2 Acct Requirement for Admins

#1 RoyalTech (Member; joined Feb 2012; Thousand Oaks, CA; 92 posts; certifications: A+, Network+, Security+)

    Darril's book discusses this as an account management policy. I have heard that if a user is using an administrator account, the account receives two SIDs. One of them is for a standard user account and the other for the admin account. The user is not granted the escalated privileges of the administrator account until they do something that actually requires those privileges. If I am correct (and I don't know if I am) then why is there a two account requirement for administrators in order to reduce the exposure to attack? Wouldn't that exist automatically if what I said is correct?

#2 CarlSaiyed (Achieve excellence daily; joined May 2012; Washington State; 1,342 posts; certifications: CISSP)
    I think the user has to manually grant the privilege and supply the password, indicating they intend to take this action.

    The way a lot of companies do it is that each IT member is given a standard user account like everyone else that they use to work daily. They have a separate account which has greater rights that they can use as needed. This way if their primary account (the one they use the most) is compromised, the risk is as small as possible.

#3 paulgswanson (Why is the rum gone!?; joined Oct 2011; Jacksonville, FL; 302 posts; certifications: A+, Network+, Security+, Project+, MTA:N, MTA:OS, MTA:Sec, CIW Web Foundations)
I think CarlSaiyed's explanation is accurate. I for one have 3 different IDs for exactly that purpose.

#4 kriscamaro68 (Senior Member; joined Apr 2008; Utah; 1,148 posts; certifications: MCSA: 2012R2, MCS: Server Virtualization, MCTS-Win7, Security+, Server+, Net+, A+)
I have an admin account that is used for all desktop computers so that when I log in I have admin access. I also have an admin account strictly for server-related access. Now, the reason for this is that if my laptop or someone else's laptop or desktop is stolen or compromised and they are able to crack my password, then all they can do is access desktops and laptops. Keeping my server admin acct, with its higher level of access, from being used on desktops and laptops only gives the malicious user access to less harmful systems and not all the servers I deal with, which would be really bad.
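An added example, not posted by kriscamaro68 or anyone else in the thread, showing how a defender can check that the tiered-account model described in the last two posts is actually being followed: it looks for interactive logons of server-admin accounts on workstations (and of standard accounts on servers). The account naming convention, the computer-to-tier map, the function names and the event records are all constructed assumptions for this example; in production the records would come from Security event 4624 via Get-WinEvent.

```powershell
# Added example (not from the thread): verify the two-account / tiered admin
# model by flagging interactive logons that cross tiers.
# Constructed assumptions:
#  - naming convention: "<user>-sa" = server admin account,
#    "<user>-wa" = workstation admin account, anything else = standard account
#  - $ComputerTier assigns each computer a tier
#  - events carry the 4624 fields TargetUserName, LogonType, Computer;
#    logon types 2 (Interactive) and 10 (RemoteInteractive) leave a reusable
#    credential on the machine, which is the exposure the posters describe

$ComputerTier = @{
    'DC01'   = 'server'
    'FS01'   = 'server'
    'WS-101' = 'workstation'
    'WS-102' = 'workstation'
}

function Get-AccountTier {
    param([string]$Account)
    $name = ($Account -split '\\')[-1]        # strip the DOMAIN\ prefix
    switch -Regex ($name) {
        '-sa$'  { return 'server' }
        '-wa$'  { return 'workstation' }
        default { return 'standard' }
    }
}

function Find-TierViolation {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if (@(2, 10) -notcontains [int]$e.LogonType) { continue }   # interactive only
        $acctTier    = Get-AccountTier $e.TargetUserName
        $machineTier = $ComputerTier[$e.Computer]     # $null for unknown hosts
        # Server-admin credentials must never land on a workstation, and a
        # standard (daily-use) account has no business logging on to a server.
        $bad = ($acctTier -eq 'server'   -and $machineTier -eq 'workstation') -or
               ($acctTier -eq 'standard' -and $machineTier -eq 'server')
        if ($bad) {
            [pscustomobject]@{
                Time         = $e.TimeCreated
                Account      = $e.TargetUserName
                AccountTier  = $acctTier
                Computer     = $e.Computer
                ComputerTier = $machineTier
                LogonType    = $e.LogonType
            }
        }
    }
}

# Constructed sample records, not real log data. Only the fourth one (a server
# admin account logging on interactively to a workstation) should be reported.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2012-06-01 08:02'; Computer = 'WS-101'; TargetUserName = 'CORP\kris';    LogonType = 2 },
    [pscustomobject]@{ TimeCreated = '2012-06-01 08:10'; Computer = 'WS-101'; TargetUserName = 'CORP\kris-wa'; LogonType = 2 },
    [pscustomobject]@{ TimeCreated = '2012-06-01 09:30'; Computer = 'DC01';   TargetUserName = 'CORP\kris-sa'; LogonType = 10 },
    [pscustomobject]@{ TimeCreated = '2012-06-01 11:45'; Computer = 'WS-102'; TargetUserName = 'CORP\kris-sa'; LogonType = 2 },
    [pscustomobject]@{ TimeCreated = '2012-06-01 12:00'; Computer = 'FS01';   TargetUserName = 'CORP\kris-sa'; LogonType = 3 }
)

Find-TierViolation -Events $sample | Format-Table -AutoSize
```

Network logons (type 3) are deliberately ignored, since they are how a server admin account is supposed to reach servers; what the check cares about is where an admin credential is typed in interactively, which is exactly the stolen-laptop scenario kriscamaro68 describes. Computers missing from the tier map produce no finding, so keep that map complete.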

#5 Everyone (Premier Field Engineer; joined May 2011; Illinois; 1,644 posts; certifications: Security+)
Quote, originally posted by RoyalTech:
        I have heard that if a user is using an administrator account, the account receives two SIDs. One of them is for a standard user account and the other for the admin account. The user is not granted the escalated privileges of the administrator account until they do something that actually requires those privileges. If I am correct (and I don't know if I am)
    You are NOT correct.

    An account only maps to a single SID. Can't map to more than 1. Also, SIDs must be unique within the authority in which they are used.

#6 RoyalTech (Member; joined Feb 2012; Thousand Oaks, CA; 92 posts; certifications: A+, Network+, Security+)
    I could've sworn I had seen this in some article but since I can't find it, I can't argue it. More than anything, I now want to know what the hell I was looking at to get that idea. If I find it again, I'll definitely post it. Regarding the other reasons stated, I can understand those. I was concerned more with the idea of separate standard and admin accounts based on what I thought I had seen and not on separate admin accounts as was mentioned. Those sound perfectly logical.

#7 cyberguypr (Senior Member; joined May 2007; Chicago, IL; 5,775 posts; certifications: GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned)
This would be news to me. AFAIK what Everyone says is correct; one SID per account. The only exception I can think of is if a security principal moves from one domain to another. At this point a new SID will be generated. I can't remember the exact name, but there's a property on that object that retains the history of those previous SIDs.

#8 JDMurray (Certification Invigilator, Forum Admin; joined Jul 2003; Surf City USA; 10,597 posts; 50 blog entries; certifications: GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec)
Better to only escalate to Administrator to run specific processes with Administrator privileges and never actually log on to an administrator account--unless there's something you need to do that can't be done otherwise. People tend to stay logged in as Administrator for too long, and then they start running apps that don't need to run as admin, such as email clients and Web browsers, and then problems can really start.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

#9 ChooseLife (Senior Member; joined Feb 2011; runlevel 3; 926 posts; certifications: BCSc Network Security, VCP, MCSA:Sec, CCNA:Sec, GIAC GSEC, Sec+, ITIL-f)
    I hope this clears things up a little:

    User Account Control - Wikipedia, the free encyclopedia
    When logging into Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token, resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or "Run as administrator" is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.
    What's New for Access Control in Windows Server 2008

    When a user who is a member of the Administrators group in Windows® XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.

    If UAC is disabled, then a user who is a member of the Administrators group has a token containing the Administrators group SID.

#10 Darril (Registered Member; joined May 2009; Virginia Beach, VA; 1,569 posts; certifications: MCT, A+, Net+, Security+, CASP, SSCP, CISSP, MCSE, MCITP...)
    There are actually two intersecting topics here - SIDs and access tokens.

    On Windows systems before Windows Vista/Server 2008, each account has a single access token and a single SID.

    On newer systems (Windows Vista, Windows 7, Server 2008, Server 2008 R2 systems) there are two types of accounts - standard user accounts and administrator accounts. A standard user account has a single access token and a single SID. An administrator account has two access tokens and a single SID.

    If a Windows 7 user is logged on with the administrator account, the standard user access token is normally used. If the user tries to do something requiring administrative access, UAC intervenes and requests approval. If the user approves, the user's administrator access token is used.

    If you have an administrator account on Windows 7, try this. Start a command prompt normally and enter whoami /all. Notice that the Administrators group is used for deny only.

    Next start a separate command prompt with administrative privileges (right-click and select Run As Administrator) and enter whoami /all. This shows you have one SID (the same as the first window) but you have more privileges in the second because administrative privileges are not denied.

    Best practices dictate administrators use two accounts, one for regular use and one for administrator use and several posts give good explanations for this.

However, think of a single home user running Windows 7. The first account created when Windows is installed is an administrator account that most users will normally use throughout the lifetime of the computer. The two access tokens used with UAC protect the user without requiring the user to understand the risks.

    HTH
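An added example, not from Darril's post, the thread or Microsoft, that scripts the two-window comparison Darril describes (and that the Wikipedia and TechNet passages ChooseLife quoted explain): it parses whoami's CSV output to show whether the Administrators group is present "for deny only", reads the account's single SID from the .NET WindowsIdentity, and, following JDMurray's advice, elevates one process with Start-Process -Verb RunAs rather than working in an administrator session. It assumes Windows Vista or later with UAC enabled; the function names Get-TokenSummary and Invoke-Elevated are mine.

```powershell
# Added example (not from Darril's post, the thread or Microsoft): compare the
# filtered and elevated tokens of the same administrator account, and run a
# single process elevated instead of logging on as an administrator.
# Assumes Windows Vista or later with UAC enabled; function names are mine.

function Get-TokenSummary {
    # whoami /groups /fo csv emits the columns "Group Name", "Type", "SID"
    # and "Attributes"; ConvertFrom-Csv turns each row into an object.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # BUILTIN\Administrators is the well-known SID S-1-5-32-544.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # In the UAC-filtered token the Administrators entry carries the attribute
    # "Group used for deny only"; in the elevated token it is an enabled group.
    $denyOnly = $false
    if ($admins) { $denyOnly = [bool]($admins.Attributes -match 'deny only') }

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        User           = $identity.Name
        UserSid        = $identity.User.Value   # the account's one SID, same in both windows
        AdminsInToken  = [bool]$admins
        AdminsDenyOnly = $denyOnly
        # IsInRole honours the deny-only attribute, so it reports the token
        # actually in use, not the account's group membership on paper.
        Elevated       = $principal.IsInRole($adminRole)
    }
}

function Invoke-Elevated {
    # Run one command with an elevated token. -Verb RunAs raises the UAC
    # consent prompt and the child process receives the unrestricted token;
    # the calling session keeps its restricted token.
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$ArgumentList = @()
    )
    if ((Get-TokenSummary).Elevated) {
        & $FilePath @ArgumentList            # already elevated: run in place
        return
    }
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; Wait = $true }
    if ($ArgumentList.Count -gt 0) { $params['ArgumentList'] = $ArgumentList }
    Start-Process @params
}

# Usage: run the summary from a normal prompt, then start one elevated shell
# that shows its own groups, and compare the two against the same UserSid.
Get-TokenSummary | Format-List
Invoke-Elevated -FilePath 'powershell.exe' -ArgumentList '-NoExit', '-Command', 'whoami /groups /fo list'
```

Run in a normal prompt, the summary shows the Administrators group present but deny-only and IsInRole false; run inside the elevated child, the SID is unchanged while the group is enabled and IsInRole is true, which is Darril's point that the account has one SID and two tokens. Invoke-Elevated keeps the elevation scoped to the one command (and checks first so an already-elevated shell does not spawn a second prompt), so the everyday session stays with the restricted token as JDMurray recommends.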

#11 JDMurray (Certification Invigilator, Forum Admin; joined Jul 2003; Surf City USA; 10,597 posts; 50 blog entries; certifications: GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec)
    That is a very nice feature. It took MS until Vista and 2008 to provide a solution whereby the admin didn't need to constantly log in/out of accounts just to elevate to Administrator access? What about the "Run As Administrator" context menu item and check box in Windows XP?

#12 RoyalTech (Member; joined Feb 2012; Thousand Oaks, CA; 92 posts; certifications: A+, Network+, Security+)
ChooseLife and Darril got it. That's what I was thinking of when I initially posted. I just made the mistake of thinking it was SIDs instead of Access Tokens. I understand the reasons behind using multiple accounts for administrators; I was just having a little trouble with what I thought was provided with Access Tokens in Vista and 2008. It had sounded to me as though it made the need for additional accounts unnecessary. Obviously, I was a little off on what I remembered.
