Network Admin Accounts
If you’re a network admin, think of the power and access your network admin account has.
It used to be fairly common for a Network Administrator or IT Technician to set their user account up with full Domain Admin rights over their Active Directory domain. They would then use this account for their day-to-day emails and for basic fault fixing on countless computers each week.
Think about that for a moment; access to all files, all personal details, DNS, DHCP, the wireless networks… everything. They might have a hybrid Microsoft 365 environment too, with the same password used to access SharePoint, OneDrive, Exchange.
What if that account became compromised? It really doesn’t bear thinking about.
This practice has thankfully died out over the last decade or so, but we still come across it.
If you’re an admin and you’ve got your network and servers locked down as tightly as possible, you’ve got your firewall in place and you’ve got your users’ access restricted perfectly, why jeopardise it all by giving yourself full admin rights and becoming an ‘Insider Threat’ yourself?
IBM discusses ‘Insider Threats’ in their article here: https://www.ibm.com/topics/insider-threats
All it takes is for someone to get hold of your password as you log in to a computer on-site or whilst you’re using public Wi-Fi somewhere. You might even come across an unscrupulous employee/student/visitor who decides to set up a keylogger, and you’ve lost everything.
You are the admin, you have the power to ensure you don’t become a threat to your own network. It’s only laziness or lack of understanding which would allow it to happen.
We’ve worked in schools before where students INSIDE your network are a far greater threat than anyone on the outside. We’ve seen employees have their passwords stolen and ‘curiosity’ leading IT-savvy students to try their luck.
In our opinion it is far safer if you keep a domain admin account safely locked away somewhere, just in case you ever fall off the face of the earth. Your own account should only have the access it needs to get your day-job done.
You may end up using one or two admin accounts with fewer privileges, with access to various parts of the network, but none of them would have full access to everything. If one of them becomes compromised, at least you’ve only put a small part of the network at risk.
Think of it like a series of bubbles, one containing users’ files, one containing emails, one containing your servers, etc… if a bubble is going to get popped, you’re better off losing one of many smaller bubbles than one great big one containing everything.
There are various groups in Active Directory you can add yourself to in order to gain access to certain things, without going the whole hog and giving yourself full Domain Admin rights. Microsoft goes into great detail about them all here.
You should also delegate your rights over the computers and user accounts you need to be able to manage within Active Directory. Do you only need to manage certain users and groups? Do you only create computer accounts in a particular OU?
You can read more about delegating rights here.
Top tip: You can also use this delegation capability to allow key members of staff to reset users’ passwords for you, cutting down on your own helpdesk calls!
Having one user account with full access to everything introduces a single point of failure to your network. As all admins know, we hate a single point of failure!
Do a security check on your user accounts as soon as possible and remove any threat you pose.
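One way to start that security check, as an added example that is not part of the original article: this PowerShell script lists every user account that holds membership (direct or nested) in the built-in high-privilege groups and flags the ones that also have an email address, which is the "day-to-day account with Domain Admin rights" pattern described above. It assumes the ActiveDirectory module (RSAT) is installed and that a populated mail attribute indicates a daily-use account; the output file name is arbitrary.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Built-in groups that grant domain-wide or forest-wide control.
# 'Enterprise Admins' and 'Schema Admins' exist only in the forest root domain.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$report = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect membership is not missed.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not read group '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties mail, LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group           = $group
            Account         = $user.SamAccountName
            Enabled         = $user.Enabled
            # Assumption: a populated mail attribute means the account is
            # also used as someone's everyday identity.
            HasMailbox      = [bool]$user.mail
            LastLogon       = $user.LastLogonDate
            PasswordLastSet = $user.PasswordLastSet
        }
    }
}

# Review these first: enabled, privileged, and apparently used for email.
$report | Where-Object { $_.Enabled -and $_.HasMailbox } |
    Sort-Object Account, Group | Format-Table -AutoSize

# Keep the full list so the next check can be compared against it.
$report | Sort-Object Group, Account |
    Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
```

Because Domain Admins is itself a member of Administrators, the same account can appear under more than one group; that is expected and shows every route by which it holds the privilege.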