How do attackers exploit the lack of this control?
Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious web site, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim’s machine. If the victim’s computer is running with administrative privileges, the attacker can take over the victim’s machine completely and install keystroke loggers, sniffers, and remote control software to find administrator passwords and other sensitive data. The second common technique used by attackers is elevation of privileges after using a vulnerable service or a guessed password to gain access to a server. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of the servers, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges. One of the most common of these attacks involves the domain administration privileges in large Windows environments, giving the attacker significant control over large numbers of machines and access to the data they contain.
How can this control be implemented, automated, and its effectiveness measured?
QW: Inventory all administrative passwords and validate (through automation) that each person with administrative privileges is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard. In testing this control, also ensure that no administrator username/password pairs (domain or local) are reused among systems and applications. In addition to the 12-or-more character password, all administrative access should utilize two-factor authentication.
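As an added example, not part of the original control text, the following script audits an administrative-account inventory against the requirements of this quick win (executive authorization, 12-or-more character passwords, no reuse across systems, two-factor authentication). The hosts, users and inventory records are constructed, and the "fingerprint" field stands in for the stored credential hash.

```python
"""Audit an inventory of administrative accounts against the quick-win
requirements: authorization, 12+ character passwords, no reuse across
systems, and two-factor authentication. The inventory below is constructed."""
from collections import defaultdict

MIN_LENGTH = 12  # FDCC-consistent minimum from the control text

# Constructed sample inventory (hypothetical hosts and users). "fingerprint"
# stands in for the stored credential hash; identical fingerprints on two
# systems mean the same administrative password is in use on both.
INVENTORY = [
    {"system": "ws-01", "user": "Administrator", "fingerprint": "7f3a", "length": 16, "mfa": True},
    {"system": "ws-02", "user": "Administrator", "fingerprint": "7f3a", "length": 16, "mfa": True},
    {"system": "srv-db", "user": "dba_admin", "fingerprint": "c9e1", "length": 9, "mfa": False},
    {"system": "srv-web", "user": "jdoe_adm", "fingerprint": "51bd", "length": 20, "mfa": True},
]

# (system, user) pairs with a senior-executive authorization on record
AUTHORIZED = {("ws-01", "Administrator"), ("ws-02", "Administrator"), ("srv-db", "dba_admin")}


def audit(inventory, authorized, min_length=MIN_LENGTH):
    """Return a sorted list of (system, user, issue) findings; empty means compliant."""
    findings = []
    systems_by_fingerprint = defaultdict(set)
    for acct in inventory:
        system, user = acct["system"], acct["user"]
        if (system, user) not in authorized:
            findings.append((system, user, "no senior-executive authorization on record"))
        if acct["length"] < min_length:
            findings.append((system, user, f"password shorter than {min_length} characters"))
        if not acct["mfa"]:
            findings.append((system, user, "two-factor authentication not enforced"))
        systems_by_fingerprint[acct["fingerprint"]].add(system)
    # Reuse is judged on the password itself, whatever the account name.
    for systems in systems_by_fingerprint.values():
        if len(systems) > 1:
            findings.append(("/".join(sorted(systems)), "*", "same password reused across systems"))
    return sorted(findings)


if __name__ == "__main__":
    for system, user, issue in audit(INVENTORY, AUTHORIZED):
        print(f"{system:14} {user:14} {issue}")
```

Run against a real inventory export, the same function gives the per-account evidence the control asks for, and an empty result is the pass condition.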
QW: Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with superuser privileges.
QW: Ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet.