As an executive, at some point you have probably thought about going to the IT department and asking for Full Access privileges. After all, you are the boss. You are in charge. That means you need every possible permission in your IT system, right?
Of course, it’s tempting to have things like ‘Full Access’. It sounds nice and makes you feel even more powerful. But do you need it? In fact, holding IT permissions you don’t need can turn out to be a very bad idea with real consequences.
The general best practice is to follow the Least Privilege Principle. In a nutshell, it’s pretty much self-descriptive. Every user at all times must have the exact amount of permissions they need. No more, no less. This applies to absolutely everyone: regular users, managers, admins, help desks, executives. No exceptions.
If you request full access rights from IT and get them, you expose your organization to some serious risks. As some say, with great power comes great responsibility. Literally.
Target for attacks
Executives’ accounts are frequently targeted by all sorts of attacks. Such accounts get compromised much more often than, say, regular users’ accounts, because the reward for the attacker is bigger. By giving yourself admin permissions you simply increase that reward and make a potential breach much more serious than it needs to be.
There’s also the competence question. Do you really know how all your systems work? Do you really know exactly what permissions you are getting by giving yourself ‘Full Access’? Are you sure you won’t break something without even noticing? Just be honest with yourself.
There’s nothing bad or shameful about not being fully competent in all the IT things that happen under the hood. You have your own job; admins have theirs. But acknowledging that you shouldn’t have instruments you don’t know how to use is a serious step that has to be taken, even if some find it hard to swallow.
Also note that there might be legal reasons why you shouldn’t get admin rights. It depends very much on your country and the industry you work in, but generally the risks can be severe. The fact is that if you simply get full admin access to your system, you automatically get access to the personal information of your employees.
Your IT staff most probably don’t have law degrees, so they won’t be able to tell whether it’s illegal to give you access to some of the personal information of the users stored in your system.
If, after considering all the risks, you still need admin permissions, there is a way to do that. Create a separate account with all the relevant permissions and only use it when it’s needed. Never assign admin privileges to the account you use every day. Give the separate account its own, more complex password and apply all the strict policies to it.
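The rule above (no admin rights on everyday accounts, strict policies on the dedicated ones) can be audited in Active Directory. The following PowerShell script is an added example, not code from the original post or from Softerra/Adaxes; it assumes the ActiveDirectory module, a hypothetical naming convention where dedicated admin accounts start with `adm-`, and a hypothetical fine-grained password policy named `Admin-Strict-PSO` that is expected on them.

```powershell
# Added example (not from the original post or from Softerra/Adaxes).
# Assumptions: ActiveDirectory module available; dedicated admin accounts are named
# "adm-<user>" (hypothetical convention); the strict password policy they should
# carry is a PSO named "Admin-Strict-PSO" (hypothetical name).
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')
$AdminPrefix = 'adm-'
$ExpectedPso = 'Admin-Strict-PSO'

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirect membership is caught as well
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate
        $isDedicatedAdmin = $user.SamAccountName -like "$AdminPrefix*"
        # Resultant policy is the PSO that actually applies; $null means the default domain policy
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user

        [pscustomobject]@{
            Group           = $group
            Account         = $user.SamAccountName
            DedicatedAdmin  = $isDedicatedAdmin
            ResultantPolicy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            PolicyOk        = [bool]($pso -and $pso.Name -eq $ExpectedPso)
            LastLogon       = $user.LastLogonDate
        }
    }
}

# Finding 1: everyday accounts (no adm- prefix) holding privileged membership
"`n== Everyday accounts with privileged group membership =="
$findings | Where-Object { -not $_.DedicatedAdmin } | Format-Table -AutoSize

# Finding 2: dedicated admin accounts that lack the strict password policy
"`n== Dedicated admin accounts without $ExpectedPso applied =="
$findings | Where-Object { $_.DedicatedAdmin -and -not $_.PolicyOk } | Format-Table -AutoSize
```

Run it with an account that can read group membership and PSO assignments; each row in the first table is an everyday account that should be moved to a dedicated admin account.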
There are multiple approaches by which you can achieve the least privilege principle. We at Softerra prefer the Role-Based Access Control (RBAC) model that we use in Adaxes. It allows you to delegate permissions granularly and efficiently and to manage the whole thing easily from a centralized place.
Delegate your permissions properly. And don’t overuse them if it’s not needed.
Anton Pozdnyakov, CMO.
Softerra provides Adaxes, a comprehensive management and automation solution for Active Directory, Exchange and Office 365. It helps enterprises to increase IT security, reduce workload on IT staff and enforce data standards.
- You Don’t Need Admin Permissions - October 31, 2017