7 Best Practices to Secure System Administrators’ Privileged Accounts

System administrators hold the keys to your organization’s cybersecurity. However, their accounts can also be a source of cybersecurity risks to your company. Both cybercriminals and malicious administrators can exploit the elevated privileges for their own benefit.

In this article, we explore key risks coming from admin accounts and offer seven effective system administrator security best practices for protecting privileged access to your organization’s critical systems and data.

Why system administrators deserve special attention

Keys help you enter your home, but a thief can use them too.

System administrators are employees responsible for installing, maintaining, and configuring an organization’s computer systems, networks, and servers. Working with both hardware and software, they have to follow strict cybersecurity policies to ensure the security of a company’s sensitive data and the entire IT infrastructure.

System administrators have more access rights than other employees. They can:

• Access all files and data within the corporate network
• Create and delete accounts, both regular and privileged
• Assign access rights to user accounts
• Download, upgrade, and remove software
• Modify corporate systems

Depending on an organization’s type and size, system administrators can be categorized as follows:

• Database administrators are responsible for data integrity and the efficiency, maintenance, and performance of the database system.
• Network administrators maintain network infrastructure such as switches and routers and find problems within the network.
• Security administrators handle computer and network security and communicate general security measures to an organization’s staff.
• Web administrators maintain web server services that allow for internal or external access to websites and may also manage software.
• Computer administrators perform routine maintenance and upkeep of computer equipment, such as changing backup tapes or replacing failed drives in a redundant array of independent disks.
• Telecommunications administrators are responsible for maintaining equipment and networks that provide data and voice communication systems, such as telephone, video conferencing, computer, and voicemail systems.

In some organizations, system administrators can take on several or even all of these roles. But since sysadmins have this degree of access, their accounts pose a significant threat to system security.

Top 3 threat vectors for system administrators’ accounts

What can go wrong with your keys?

Because of their elevated access rights, sysadmin accounts carry potential risks for the organization’s cybersecurity. Elevated privileges can harm an organization if they fall into the wrong hands.

If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.

Tim Cook

Major threat vectors related to system administrators’ accounts are:

Let’s take a closer look.

External cyber attacks

A criminal can open the doors with your keys.

Cybercriminals can steal or disrupt an organization’s sensitive data by compromising a sysadmin’s account. It’s especially widespread in the top most targeted industries. While there are a number of ways to compromise a sysadmin’s account, most involve gaining account credentials.

Insider-related credential theft is one of the costliest threats to remediate, with an average of $679,621 per incident according to the 2023 Cost of Insider Threats Global Report.

Compromised administrative accounts can cost substantially more because elevated account privileges grant access to far more valuable assets.

To compromise a sysadmin’s account, cybercriminals can use the following:

• Keylogging malware

Keylogging malware captures users’ keystrokes, thereby acquiring logins and passwords. The information is then sent to an attacker. This malware can be intentionally installed on a computer by a malicious insider or by an outside attacker. Common techniques for installing keylogging malware include drive-by downloads, infected USB devices, and watering hole attacks.

• Phishing techniques

Even the most sophisticated firewall can be useless when social engineering comes in. Cybercriminals can email their victims on behalf of a trusted source and trick the recipients into compromising important data or account credentials. A phishing email may also contain a malicious file. While looking like a regular document, an attachment may have a virus that will infect the system if opened.

• Hacked user databases

Sometimes, e-commerce and social media websites get hacked and their databases along with user credentials end up in cybercriminals’ hands. The problem is that people tend to reuse their passwords for both personal and corporate accounts. As people tend to reuse their passwords for multiple accounts, attackers can successfully use credentials compromised in public breaches against corporate accounts.

• Pass-the-hash attacks

This hacking technique allows an attacker to steal a password hash instead of stealing complete passwords. To perform a pass-the-hash attack, an attacker can dump authenticated user credentials stored in memory or dump the local user’s account database.

• Credential stuffing and password spraying

A credential stuffing attack is possible if an attacker gains access to a list of credentials like passwords and tries to use them against multiple accounts to see if there’s a match. A password spraying attack is performed when a cybercriminal has a list of usernames and tests each username against a list of the most commonly used passwords. They can also try to bypass the limit of repeated password attempts by using multiple IP addresses.

• Vulnerability exploits

Cybercriminals may use system vulnerabilities or system administrators’ negligence to take control over sysadmin accounts. For example, if a sysadmin logs in to a hacked computer, their account can get compromised.

