Basic Server Security – The Importance Of User Access Controls
On most operating systems, the first user created is intended for system administration tasks. On Windows this user is usually called Administrator, and on Linux it is called root. A mistake often made by new server administrators is to use these administration accounts for all tasks, which creates security risks. Most server platforms allow you to create multiple users, and in this article we’ll go through some reasons why you should do this.
Brute Force Attacks
First, we have brute force attacks. Because these standard administration usernames are well known, attackers regularly use them when performing brute force attacks against servers. It’s possible to prevent these accounts from being logged into remotely, which can significantly reduce the chances of a successful brute force attack. Before you do so, though, you’ll need to create alternative user accounts to log in with and manage the server.
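The ordering in the paragraph above (create an alternative account first, then block remote login for the administrative account) can be checked before anything is changed. The following Python sketch is an added example, not code from the original article; it assumes a Linux server running OpenSSH, that membership of the `sudo` or `wheel` group grants administrative rights, and that regular accounts start at UID 1000. The file contents are constructed samples.

```python
# Added example. The file contents below are constructed samples.
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
GROUP = "sudo:x:27:alice\nusers:x:100:alice,bob\n"

def root_login_setting(config):
    """Global PermitRootLogin value; sshd keeps the first value it reads."""
    for line in config.splitlines():
        words = line.split("#", 1)[0].replace("=", " ").split()
        if words and words[0].lower() == "match":
            break  # conditional blocks follow; only the global part is read
        if len(words) > 1 and words[0].lower() == "permitrootlogin":
            return words[1].lower()
    return "prohibit-password"  # OpenSSH default when the keyword is unset

def login_users(passwd, uid_min=1000):
    """Regular accounts with a login shell (uid_min is an assumption)."""
    users = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and int(f[2]) >= uid_min \
                and not f[6].endswith(("nologin", "false")):
            users.append(f[0])
    return users

def admin_users(group, users, admin_groups=("sudo", "wheel")):
    """Login users listed in an admin group (group names are an assumption)."""
    members = set()
    for line in group.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in admin_groups:
            members.update(m for m in f[3].split(",") if m)
    return sorted(members & set(users))

def audit(config, passwd, group):
    """Report root's remote-login state and who could administer instead."""
    setting = root_login_setting(config)
    alternatives = admin_users(group, login_users(passwd))
    return {"root_login": setting,
            "root_can_log_in_remotely": setting != "no",
            "alternative_admins": alternatives,
            "safe_to_disable_root_login": bool(alternatives)}

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, PASSWD, GROUP))
```

Only the value `no` is reported as blocking root, because `prohibit-password` still lets root log in remotely with a key.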
To resolve the issue of users accessing the administrative account for day-to-day work, you might think that it would be fine to just create a single additional account. However, there are a number of downsides to this. Since software preferences and configuration are normally tied to a user’s account, all the users logging into that account share the same configuration, settings and application preferences.
Personal Preferences
Users often have different preferences for the software and tools that they use on the server. Giving each user their own account lets each of them have their own configuration, which can prevent potential arguments over which software should be the default and how it should be configured. As an extension of this, if the users need to perform regular work on the server, separate user accounts also allow their files to be kept separate and private.
Security Risks
Security can also be impacted by having multiple users sharing the same account. The account will need system administration permissions for the user who carries out the most important work. This means that if the account is compromised, the attacker would have a high level of access on the server. The other users would also have a higher level of access than they need. By providing each user with their own account, each user can set their own preferences and keep their own files and settings private. You can also set the access permissions of each user account to match that specific user’s needs, limiting the amount of access an attacker can gain if they manage to break into the account. The chances of this should also be lower: when multiple users share the same account, its password has to be shared between them, which increases the chance of an attacker managing to intercept it.
Accountability and Responsibility
Finally, having multiple user accounts increases the accountability you have for each user. Should a user make a change that causes a problem on the server, whether maliciously or by accident, the change can be traced back to their user account and the person who made the change. This means that in the case of mistakes the user can be identified and trained on how to avoid the same problem in the future. If the intent is malicious, then the user can have their access revoked easily.
As you can see, there are many reasons to ensure that each user on your system has their own user account, along with a number of operating system features that make using user accounts worthwhile.