Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Why having two accounts is a good thing

Today on Twitter a friend of mine posted that the AV on his SQL Server flagged two trojans that were tied to an IT person in his organization. Naturally I asked about whether they were using two levels of accounts. The answer was, "No." Two accounts? Whatever for?

  • The first account, which doesn't have administrative rights anywhere, is what is used day-to-day. It is what you use to check email, compose documents, etc.
  • The second account, which has the elevated rights, is never used directly on the workstation. It may be used to log into a server via RDP, etc.

The reason for the two levels is that if a piece of malware does come through, it runs under the context of the first account (unless it exploits a vulnerability which allows privilege escalation... patching helps mitigate that). That account doesn't have special rights anywhere, so the amount of damage that can be done is limited. Certainly if one's lower-privilege account gets hit, it means none of the servers are in danger (previous proviso excepted).

Using the second account takes a little getting used to, but it's not hard. Basically you're going to use Run as Different User by holding shift and right-clicking on the icon or, by using runas /user:*username* *application* if it can be seen from the command-line. This ensures that only the process runs as the privileged user, meaning it's protected.

This is a relatively simple security control to implement. It does mean remembering two password and maintaining two sets of accounts. But it mitigates an account being infected by the normal vectors for malware and then other systems downstream getting hit.


Comments

Posted by dyfhid on 22 April 2011

Brian,

Great article, this will be shared with the team!

David

Posted by Christopher G.S. Johnson on 22 April 2011

I never encountered the set-up to which you are referring, Brian, until I started in current position with a government contractor.  Having always had administrator/elevated rights accounts in the past, I can definitely say that it takes some getting used.

Posted by Jason Brimhall on 22 April 2011

Agreed - it takes getting used to but is useful.

Leave a Comment

Please register or log in to leave a comment.