System administrator negligence

Holding the keys entails responsibility.

System administrators themselves are sometimes unwittingly responsible for account compromise. External attacks are frequently successful due to a careless attitude towards performing sysadmin duties.

Let’s take a look at ways administrators might assist in compromising their credentials:

• Logging on to unsecured endpoints

Logging on with administrator accounts to unprotected computers outside an organization’s perimeter may expose such accounts to attackers. This is especially relevant now, in the remote work reality, when even a system administrator may be working from home via their personal laptop. If the unsecured computer is infected with malware or hacked in some other way, the privileged account can be easily compromised.

• Sharing administrative accounts

Instead of having several identities, system administrators may share a single super-admin account to accomplish numerous tasks. For example, someone might use it to set up a new employee’s computer while another person configures the company’s network. When a shared admin account is abused, identifying the perpetrator might be difficult.

If such an account is compromised at one of the endpoints, the entire system is in danger. In addition, it’s much harder to recover or disable such a highly privileged account.

• Using administrative accounts for daily activities

A similar risk is related to using the system administrator account to perform everyday tasks such as checking email, chatting on social media, downloading content, or simply surfing the internet. Though seemingly innocent, these activities conceal a number of ways to compromise an admin account, freeing the perpetrator’s hands to carry out their malicious plan.

Plus, if a compromised account has administrative Active Directory rights, the whole domain may be in danger.

• Using poor password management practices

Poor password handling is unacceptable among system administrators, who are supposed to promote system security instead of exposing the system to risks. Nonetheless, some sysadmins have unhealthy password habits.

To name a few:

• Using the same password for different administrative accounts
• Not updating passwords regularly
• Storing passwords in the browser cache
• Sharing credentials with colleagues

Such negligence paves the way to a compromised admin account.

• Having too many administrative accounts in the system

Overpopulating the system with administrative accounts expands the attack surface. The more administrative accounts you have in an organization’s network, the higher the risk of one of them getting compromised.

In addition, it’s hard to maintain and manage a large number of accounts (rotate passwords regularly, remove access rights that accounts no longer need, track account activity, etc.).

Malicious activity of system administrators

Do you trust the person holding your keys?

As we discussed earlier, full access rights to your organization’s systems provide system administrators with almost unlimited opportunities.

In wicked hands, this power can harm your organization in a variety of ways:

Whether driven by a desire for personal benefit or managed from the outside, as in cases of industrial espionage, malicious insiders are extremely difficult to identify.

Here’s why:

System administrators are good at camouflaging their actions. Elevated access rights allow them to cover traces of cybercrime by using accounts of other employees, deleting applications, and erasing or modifying event logs.

It can take years to detect a crime committed by a malicious sysadmin. For instance, Brandon Coughlin, who was sentenced to prison only in 2017, created an undisclosed administrative account with full access and control of a Pennsylvania clinic group’s computer system just two days after he finished his job at the company back in 2013. He proceeded to make fraudulent technology purchases and delete computer settings and data until mid-2015, when the clinic group finally changed the system administrator’s credentials. His actions caused a financial loss of approximately $60,000 to the group.

Now that we’ve discussed the risks posed by users with elevated privileges, let’s move to local admin best practices for securing your IT infrastructure.

7 security best practices for system administrators’ privileged accounts

How to protect administrator accounts?

There are multiple ways administrative accounts can be compromised. Fortunately, there are local administrator account best practices you can apply to minimize the risks posed by privileged users and sysadmins:

1. Assess the risks posed by system administrators

Think about how your keys can be abused.

Identify all of your critical assets and people who have unrestricted access to them. Think about how many system administrators your organization has. What access rights do they possess? How can you make sure that sysadmins follow your security policies?

Use this information to choose the right security controls and implement an efficient strategy for administrator privileged account security.

2. Establish robust security policies

Describe how everyone should be using your keys.

Make sure you have formal written policies on working with corporate networks and systems. Clearly describe all cybersecurity measures applied within your organization. Take a look at Stanford University’s Guide for System Administrators and the University of Arizona’s Acceptable Use for System Administrators Policy.

Although administrators are cybersecurity professionals themselves, ensure that they are aware of and follow all of your security requirements.

3. Enhance your password management

Don’t just hide the keys under the mat.

Implementing password management best practices is essential both for cybersecurity and compliance purposes. For example, you can find special NIST and HIPAA password requirements you should follow.

