Shadow admin accounts are overprivileged user accounts that were inadvertently assigned. If a hacker compromises a shadow admin account, this poses a high risk to company security. Silverfort lists best practices against accounts with too high privileges.
If an attacker can hijack privileged accounts and access their target systems, this massively endangers an entire network. However, identifying shadow admins and restricting their privileges is not an easy task. The following explains how shadow administrators emerge and what measures companies can take to effectively contain this hidden danger.
This is how shadow administrator accounts are created
Human error or incorrect management of user rights
Inexperienced admins can create shadow admins by mistake or because they don't fully understand the implications of direct permission assignments. Even if there are no malicious intentions behind such shadow administrator accounts, they can still pose a risk to the environment by allowing users unauthorized access to sensitive resources.
Temporary permissions that have not been revoked
Although this is considered bad practice, in some cases IT admins grant accounts temporary permissions that make users shadow admins with the intention of removing those permissions at a later date. While this can solve immediate problems, these permissions are often retained, leaving these accounts with unattended administrative privileges.
Shadow admins created by attackers
Once an attacker gains administrative privileges, they can set up a shadow administrator account to hide their activities.
In each of the three cases above, shadow admins pose a risk to the organization as they allow unauthorized individuals to perform activities that they should not be performing. The fact that these accounts are not monitored not only means that access to them is not restricted because the company is unaware of their existence, but also that unauthorized access and changes can go undetected. In some cases, such activities are only discovered when it is already too late, for example when an attacker exfiltrates sensitive data.
A closer look at shadow admins
A shadow administrator is a user who is not a member of an Active Directory (AD) administration group. However, this user has corresponding rights that allow him to acquire further administrative skills. These include:
- Full control rights (user or group)
- Write all properties (for a group)
- Reset password (for one user)
- All extended rights (for one user)
- Change permissions (user or group)
- Write member (for a group)
- write owner (user or group)
- The actual owner (user or group)
Additionally, any user who can take control of a shadow admin of any level is also considered a shadow admin. An example:
Legitimate Administrator: Bob is a domain admin (a member of the Domain Admins group). This means Bob has administrative access to Active Directory.
Level 1 Shadow Admin: Alice is not a member of the domain administrators group. However, Alice has the ability to reset Bob's password. Therefore, Alice can reset Bob's password, log in as Bob, and perform tasks that require domain administrator privileges on his behalf. This makes Alice a shadow admin.
Level 2 Shadow Admin: Larry can reset Alice's password. This allows him to log in as Alice, in turn change Bob's password, then log in as Bob and perform tasks that require domain administrator privileges. This makes Larry a second-level shadow admin. And it's not just Larry: there may be another shadow administrator who can reset Larry's password and so on. An organization can potentially have a large number of shadow administrators in its network.
How to track down shadow admins
Identifying shadow admins is a difficult and complex problem. First, managers need to identify who their administrators are: that is, all users who belong to the Active Directory groups that give them administrative privileges. Some AD groups are obvious, like the "Domain Admin" group. Some groups less, however, as many organizations create different administrative groups for different business purposes. In some cases there are even nested groups. It is important to capture all members of these groups. Mapping group memberships must take into account not only the user identities that appear in the member list, but also the configurations of the users' primary group IDs.
Understanding the members of administrative groups in Active Directory is an important first step, but it is not enough to identify all privileged accounts in the domain. The reason for this is that the shadow admins are not one of them. To track down the shadow admins, officials must analyze the Access Control List (ACL) permissions granted to each account.
Analyzing ACL permissions manually - a never-ending task
As discussed above, to track down shadow admins, those responsible for tracking down shadow admins must analyze the ACL permissions of each account in AD to determine whether the account has permissions for administrative groups or individual admin accounts. This in itself is a very difficult, if not impossible, manual task.
Martin Kulendik, Regional Sales Director DACH at Silverfort (Image: Silverfort).
If responsible persons are able to carry out this analysis, they receive the first level of shadow administrators. But that's not enough - all ACLs must now be re-analyzed to understand who has permission to modify these first-level shadow admins. And this process must continue until all levels of existing shadow administrators are uncovered. If responsible persons also find a shadow administrator group, this complicates things further. The bottom line is that this analysis is not a manual task.
UIP: Automatic identification of shadow admins
Unified Identity Protection is a new technology that consolidates an organization's existing IAM security controls and extends them to all of the organization's users, assets, and environments. Through its agentless and proxyless architecture, this solution can monitor all access requests from users and service accounts across all assets and environments, and extend high-precision risk-based analysis, conditional access and multi-factor authentication policies to all resources in the hybrid enterprise environment to cover
The protective measures can also be extended to assets that could not previously be protected. These include, for example, homegrown and legacy applications, critical infrastructure, file systems, databases and admin access tools such as PsExec, which currently allow attackers to bypass agent-based MFA.
Unified Identity Protection Platform
In addition, a unified identity protection platform automatically identifies shadow admin accounts that should be reviewed to determine whether their permissions are legitimate or not. The technology periodically queries Active Directory to get the various ACLs of all objects in the domain. It automatically identifies the common administrator groups. The solution then analyzes the ACLs looking for shadow admin users and groups that have the same rights as the members of those admin groups - rights that effectively make them shadow admin accounts/groups. The program analyzes the ACLs as often as needed to identify all levels of shadow admin accounts and groups and ensure those responsible have full visibility into these potentially malicious accounts.
AD admins should then review this comprehensive list to determine whether or not the permissions of these shadow admin accounts and groups are legitimate, and whether they should be restricted or monitored.
Continuous monitoring of all access requests
In addition, a unified identity protection solution continuously monitors and analyzes all access requests within the domain. It considers shadow admins to be high-risk accounts. The technology automatically and in real-time identifies sensitive activity, such as an attempt to reset a user's password, and either issues an alert or prompts the user to verify their identity with multi-factor authentication (MFA) before doing so Allow password reset. This can prevent unauthorized changes to user accounts, as well as unauthorized access to sensitive resources on the network.
With Unified Identity Protection, organizations can thus manage and protect all their assets across all environments with consistent policies and visibility to effectively counter the multiple identity-based attack vectors, including the risks posed by shadow administrators.
More at Silverfort.com
About Silverfort Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls in corporate networks and cloud environments in order to ward off identity-based attacks. Through the use of innovative agent-free and proxy-free technology, Silverfort integrates seamlessly into all IAM solutions, standardizes their risk analysis and security controls and extends their coverage to assets that previously could not be protected, such as self-developed and legacy applications, IT infrastructure , File systems, command-line tools, machine-to-machine access and more.