When are user accounts actually admin accounts?

Under Cyber Essentials, there are various controls that are related to administrative accounts and their use, writes Cyber Security Technologist Tyson McGuirk. The scheme makes it very clear that user accounts and admin accounts should be separate and only used for their intended purpose.

Admin accounts have access to additional permissions and services that would be able to cause significantly more damage than a regular user account if compromised.

Email must never be accessed from an admin account. Imagine clicking on a malicious program that could turn off the virus checker, access all your files and install further malicious programs onto your device. Clicking the same link as a standard user limits the damage, because many of the actions attempted would require elevated privileges.

As various additional permissions can be granted to a user account, it can be hard to know where the line is crossed and a user account becomes an admin account, especially when trying to apply the correct controls for Cyber Essentials certification.

In the NCSC’s Cyber Essentials Requirements for IT Infrastructure, an admin account is defined as an account that would allow the user to do the following:

  • Execute software that can make significant and security-related changes to the operating system.
  • Make changes to the operating system for some or all users.
  • Create accounts and allocate privileges.

If an account meets any of these criteria, it is classified as an admin account under Cyber Essentials and the relevant controls for admin accounts must be applied.

This applies to all accounts, including cloud accounts. For example, if you work in an IT department and have an Office 365 account that can create and manage users, you would be expected to have a separate day-to-day user account for your general use.