User Accounts: Hidden Danger From Shadow Admins

9 May 2022
| No comments
Advertising

Share post

Shadow admin accounts are overprivileged user accounts that were inadvertently assigned. If a hacker compromises a shadow admin account, this poses a high risk to company security. Silverfort lists best practices against accounts with too high privileges.

If an attacker can hijack privileged accounts and access their target systems, this massively endangers an entire network. However, identifying shadow admins and restricting their privileges is not an easy task. The following explains how shadow administrators emerge and what measures companies can take to effectively contain this hidden danger.

Advertising

This is how shadow administrator accounts are created

Human error or incorrect management of user rights

Inexperienced admins can create shadow admins by mistake or because they don't fully understand the implications of direct permission assignments. Even if there are no malicious intentions behind such shadow administrator accounts, they can still pose a risk to the environment by allowing users unauthorized access to sensitive resources.

Temporary permissions that have not been revoked

Although this is considered bad practice, in some cases IT admins grant accounts temporary permissions that make users shadow admins with the intention of removing those permissions at a later date. While this can solve immediate problems, these permissions are often retained, leaving these accounts with unattended administrative privileges.

Advertising

Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month



By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy Policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy Policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.

CleverReach

This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/. The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at: https://www.cleverreach.com/de/datenschutz/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Shadow admins created by attackers

Once an attacker gains administrative privileges, they can set up a shadow administrator account to hide their activities.

In each of the three cases above, shadow admins pose a risk to the organization as they allow unauthorized individuals to perform activities that they should not be performing. The fact that these accounts are not monitored not only means that access to them is not restricted because the company is unaware of their existence, but also that unauthorized access and changes can go undetected. In some cases, such activities are only discovered when it is already too late, for example when an attacker exfiltrates sensitive data.

A closer look at shadow admins

A shadow administrator is a user who is not a member of an Active Directory (AD) administration group. However, this user has corresponding rights that allow him to acquire further administrative skills. These include:

  • Full control rights (user or group)
  • Write all properties (for a group)
  • Reset password (for one user)
  • All extended rights (for one user)
  • Change permissions (user or group)
  • Write member (for a group)
  • write owner (user or group)
  • The actual owner (user or group)

Additionally, any user who can take control of a shadow admin of any level is also considered a shadow admin. An example:

Legitimate Administrator: Bob is a domain admin (a member of the Domain Admins group). This means Bob has administrative access to Active Directory.

Level 1 Shadow Admin: Alice is not a member of the domain administrators group. However, Alice has the ability to reset Bob's password. Therefore, Alice can reset Bob's password, log in as Bob, and perform tasks that require domain administrator privileges on his behalf. This makes Alice a shadow admin.

Level 2 Shadow Admin: Larry can reset Alice's password. This allows him to log in as Alice, in turn change Bob's password, then log in as Bob and perform tasks that require domain administrator privileges. This makes Larry a second-level shadow admin. And it's not just Larry: there may be another shadow administrator who can reset Larry's password and so on. An organization can potentially have a large number of shadow administrators in its network.

How to track down shadow admins

Identifying shadow admins is a difficult and complex problem. First, managers need to identify who their administrators are: that is, all users who belong to the Active Directory groups that give them administrative privileges. Some AD groups are obvious, like the "Domain Admin" group. Some groups less, however, as many organizations create different administrative groups for different business purposes. In some cases there are even nested groups. It is important to capture all members of these groups. Mapping group memberships must take into account not only the user identities that appear in the member list, but also the configurations of the users' primary group IDs.

Understanding the members of administrative groups in Active Directory is an important first step, but it is not enough to identify all privileged accounts in the domain. The reason for this is that the shadow admins are not one of them. To track down the shadow admins, officials must analyze the Access Control List (ACL) permissions granted to each account.

Analyzing ACL permissions manually - a never-ending task

As discussed above, to track down shadow admins, those responsible for tracking down shadow admins must analyze the ACL permissions of each account in AD to determine whether the account has permissions for administrative groups or individual admin accounts. This in itself is a very difficult, if not impossible, manual task.

Martin Kulendik, Regional Sales Director DACH at Silverfort

Martin Kulendik, Regional Sales Director DACH at Silverfort (Image: Silverfort).

