Today on Twitter a friend of mine posted that the AV on his SQL Server flagged two trojans that were tied to an IT person in his organization. Naturally I asked about whether they were using two levels of accounts. The answer was, "No." Two accounts? Whatever for?
- The first account, which doesn't have administrative rights anywhere, is what is used day-to-day. It is what you use to check email, compose documents, etc.
- The second account, which has the elevated rights, is never used directly on the workstation. It may be used to log into a server via RDP, etc.
The reason for the two levels is that if a piece of malware does come through, it runs under the context of the first account (unless it exploits a vulnerability which allows privilege escalation... patching helps mitigate that). That account doesn't have special rights anywhere, so the amount of damage that can be done is limited. Certainly if one's lower-privilege account gets hit, it means none of the servers are in danger (previous proviso excepted).
Using the second account takes a little getting used to, but it's not hard. Basically you're going to use Run as different user (hold Shift and right-click the icon) or, for anything you can launch from the command line, runas /user:*username* *application*. Either way only that one process runs as the privileged user; the rest of your session, including email and the browser, keeps running as the low-privilege account.
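As an added example (not code from the original post), here is a small PowerShell wrapper that does what the runas command above does, with two guardrails that enforce the two-account model: it refuses to run if the day-to-day session already has admin rights, and it refuses if the "elevated" account is the same identity as the one logged on. The account name, host name and tool are constructed placeholders; it assumes Windows 10/11 or Server 2016+.

```powershell
function Test-CurrentSessionIsAdmin {
    # True if the account running this shell holds local Administrators rights.
    # Under the two-account model this should never be true for the day-to-day user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AsElevatedAccount {
    param(
        [Parameter(Mandatory)] [string]   $FilePath,      # tool to launch, e.g. 'mstsc.exe'
        [string[]]                        $ArgumentList,  # optional arguments for the tool
        [Parameter(Mandatory)] [string]   $AdminAccount   # e.g. 'CONTOSO\jdoe-adm' (placeholder)
    )

    # Guardrail 1: if this interactive session already has admin rights, the separation
    # the post describes is not in place. Stop rather than keep working that way.
    if (Test-CurrentSessionIsAdmin) {
        throw "This session already runs with administrative rights; do daily work from a non-admin account."
    }

    # Guardrail 2: the elevated account must be a different identity from the logged-on one.
    $current = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($AdminAccount -ieq $current) {
        throw "Elevated account must differ from the logged-on account ($current)."
    }

    # Prompt for the elevated account's password; the credential lives only in this process.
    $cred = Get-Credential -UserName $AdminAccount -Message "Password for $AdminAccount"

    # Equivalent of 'runas /user:<AdminAccount> <application>': only the child process runs
    # as the privileged user, while Explorer, mail and the browser stay as the normal user.
    $params = @{ FilePath = $FilePath; Credential = $cred }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# Usage (placeholder host and account):
# Start-AsElevatedAccount -FilePath 'mstsc.exe' -ArgumentList '/v:sql01' -AdminAccount 'CONTOSO\jdoe-adm'
```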
This is a relatively simple security control to implement. It does mean remembering two passwords and maintaining two sets of accounts. But it stops malware that arrives through the normal vectors and lands in the day-to-day account from riding that account's rights downstream into other systems.