Enrich your security policies with a description of healthy password habits, such as creating complex passwords, updating them regularly, and using different passwords for different accounts.

However, this might not be enough.

To secure root and administrator credentials within your organization, apply practices recommended by cybersecurity regulations and standards relevant to your industry.

For example, you can use dedicated password management solutions. Consider Syteca – a universal insider risk management platform with privileged access management (PAM) functionality that will allow you to securely store, deliver, and handle administrative credentials.

4. Use and manage accounts wisely

Keep the keys safe.

Check these helpful tips on how to securely use and manage accounts of system administrators:

• Limit the use of admin accounts. Make sure that your system administrators use their admin accounts only when needed and use regular accounts for daily tasks. Also, try to keep admin accounts signed out. Staying signed in permanently increases the likelihood of account compromise.
• Create separate accounts for different admin duties. Create separate roles for your admins based on the tasks they need to perform and the level of access required. You can create one super admin account and multiple role-based (less privileged) admin accounts. This will help you limit the amount of power held by each admin and minimize the scope of possible privilege abuse. To find out more about role-based access control (RBAC) and attribute-based access control (ABAC), you can refer to our article on the differences between ABAC and RBAC.
• Avoid using shared admin accounts. Sharing one administrator account with multiple users makes it impossible to monitor and audit actions of particular users. If you have no other choice but to use a shared account, consider applying secondary authentication, as it helps to identify actions of individual users of a shared account.

To manage administrative accounts more efficiently, you can use the PAM capabilities of Syteca. It will allow you to configure different levels of access for your sysadmins’ accounts.

5. Restrict access to critical systems

Do not just give the keys to everyone. And keep the doors shut.

Elevated access permissions are what make system administrators’ accounts so attractive to malicious users. To minimize the chances of a system administrator’s account being compromised, consider implementing the principle of least privilege, providing your admin users only with the rights they need to perform their direct duties. If you want to secure your critical assets even more, think about deploying the zero trust model, where only verified users get to access protected data and systems.

If you decide to implement the above concepts, Syteca’s PAM functionality can help you with that. Syteca will enable you to:

• Get full visibility over all accounts of system administrators and regular users
• Manage system administrators’ access rights in your infrastructure
• Secure remote access of sysadmins to critical endpoints
• Verify identities of your system administrators with the help of two-factor authentication

Given that, Syteca can help you minimize the chances of malicious actors accessing your corporate network even if they manage to compromise an admin account.

6. Monitor system administrators’ activity

Get your house a surveillance system.

Ensuring proper privileged user monitoring and audit is a great way to enhance your cybersecurity. Records of user sessions will provide you with information on who did what, where, and when. Also, these records can be used as evidence during a cybersecurity incident investigation.

Syteca will allow you to:

• Monitor the activity of your system administrators and other users and record it in a video format
• Watch recorded and live user sessions in an intuitive YouTube-like player
• Search by a variety of factors, including launched applications, visited websites, typed keystrokes, executed commands and scripts, and more
• Manage all USB devices used by system administrators in your infrastructure and block unapproved devices automatically
• Export monitoring data via a set of customizable reports and conduct an internal audit of all sysadmin activity performed inside Syteca

With the help of Syteca, you can ensure compliance with major cybersecurity standards and regulations.

7. Create a solid incident response plan

Protect your house with an alarm system.

Create a well-thought-out plan for what your personnel will do if a system administrator’s account is compromised. Writing down procedures will help your staff effectively react on time in a critical situation. An incident response plan will help minimize the damage caused by an external attacker or an insider.

Think about optimizing and automating security incident handling in your organization.

With Syteca’s automated incident response, you can:

• Receive email notifications about suspicious events and respond in a timely manner
• Respond to detected threats automatically by blocking users/processes, or by showing a violator a warning message

Conclusion

It’s hard to overstate the role of system administrator cybersecurity in organizations’ well-being. Similarly, it’s easy to underestimate the risks system administrators pose with their elevated privileges. Whether done by a skilled hacker or a malicious insider, privilege exploitation can severely damage your security system and sensitive data.

To avoid this, follow the system administration best practices we have discussed in this article. Securing administrative accounts implies assessing possible risks and establishing effective policies for using such accounts.

As an efficient insider risk management platform, Syteca can help you properly secure access for IT admins. With our reliable activity monitoring, automated incident response, and access management functionalities, you can considerably reduce the likelihood of privileged account compromise in your organization.