Blog / The Devil You Know…

While the story makes great bedtime reading – and could be the script for a made-for-TV late-night mystery, it terrorizes HR and senior managers and keeps them up at night. No one likes to think a trusted colleague is sprouting horns or carrying a pitch fork.

We take for granted that the electronic measures used to protect confidential data work well enough to prevent unauthorized access.  For average day-to-day transactions this is true. We use file permissions and user rights to restrict access to certain classes of information and files.  The same holds true for Emails – what’s in your inbox is not available to others unless you grant them permission. But, these measures can be circumvented.

Just about ALL modern-day networks are controlled by the main server – called the Domain Controller.  It acts as the traffic cop on the network and manages permissions for users and files. However, there is a master account – called the Administrator account – with permission to look at EVERYTHING – no exceptions.  Anyone with access to the Administrator account has the virtual keys-to-your-kingdom.  ANYTHING can be read, edited, shared, or deleted by the Administrator. You can even erase or alter logs that track who does what.
This is significant power and responsibility – and so you need to understand who has the Administrator credentials for your network. When Trinus manages a network for a client, we store the Administrator credentials in an encrypted form in our secure database, and only those in our organization with a need-to-know have the correct password to de-crypt your Administrator account information. It’s different access password for each client.

In other words, we make it very hard for someone to circumvent our security as we treat this responsibility seriously.

I wish more of our clients did.  On more than one occasion in the past 3 months we have been asked to give full Administrator credentials to a client’s employee.  In one case, the client wants a junior staff member to expedite password resets for users. Expedient – yes, prudent – maybe not.

Here are a few tips on how to close this security door and sleep a little better:

  • Treat the Administrator credentials like the keys to your vault – only selected and trusted senior people should have it or perhaps it’s best left to an independent 3rd party like your IT Provider.
  • If you must utilize Administrator privileges, have your Primary Technician or Network Administrator create a quasi-Administrator account with very limited powers and use that account to make limited server changes.
  • Have your Primary Technician perform all critical server work, including user account management
  • If you suspect the Administrator credentials have been compromised, have your Primary Technician change the password immediately.

If you would like more information on how to protect your server’s Administrator account, contact your Primary Technician.