Reduced malware infection and propagation: Malware (such as SQL injections) would be denied the privileges necessary to elevate processes that allow it to install or execute.

As with privileged accounts, applications can be compromised, with the threat actor then able to leverage the elevated privileges of the application to further their attack.

A condensed attack surface: Limiting privileges for people, processes, and applications means the pathways and ingresses for exploit are also diminished.

For instance, some apps might request access to sensitive resources or require a higher level of privileges to perform a function. In addition to privileged accounts, a least privilege strategy will also need to account for privileged processes within applications, services, etc.

Because administrative accounts possess more privileges, and thus pose a heightened risk if compromised or misused compared to standard user accounts, a best practice is to only use these administrator accounts when absolutely necessary, and for the shortest time needed. While most non-IT users should, as a best practice, only have standard user account access, some IT roles (such as a network admin) may possess multiple accounts, logging in as a standard user for routine tasks, while logging into a superuser account to perform administrative activities.

Have access that is even more restricted than standard user accounts.

In a least privilege environment, these are the type of accounts that most users should be operating in 90 – 100% of the time. Sometimes called least-privileged user accounts (LUA) or non-privileged accounts, have a limited set of privileges.

There are many different types of privileged accounts, but superuser accounts are the most powerful, and, if misused, the most dangerous.
In Linux and Unix-like (including Mac) systems, the superuser account, called ‘root’, is virtually omnipotent over the system, while in Windows systems, the Administrator account holds superuser privileges. Superuser account privileges can include full read/write/execute privileges, and the power to render systemic changes across a network, such as creating or installing files or software, modifying files and settings, and deleting users and data. Primarily used for administration by specialized IT employees, may have virtually unlimited privileges, or carte blanche, over a system.