One of the primary capabilities both hackers and ransomware rely on is the ability to execute actions that require admin privileges. With this access, they gain complete control over the system, enabling them to perform tasks such as disabling antivirus software or downgrading security settings, which in turn eases their movement through the system and the network. If they infiltrate a system with only limited privileges, they will seek methods of privilege escalation to elevate their access. This could involve exploiting weak admin passwords or employing more sophisticated techniques.
In my experience, about 80 per cent of the new devices I encounter have users designated as local administrators. This grants them significant control over the machine, making them prime targets if the device is compromised. As a system administrator, I’ve noticed that many IT professionals struggle to relinquish this privilege, often believing they can outsmart any potential attacks and avoid clicking on suspicious links. However, the reality is that malware is far more sophisticated than most users, capable of swiftly identifying and exploiting multiple vulnerabilities within seconds.
In Windows Active Directory domains, it’s common for the IT team members to have membership in the Domain Admins group or possess local admin access, granting them extensive control over every device within the network. This scenario sets the stage for lateral movement: when an Administrator account is compromised, both threat actors and ransomware can freely navigate the network, infecting machine after machine, encrypting all files, and holding them for ransom.
To combat the security risks associated with privileged access, we can follow the guidelines outlined in the Australian Cyber Security’s Essential Eight, specifically the principle of ‘restrict administrative access’. This involves ensuring that all users, including IT staff, have only local user rights on their devices, so that their everyday accounts cannot perform any type of administrative task. Instead, a separate admin account with a strong password should be used exclusively by IT staff for administrative activities such as software installation and maintenance tasks.
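To verify that a device actually meets the ‘local user rights only’ rule, the following PowerShell audit script (an added example, not part of the original article) lists every member of the local Administrators group and flags anything not on an approved list; the approved account and group names in it are assumptions to be replaced with your own break-glass admin account and IT group.

```powershell
# Added example: audit the local Administrators group on a Windows device and
# report any member that is not on the approved list. Report-only by default;
# pass -Remove (optionally with -WhatIf) to strip unapproved members.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Principals allowed to hold local admin rights (assumed names, adjust to your environment).
    [string[]]$ApprovedMembers = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin, password vaulted
        "CORP\IT-LocalAdmins"                # hypothetical AD group used only by IT staff
    ),
    [switch]$Remove
)

# Get-LocalGroupMember ships with the Microsoft.PowerShell.LocalAccounts module
# (Windows PowerShell 5.1 and later). Each member carries Name, ObjectClass,
# PrincipalSource (Local / ActiveDirectory / MicrosoftAccount) and SID.
$members = Get-LocalGroupMember -Group 'Administrators'

$unapproved = $members | Where-Object { $ApprovedMembers -notcontains $_.Name }

if (-not $unapproved) {
    Write-Output "OK: only approved principals hold local admin on $env:COMPUTERNAME"
    return
}

foreach ($m in $unapproved) {
    # Everyday user accounts showing up here are exactly the exposure described above:
    # a phished or compromised user gives the attacker full control of the machine.
    Write-Warning ("Unapproved local admin: {0} ({1}, {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)

    if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        # Removing from Administrators leaves the account in Users, so it keeps working
        # as a standard account; the separate admin account is used for elevation.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
    }
}
```

Run it from an elevated session as the dedicated admin account; across a domain it can be deployed as a scheduled task or through your management tooling so drift back to local admin is caught.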
By implementing this approach, we can significantly hinder and prevent threat actors, malware and ransomware from spreading and causing widespread infection. While it’s important to acknowledge that no security measure is foolproof, creating barriers and obstacles can greatly enhance network and client protection.
Even at home, adopting a similar strategy can bolster security. Setting family members, including oneself, to local user status and safeguarding the admin password can provide control over software installations and protect against potential risks.
To all administrators and IT professionals, I urge you to embrace this approach. By relinquishing administrative privileges and adopting a user-centric mindset, you can enhance security and safeguard both your networks and yourselves.
Thank you for taking the time to explore this technical overview. I trust you found it insightful. Should you have any questions or comments, please don’t hesitate to reach out via email at askatech@mmg.com.au. Your feedback is always appreciated.