What is a Shadow Admin and Why This Could be a Cyberthreat

There's a threat lurking in the dark that many companies are unaware of. They’re called shadow admins, and if their accounts are compromised, the consequences can be significant.

As a Miami cybersecurity company, we know the hidden dangers of shadow admins all too well. It’s important for organizations to know what they are and how to handle them.

What is a Shadow Admin?

Shadow admins are user accounts that hold sensitive privileges but aren't members of the Active Directory admin groups such as:

  • Enterprise Admins
  • Domain Admins
  • Administrators
  • Schema Admins

Instead, they were granted their administrative privileges through a direct assignment of permissions on Active Directory objects. These accounts may hold one or more of the following permissions:

  • Write All Properties
  • Full Control Rights
  • Write Member
  • Write User
  • All Extended Rights
  • Change Permissions
  • Reset Password

Let’s look at an example of a shadow admin account.

Say Lisa is a Domain Admin and has domain admin access to Active Directory. Joe isn’t a member of the Domain Admins group, but he has the right to reset Lisa’s password. If Joe resets Lisa’s password, he can then log in as Lisa and start performing tasks that require Domain Admin privileges. Joe’s account is a shadow admin.

How are Shadow Admins Created? How Can They Be Identified?

Shadow admins can wind up on a network for a number of reasons.

  • They may have been created for temporary use, but their permissions were never removed. For example, IT may have granted an account the temporary privilege of resetting passwords with the intention of removing them later. That privilege was never removed, creating a shadow admin account in the process.
  • Human error. Sometimes shadow admins are created accidentally, or because an inexperienced administrator doesn’t understand the implications of the privileges being granted.

Regardless of how they got there, shadow admin accounts pose a threat to any organization.

Unfortunately, they can also be difficult to identify. First, you have to identify all of your administrators. Some are obvious, but others are not. It’s not uncommon for organizations to have different administrative groups for different purposes or to have nested groups.

Once you’ve done the hard work of identifying all administrators, the next tricky task is to analyze the Access Control List (ACL) permissions granted to accounts on Active Directory objects. This task is difficult, if not impossible, to do manually and is best left to a professional cybersecurity company in Miami.
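The following PowerShell script is an added example, not code from the original post; it shows what the ACL analysis described above looks like in practice and would surface the Lisa/Joe scenario from the earlier example. It assumes a domain-joined host with the RSAT ActiveDirectory module, and it treats the four admin groups named in the post (plus their recursive members and a few well-known system identities) as the only principals expected to hold these rights. It walks the explicit ACEs on user, group, OU and domain-head objects and reports any other principal holding Full Control, Change Permissions, Write All Properties, Write Member, All Extended Rights or Reset Password.

```powershell
# Added example: find principals that hold admin-equivalent rights on AD
# objects without being members of the built-in admin groups.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Resolve the two object-specific GUIDs from the directory instead of
# hard-coding them: the "User-Force-Change-Password" extended right
# (Reset Password) and the "member" attribute (Write Member).
$resetPwGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=User-Force-Change-Password)' -Properties rightsGuid).rightsGuid
$memberGuid  = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID

# Principals that are expected to hold these rights: the admin groups from the
# post, their recursive members, and well-known system identities.
$adminGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins'
$expected = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($g in $adminGroups) {
    [void]$expected.Add("$netbios\$g")
    [void]$expected.Add("BUILTIN\$g")          # Administrators resolves as BUILTIN\Administrators
    # Enterprise/Schema Admins live in the forest root; ignore lookup failures in child domains.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$expected.Add("$netbios\$($_.SamAccountName)") }
}
'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
"$netbios\Domain Controllers", 'CREATOR OWNER' | ForEach-Object { [void]$expected.Add($_) }

# Map one ACE to the permission names used in the post, or $null if it is benign.
function Test-DangerousAce {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    $rights   = $Ace.ActiveDirectoryRights
    $allTypes = ($Ace.ObjectType -eq [guid]::Empty)   # empty GUID = applies to all properties/rights
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) { return 'Full Control' }
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)  -ne 0) { return 'Change Permissions' }
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) {
        if ($allTypes) { return 'Write All Properties' }
        if ($Ace.ObjectType -eq $memberGuid) { return 'Write Member' }
    }
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
        if ($allTypes) { return 'All Extended Rights' }
        if ($Ace.ObjectType -eq $resetPwGuid) { return 'Reset Password' }
    }
    return $null
}

# Scan users (which includes computers), groups, OUs and the domain head.
# Only explicit ACEs are reported: an inherited ACE is reported once, at the
# OU or domain object where it was actually granted.
$filter = '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit)(objectClass=domainDNS))'
$findings = foreach ($obj in Get-ADObject -SearchBase $domain.DistinguishedName -LDAPFilter $filter -Properties nTSecurityDescriptor) {
    foreach ($ace in $obj.nTSecurityDescriptor.Access) {
        if ($ace.IsInherited) { continue }
        $right = Test-DangerousAce -Ace $ace
        if (-not $right) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected.Contains($who)) { continue }
        [pscustomobject]@{ Principal = $who; Right = $right; Target = $obj.DistinguishedName }
    }
}

$findings | Sort-Object Principal, Target | Format-Table -AutoSize
```

In the post's scenario, Joe's account would appear with Right = "Reset Password" and Target = Lisa's user object. Expect some noise on a real domain: service accounts and product groups (Exchange, backup and identity-management tools) legitimately hold some of these rights, and any flagged principal that is itself a group should be expanded, since every member of that group is effectively a shadow admin too.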

Why are Shadow Admin Accounts a Cyberthreat?

Hackers love shadow admin accounts. Why? Because they have the permissions necessary to advance their attack, but they’re generally under the radar. These accounts aren’t as high-profile as a Domain Admin or other admin group accounts, so they’re easily overlooked as targets.

Hackers can take over a shadow admin account and use it to gain access to higher-level accounts. A great deal of damage can be done before anyone even realizes what happened.

Shadow admin accounts are typically left unsupervised, so if they become compromised, they can wreak havoc on an organization.

It’s in the best interest of every organization to identify and address shadow admins before this vulnerability is exploited and escalates into a costly cyberattack.