device/network to potentially get hacked. Anyone who get into the system/service, will take advantage of this misconfiguration to take over whole control of the machine.
For example, a server is hosting a web application and that web application has SQL Injecton vulnerability. Unfortunatily, web developer used SQL server ‘admin/root’ account for web application. So here attacker can read and write files on server using privileged account and this is how attacker can enter into machine just by using SQL Injection.
Another case of misconfigured web server is, lets suppose there is newly configured windows machine having WAMP server running in it. Now, a bad guy discovered such vulnerability using which he managed to upload web shell on server, here attacker will take over whole machine by adding new windows administrator account just by executing system command using web shell because bydefault WAMP server user is not having restrictions to execute privileged system commands.
These were just common examples from list of misconfiguration of privileged account.
Steps to avoid danger of misuse of privileged user account
1. Admin account should be use for administrator purpose only:-
Administrative account should not use for internet surffing, email reading, document composing purpose or such activity which are common. Also never configure services to run with administrator privileges (untill it is require to run service with admin privileges).
2. Strong hashing and proper permission configureation:-
Admin password must be complex, Hashed with strong hashing algorithm and file having password hash must have read permission only to super admin account.
Weak strenght password hashed with old or weak hashing algorithm is not recommended.
3. Multi-factor authentication process:-
If possible, use 2-factor auhtentication process for admin account authentication. Atleast for highly sensitive activity, admin permission must be granted after passing 2-factor authentication.
4. Password change policy implementation:-
User account password change policy must be configured in such manner, system should prompt user for password change after every 2-3 months and password reuse should not be allowed.
5. Log generation and alerts on sensitive events:-
System should generate logs for such events which are sensitive or criticle. Alert for adding/deletion/change in user account must be notify.
6. Default password and account must be removed:-
Before deplyoing machine in production environment, make sure default account are not present anymore or password must be change to strong and custom one. Attacker try for default account and password first instead of other attacks.
7. Restrict admin account to specific Network/IP:-
If possible, restrict admin log from specific network or IP so that attacker cant access it. In case, if attacker any how manage to get admin credential/access due to any misconfiguration, attacker wont be able to login to admin account.
So, this is just a common things which an admin should consider to reduce the risk area of compromising machine due to privilege escalation in case of mis use of misconfigured service/account. Its always good to use least privileged account to run services and keep checking for the things which comes/run with privileged account.
./init 0