The first time I really felt like I was a system administrator was when the Unix systems administrator in the IT unit I worked for at an Australian University went on leave for three months. During this time I was responsible for all of the servers that he had managed, which included all minor departmental servers, not just the scattered ones I looked after, as well as the important faculty level servers. Although I’d been responsible for a couple of minor departmental servers before then, this was the first time I really worked without a safety net as, without this guy around, there was no one within reach who could help me out if something went wrong.
When he was performing the handoff, I noticed something interesting. The administrator and root accounts for all the servers he was responsible for used exactly the same password. The root account password for the faculty web server (a DEC Alpha running UNIX) was the same as the password for the Administrator account in the faculty Windows NT 4 domain. I knew that the process was questionable even if it did make the handoff very simple.
After the administrator returned from his trip, he didn’t change passwords on any of the systems. When I left that position a year later, the servers all still had the same password. This was definitely a case where convenience triumphed over good security practice.
It’s no news to anyone that people hate the process of updating their passwords and that people hate having separate passwords for separate services and systems. Ordinary users don’t have much choice when it comes to having to update their passwords because they can’t change the policies enforced by IT. They change passwords because they have to, not because they have any deep appreciation of the arguments about password security.
System administrators are in a position where they can get around these policies. In talking with many of them, a sizable number will sheepishly admit that they don’t change their passwords, even though they force the users with normal user accounts to do this. The system administrators who do change their passwords regularly don’t do so out of any deep appreciation of the arguments around password security. It’s usually because there is an auditing or enforcement mechanism in place that raises an alert if they don’t change their password.
Regularly changing administrator account passwords is even more important than regularly changing unprivileged user account passwords. If an attacker gets the password of an administrative assistant, there is only a certain amount of mischief that they can perpetrate. If an attacker gets the password of a systems administrator, the entire organization’s infrastructure is at risk. Administrator passwords need to be subject to more stringent security requirements because the consequences if these accounts are compromised are much greater.
It’s vital for organizations to perform regular checks to ensure that system administrators are updating their passwords on a regular basis. If these checks aren’t performed, there is little reason to believe that system administrators will do the right thing of their own accord. A system should be in place where a notification is raised each time a privileged account password has not been updated within a defined period. This allows you to be sure that the passwords are being updated on a regular basis. Fortunately, there are good free tools for this that are easy to install and make the check routine.
With Windows Server, it’s possible to run a query against Active Directory to determine which accounts are configured so that the associated password never expires. Best practice is that no accounts are configured in this manner. An interesting question to ask yourself is: “How many systems administrator accounts in my own organization are configured so that their passwords will never expire?”
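The two checks the post describes, a domain-wide count of accounts whose passwords never expire and an alert on privileged accounts whose passwords are stale, can be scripted against Active Directory. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory PowerShell module, a domain-joined session with read access to AD, a 90-day maximum password age, and the four built-in privileged groups listed (adjust both the threshold and the group list to your own policy).

```powershell
# Added example (not from the original post): audit privileged AD accounts whose
# passwords never expire or have not been changed within a threshold.
# Assumptions: RSAT ActiveDirectory module, read access to the domain, a 90-day
# maximum password age and the group list below (adjust to your own policy).
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Cutoff             = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Collect every user that is a direct or nested member of a privileged group.
$PrivilegedUsers = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}
$PrivilegedUsers = $PrivilegedUsers | Sort-Object -Property DistinguishedName -Unique

# Flag privileged accounts that never expire or whose password is older than the cutoff.
$Findings = foreach ($Member in $PrivilegedUsers) {
    $User = Get-ADUser -Identity $Member.DistinguishedName `
        -Properties PasswordNeverExpires, PasswordLastSet, Enabled
    if (-not $User.Enabled) { continue }   # disabled accounts are out of scope for this check

    if ($User.PasswordNeverExpires) {
        [PSCustomObject]@{
            Account         = $User.SamAccountName
            Issue           = 'PasswordNeverExpires'
            PasswordLastSet = $User.PasswordLastSet
        }
    }
    elseif ($null -eq $User.PasswordLastSet -or $User.PasswordLastSet -lt $Cutoff) {
        [PSCustomObject]@{
            Account         = $User.SamAccountName
            Issue           = "Password older than $MaxPasswordAgeDays days"
            PasswordLastSet = $User.PasswordLastSet
        }
    }
}

# Domain-wide answer to the question the post asks: how many enabled accounts
# are configured so that their password never expires?
$NeverExpiring = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet
"$(@($NeverExpiring).Count) enabled accounts have a password that never expires"

# Report; in practice pipe $Findings to Send-MailMessage or a ticketing system so
# the notification is raised automatically when the scheduled task runs.
$Findings | Sort-Object Account | Format-Table -AutoSize
```

Run it from a scheduled task on a management host rather than by hand, and treat a non-empty `$Findings` list as the alert condition the post recommends; the recursive group expansion matters because an account nested two groups deep in Domain Admins is just as privileged as a direct member.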
Unless your organization has exceptionally good security practices, I’m betting the answer will be “more than one”.