2 Acct Requirement for Admins

Darril's book discusses this as an account management policy. I have heard that if a user is using an administrator account, the account receives two SIDs. One of them is for a standard user account and the other for the admin account. The user is not granted the escalated privileges of the administrator account until they do something that actually requires those privileges. If I am correct (and I don't know if I am) then why is there a two account requirement for administrators in order to reduce the exposure to attack? Wouldn't that exist automatically if what I said is correct?

Find more posts tagged with

Comments

NotHackingYou

I think the user has to manually grant the privilege and supply the password, indicating they intend to take this action.

The way a lot of companies do it is that each IT member is given a standard user account like everyone else that they use to work daily. They have a separate account which has greater rights that they can use as needed. This way if their primary account (the one they use the most) is compromised, the risk is as small as possible.

paulgswanson

I think CarlSaiyed 's explanation is accurate. I for one have 3 different ID's for exact that purpose.

kriscamaro68

I have an admin account that is used for all desktop computers so that when I log in I have admin access. I also have an admin account for strictly server related access. Now the reason for this is if my laptop or someone elses laptop or desktop is stolen or compromised and they are able to crack my password then all they can do is access desktops and laptops. Keeping my server admin acct with higher level of access from being used on desktops and laptops now only gives the malicious user access to less harmful systems and not all the servers I deal with which would be really bad.

Everyone

RoyalTech wrote: »

I have heard that if a user is using an administrator account, the account receives two SIDs. One of them is for a standard user account and the other for the admin account. The user is not granted the escalated privileges of the administrator account until they do something that actually requires those privileges. If I am correct (and I don't know if I am)

You are NOT correct.

An account only maps to a single SID. Can't map to more than 1. Also, SIDs must be unique within the authority in which they are used.

RoyalTech

I could've sworn I had seen this in some article but since I can't find it, I can't argue it. More than anything, I now want to know what the hell I was looking at to get that idea. If I find it again, I'll definitely post it. Regarding the other reasons stated, I can understand those. I was concerned more with the idea of separate standard and admin accounts based on what I thought I had seen and not on separate admin accounts as was mentioned. Those sound perfectly logical.

cyberguypr

This would be news to me. AFAIK what Everyone says is correct; one SID per account. The only exception I can think of is if a security principal moves from one domain to another. At this point a new SID will be generated. I can't remember the exact name but there's a property on that object that retains the history of those previous SIDs

JDMurray

Better to only escalate to Administartor to run specific processes with Administrator privileges and never actually log on to an administrator account--unless there's something you need to do that can't be done otherwise. People tend to stay logged in as Administrator for too long, and then they start running apps that don't need to run as admin, such as email clients and Web browsers, and then problems can really start.

ChooseLife

I hope this clears things up a little:

User Account Control - Wikipedia, the free encyclopedia

When logging into Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token, resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or "Run as administrator" is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.^[5]

What's New for Access Control in Windows Server 2008

When a user who is a member of the Administrators group in Windows® XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.

If UAC is disabled, then a user who is a member of the Administrators group has a token containing the Administrators group SID.

Darril

There are actually two intersecting topics here - SIDs and access tokens.

On Windows systems before Windows Vista/Server 2008, each account has a single access token and a single SID.

On newer systems (Windows Vista, Windows 7, Server 2008, Server 2008 R2 systems) there are two types of accounts - standard user accounts and administrator accounts. A standard user account has a single access token and a single SID. An administrator account has two access tokens and a single SID.

If a Windows 7 user is logged on with the administrator account, the standard user access token is normally used. If the user tries to do something requiring administrative access, UAC intervenes and requests approval. If the user approves, the user's administrator access token is used.

If you have an administrator account on Windows 7, try this. Start a command prompt normally and enter whoami /all. Notice that the Administrators group is used for deny only.

Next start a separate command prompt with administrative privileges (right-click and select Run As Administrator) and enter whoami /all. This shows you have one SID (the same as the first window) but you have more privileges in the second because administrative privileges are not denied.

Best practices dictate administrators use two accounts, one for regular use and one for administrator use and several posts give good explanations for this.

However, think of a single home user running Windows 7. The first account created when Windows is installed is an administrator account that most users will normally use throughout the lifetime of the computer. The two access tokens used with UAC protects the user without requiring the user to understand the risks.

HTH

JDMurray

That is a very nice feature. It took MS until Vista and 2008 to provide a solution whereby the admin didn't need to constantly log in/out of accounts just to elevate to Administrator access? What about the "Run As Administrator" context menu item and check box in Windows XP?

RoyalTech

ChooseLife and Darril got it. That's what I was thinking of when I initially posted. I just made the mistake of thinking it was SIDs instead of Access Tokens. I understand the reasons behind using multiple accounts for administrators, I was just having a little trouble with what I thought was provided with Access Tokens in Vista and 2008. It had sounded to me as though it made the need for additional accounts unnecessary. Obviously, I was a little off on what I remembered.