If responsible persons are able to carry out this analysis, they receive the first level of shadow administrators. But that's not enough - all ACLs must now be re-analyzed to understand who has permission to modify these first-level shadow admins. And this process must continue until all levels of existing shadow administrators are uncovered. If responsible persons also find a shadow administrator group, this complicates things further. The bottom line is that this analysis is not a manual task.

UIP: Automatic identification of shadow admins

Unified Identity Protection is a new technology that consolidates an organization's existing IAM security controls and extends them to all of the organization's users, assets, and environments. Through its agentless and proxyless architecture, this solution can monitor all access requests from users and service accounts across all assets and environments, and extend high-precision risk-based analysis, conditional access and multi-factor authentication policies to all resources in the hybrid enterprise environment to cover

The protective measures can also be extended to assets that could not previously be protected. These include, for example, homegrown and legacy applications, critical infrastructure, file systems, databases and admin access tools such as PsExec, which currently allow attackers to bypass agent-based MFA.

Unified Identity Protection Platform

In addition, a unified identity protection platform automatically identifies shadow admin accounts that should be reviewed to determine whether their permissions are legitimate or not. The technology periodically queries Active Directory to get the various ACLs of all objects in the domain. It automatically identifies the common administrator groups. The solution then analyzes the ACLs looking for shadow admin users and groups that have the same rights as the members of those admin groups - rights that effectively make them shadow admin accounts/groups. The program analyzes the ACLs as often as needed to identify all levels of shadow admin accounts and groups and ensure those responsible have full visibility into these potentially malicious accounts.

AD admins should then review this comprehensive list to determine whether or not the permissions of these shadow admin accounts and groups are legitimate, and whether they should be restricted or monitored.

Continuous monitoring of all access requests

In addition, a unified identity protection solution continuously monitors and analyzes all access requests within the domain. It considers shadow admins to be high-risk accounts. The technology automatically and in real-time identifies sensitive activity, such as an attempt to reset a user's password, and either issues an alert or prompts the user to verify their identity with multi-factor authentication (MFA) before doing so Allow password reset. This can prevent unauthorized changes to user accounts, as well as unauthorized access to sensitive resources on the network.

With Unified Identity Protection, organizations can thus manage and protect all their assets across all environments with consistent policies and visibility to effectively counter the multiple identity-based attack vectors, including the risks posed by shadow administrators.

More at Silverfort.com

 

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls in corporate networks and cloud environments in order to ward off identity-based attacks. Through the use of innovative agent-free and proxy-free technology, Silverfort integrates seamlessly into all IAM solutions, standardizes their risk analysis and security controls and extends their coverage to assets that previously could not be protected, such as self-developed and legacy applications, IT infrastructure , File systems, command-line tools, machine-to-machine access and more.

 

Matching articles on the topic

Over 130.000 data breaches in Europe in 2024

In the 15 European nations, there were over 2024 data breaches every day in 365, according to the results of a recent analysis. In Germany ➡ Read more

DDoS attacks: the most important means of cyber warfare

In the second half of 2024, there were at least 8.911.312 DDoS attacks worldwide, according to the results of a recent DDoS Threat Intelligence Report. ➡ Read more

Cybercrime: Russian-speaking underground is leading

A new research report provides a comprehensive insight into the Russian-speaking cyber underground, an ecosystem that has fueled global cybercrime in recent ➡ Read more

Cyber ​​Resilience Act: Companies should act now

The Cyber ​​Resilience Act (CRA) is coming in leaps and bounds. This means that manufacturers will soon no longer be able to ➡ Read more

Use of AI/ML tools increased by 3000 percent

AI/ML tools are popular, according to the findings of a recent threat report. However, their increased use also brings with it security risks. Cybercriminals ➡ Read more

Vishing: Criminals rely on voice phishing attacks

Using AI-generated deepfakes, cybercriminals imitate trusted voices. Vishing exploded in the second half of 2024, according to the results of a ➡ Read more

Digital Trust Index: Trust in digital services is declining

Digital trust or fear of a data breach influences whether consumers turn to or away from brands, according to the results ➡ Read more

Software security is inadequate in half of the companies

The 15th edition of the "State of Software Security Report", which is based on a comprehensive dataset of 1,3 million individual applications and 126,4 million ➡ Read more

Stories
, , , , ,