User permissions aren’t normally something we associate with cybersecurity. That is partly because the topic isn’t quite as sexy as the latest ransomware attack, but also because of simple confusion about what the different account types actually mean.
So, to help you understand how user permissions affect your cybersecurity, we’re delving into that world. What are standard and admin users? What are the differences between them? And how are they relevant to Cyber Essentials certification?
What is a user?
A user account is an identity created for a person in a computer or computing system. When you sign up for an online groceries account, that’s creating a user. Likewise, when you first purchased the device you’re reading this on, you likely set yourself up as a user.
But user accounts don’t have to be created for real, living, breathing humans. Accounts are also created for machines and for specific jobs: for example, service accounts for running programs, system accounts that own system files and processes, and admin accounts for system administration.
What is an admin user?
Administrator accounts are created to carry out tasks that require special permissions. You wouldn’t want just anyone in your organisation to be able to install software or access certain confidential files, so setting up admin users allows you to control who can do what.
These administrator accounts should be audited regularly, which includes rotating their passwords and confirming that only the right people still have access to them.
What’s the difference between admin accounts and standard accounts?
Simply put, admin accounts are the most powerful type of user. They have the power to do just about anything on a device. For context, think about the person in IT who you need to ask to perform tasks like setting up new software. Every device or system will have at least one admin user somewhere.
Standard user accounts are much more limited. Just how limited often depends on the operating system you use. But, as a rule of thumb, standard accounts can’t install new software or access system-critical files. Usually, they can access the files they need for day-to-day work but are prohibited from making serious or permanent changes to their device.
It’s also important to note that standard accounts are much easier to control than admin users. Using the operating system’s user controls, administrators can place much tighter restrictions on standard accounts – everything from blocking access to certain applications and websites to setting a daily time limit.
Although using a standard user account can appear limiting, it does provide security benefits that can protect you in the event of a breach.
Why are standard accounts more secure than admin accounts?
At first glance, the choice between a user and an admin account might seem like a simple one. After all, who doesn’t want the power to change anything they see fit?
However, admin accounts do come with an added security risk. Because of the permissions granted to admin users, if malware runs under an admin account, the attacker behind it has the power to do virtually anything they want. In essence, the more permissions your account has, the more damage a cybercriminal can do should they gain access to it.
On the other hand, standard accounts offer much less flexibility but greater security. Malware running under a standard user account is less likely to do serious damage: the attacker can’t make system-level changes or access files other than that user’s own. So when it comes to cybersecurity, having a ‘lower level’ account can work in your favour.
Why is it important for administrators to have a standard account?
While it’s inevitable there will always be a need for admin accounts in your business, it matters what those accounts are used for. Using an admin account for day-to-day activities like checking your email or browsing the internet dramatically increases the risk of being breached.
When penetration testers are attempting to compromise a system, they are looking to “gain admin.” And the same principle applies to cybercriminals who also look to gain admin rights to a system or, better still, a network.
Allowing a systems administrator – especially one with domain administrator privileges – to browse the internet or read email from their admin account presents an easy target for hackers using phishing or impersonation attacks. To counter this, give your admin users a separate standard account for their day-to-day duties.
How do user permissions relate to Cyber Essentials?
User accounts are covered in the Cyber Essentials questionnaire, and there are two sections you’ll need to answer.
The questions in the first section deal with how user accounts are created, who approves their creation, and the processes you have in place for when people leave the organisation or switch roles. They apply to any servers, laptops, tablets or mobile phones used in your business.
Cyber Essentials describes best practice for user accounts as:
It is important to only give users access to all the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with email whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.
The questions in the second section tackle your processes for choosing and setting up admin users and how regularly access to privileged accounts is audited. Once again, this applies to all servers and devices used in your organisation.
How should you set up user permissions in your business?
Although every business has different requirements, there are some best practices we recommend you follow.
1. For SMEs, we recommend that no more than two people in your business have access to domain admin accounts for whatever software package you use – for example, Microsoft Office 365 or Google Suite.
2. You should regularly audit who has access to these accounts. In the hustle and bustle of daily business, it’s very easy for user permissions to slip and admin accounts to be used by unauthorised staff.
3. Put in place policies and, if necessary, training to ensure that administrators don’t access the internet or their emails using admin accounts.
4. Use two-factor authentication (2FA) or multi-factor authentication (MFA) on both admin and standard user accounts. This adds an extra layer of security that a cybercriminal has to get through, even if they have obtained a password.
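The audits described above (under “What is an admin user?”, in the second Cyber Essentials section, and in recommendations 1 to 4) are easy to turn into a repeatable check. The script below is an added example, not code from the article’s authors or from the Cyber Essentials scheme: it runs the four recommendations over a constructed account export and reports each violation. The field names (user, type, mfa, mailbox, shared, active_employee, last_review_days) are assumptions about what an identity-provider export might contain, and the sample accounts are invented.

```python
"""Audit an account export against the user-permission recommendations above.

Added example, not from the article. The export format and field names are
assumptions; in practice you would map them from your directory or identity
provider's CSV export.
"""
from collections import Counter

MAX_DOMAIN_ADMINS = 2      # recommendation 1: at most two domain admins (SME)
ADMIN_REVIEW_DAYS = 90     # recommendation 2: how often admin access is re-confirmed (assumed)
ADMIN_TYPES = {"domain_admin", "local_admin"}

# Constructed sample export (not real data). One record per account.
SAMPLE_ACCOUNTS = [
    {"user": "alice",    "type": "domain_admin", "mfa": True,  "mailbox": False, "shared": False, "active_employee": True,  "last_review_days": 20},
    {"user": "bob",      "type": "domain_admin", "mfa": True,  "mailbox": True,  "shared": False, "active_employee": True,  "last_review_days": 20},
    {"user": "carol",    "type": "domain_admin", "mfa": False, "mailbox": False, "shared": False, "active_employee": True,  "last_review_days": 200},
    {"user": "dave",     "type": "standard",     "mfa": True,  "mailbox": True,  "shared": False, "active_employee": False, "last_review_days": 5},
    {"user": "helpdesk", "type": "local_admin",  "mfa": False, "mailbox": False, "shared": True,  "active_employee": True,  "last_review_days": 10},
    {"user": "erin",     "type": "standard",     "mfa": True,  "mailbox": True,  "shared": False, "active_employee": True,  "last_review_days": 5},
]


def audit(accounts, max_domain_admins=MAX_DOMAIN_ADMINS, review_days=ADMIN_REVIEW_DAYS):
    """Return a list of (finding, subject) tuples; an empty list means a clean audit."""
    findings = []

    # Recommendation 1: cap the number of domain admins.
    domain_admins = sorted(a["user"] for a in accounts if a["type"] == "domain_admin")
    if len(domain_admins) > max_domain_admins:
        findings.append(("too_many_domain_admins", ",".join(domain_admins)))

    for a in accounts:
        is_admin = a["type"] in ADMIN_TYPES
        # Recommendation 3: admin accounts should not be used for email.
        if is_admin and a["mailbox"]:
            findings.append(("admin_with_mailbox", a["user"]))
        # Recommendation 4: MFA on every account, admin and standard alike.
        if not a["mfa"]:
            findings.append(("no_mfa", a["user"]))
        # Cyber Essentials: every user needs a unique account.
        if a["shared"]:
            findings.append(("shared_account", a["user"]))
        # Leaver process: accounts of people who have left must be disabled.
        if not a["active_employee"]:
            findings.append(("leaver_still_enabled", a["user"]))
        # Recommendation 2: admin access must be re-confirmed regularly.
        if is_admin and a["last_review_days"] > review_days:
            findings.append(("admin_review_overdue", a["user"]))
    return findings


def summarize(findings):
    """Count findings by type, for a quick overview of where the gaps are."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS)
    for kind, subject in results:
        print(f"{kind:24s} {subject}")
    print(dict(summarize(results)))
```

Run against a real export, the useful output is the per-account list rather than the totals: each line is an action (remove a domain admin, move a mailbox to a standard account, enable MFA, disable a leaver) that you can hand to whoever owns that account.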
What about staff working remotely?
Things do become slightly trickier in our current working environment, with many businesses working remotely. In many cases, staff working from home will need a local admin account for their device. It’s often more practical for employees to be able to install software or make changes to their machine, rather than asking your IT team to do it remotely.
Nevertheless, most of the recommendations above still apply. Your people still need to be educated on the importance of using standard accounts for daily work and using MFA.
That’s all there is to user permissions. Setting up user and admin accounts safely is a simple change, but one that can immediately improve your cybersecurity. Hopefully, this article has helped you better understand how they work and some best practices for keeping your business safe. But if you have any questions, please get in touch; our team is always on hand to help.
Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.