The Dangers of a Root Account and Security

November 29, 2016 | Views: 3463


I’m surprised I have not so far found an article addressing this to date. Should I be wrong, please advise.

Many users with a moderate level of computer knowledge tend to forget about the root account, the first account made when setting up a new pre-built laptop, PC or even a fresh OS install so they can get on with the fun of computing.

Here is a little checklist to follow when dealing with a new system, no matter what OS the host runs and no matter what VM (virtual machine) is installed.

  1. Name your first user after the computer itself, and do not enable any internet interface or allow updates yet (yes, this lengthens the process; however, it gives a much more secure end result). For the computer name use something like (silly example) frogbarfx011. Once all installation processes are complete, log off! All we want to do here is install the software on the OS; this first account is the root account that we need to disable after creating two more accounts. More than likely you will have to reboot once or twice.
  2. Log back into the root account and find the User Accounts (sometimes named Groups) tab, page or link, where we need to add an administrator account and a standard user account. Set passwords or passphrases for both before you close them down after setup, and make sure each is at least 18 characters long, including alphanumeric and special characters.
  3. Here's the annoying part: log in with the standard user account and do all of the online software updating crud while being harassed by prompts to keep entering your admin ID and password (system dependent).
  4. This is something I'm still trying to figure out: there are times that you absolutely must log in directly to the admin account or even the root account for device driver updates and more sophisticated software actions.
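The checklist above, carried out on a Linux host, as an added example that is not from the original post. The usernames "adminacct" and "dailyuser", the admin group name (sudo on Debian/Ubuntu, wheel on Fedora/RHEL) and the DRY_RUN switch are assumptions made for illustration; root is locked rather than deleted, which is the "de-elevated" state the author describes in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: the account split from the checklist
# carried out on a Linux host. The usernames "adminacct" and "dailyuser", the
# admin group name (sudo on Debian/Ubuntu, wheel on Fedora/RHEL) and the DRY_RUN
# switch are constructed for illustration.

: "${DRY_RUN:=1}"              # 1 = only print the commands; set to 0 to execute as root
: "${ADMIN_GROUP:=sudo}"       # group whose members may elevate with sudo

# Print a command instead of running it while DRY_RUN=1, so the whole plan can
# be reviewed before anything is changed on the system.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# The post's passphrase rule: at least 18 characters and a mix of letters,
# digits and special characters. Returns 0 when the passphrase passes.
passphrase_ok() {
    p=$1
    [ "${#p}" -ge 18 ] || return 1
    case $p in *[A-Za-z]*) ;; *) return 1 ;; esac      # at least one letter
    case $p in *[0-9]*) ;; *) return 1 ;; esac         # at least one digit
    case $p in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac  # at least one special character
    return 0
}

# Create the administrator account (a member of ADMIN_GROUP, so it elevates
# through sudo) and the everyday standard account (no extra groups, so it
# cannot elevate), then lock root's password so nobody logs in as root directly.
# root is de-elevated, not deleted: "sudo -i" from the admin account still works.
create_accounts() {
    admin=$1
    user=$2
    run useradd -m -s /bin/sh -G "$ADMIN_GROUP" "$admin"
    run useradd -m -s /bin/sh "$user"
    run passwd -l root
}

# Example invocation; with the default DRY_RUN=1 it only prints the plan.
create_accounts adminacct dailyuser
```

Run it as root with `DRY_RUN=0` to apply the plan, then set each account's passphrase with `passwd adminacct` and `passwd dailyuser`, checking the candidate passphrase with `passphrase_ok` first. The standard account gets no group membership at all, which is what makes the everyday session unable to elevate without the admin account's credentials.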

I hope this helps others in their path of learning,

Cheawick

7 Comments
  1. This is just an off topic observation, but I want to thank those that commented here and admit that I could have written this article better. The input was encouraging and not hostile, critical yet not dismissive, and all seem heartfelt to help the Cybrary community.

    I’ve written nearly the exact same article on several sites and got blasted to cinders for it, even though I’ve made it very clear that I’m no professional (yet).

    I intend to rewrite this article, using your input, to try to replace this current one with a more solid cut and dry vision that addresses basic computer security.

    Please, keep the comments coming should you feel there is something that needs to be addressed here that was not covered.

    Thanks again, cheawick.

  2. I didn't really understand this post. What you are basically saying is that one must disable the root account, but you didn't give any genuine reasons. I have been using Linux for about 10 years now, and when it comes to Windows, the admin account is disabled by default in Windows versions from Vista and above.

    • Sorry for the very overdue reply and thank you for the input, this will help me (if I write) other articles in the future.

      The two main reasons for de-elevating (not disabling as there are times you MUST use a root account) are to help prevent backdoor program installs and to make it harder for rootkits to sneak themselves into your system.

      In Windows the admin root account is not disabled (nor de-elevated) by default no matter what version you run. Should you be a gamer using Nvidia MSI graphics components and software on a Windows system and have indeed established my recommended account creations, you will notice that when running the admin account you will never be asked by the UAC for permission and password to run the three application suite programs at login. However, logging in with either the de-elevated root or standard user account will require the user to enter admin permission and password. An even simpler test for a Windows user is to try to defragment a disk drive; standard accounts can't do it without the UAC jumping up in your face for the permission and password.

      I hope that helps and if I didn’t fully answer your question please let me know.

  3. Thanks for the guidelines. There are cases where you have to give sudo access to some user accounts, yet you do not want them to run all commands, only specific commands, as sudo users. Any suggestion on how to achieve this? Thanks

    • You are most welcome MINDRAPHILL. While I’m not new to Linux or Unix, I’m still not very good with the advanced commands and settings. My suggestion is based on dealing with such users as a Group with permissions specified by the object Group itself. Sadly while I know the theory of how to do this, I would advise you seek someone more knowledgeable than me for this Group creation and user assignment. I was only able to successfully do Groups and user assignments on Mac and Windows Pro/Server OS, Ubuntu Desktop/Server attempts have been unsuccessful so far, so I’d be much more comfortable if you could find others with more experience to guide you in this. Also, always remember that apps and OS can easily be reinstalled, but your data may be irreplaceable so before you go tinkering back it up and duplicate it (in my case it’s duplicated over 4 USB drives and 4 other computers, then synchronized every Friday with Unison).

      I wish you success in your endeavors!

    • I think you are slightly confusing the purpose of sudo (Super User Do). Sudo allows one user to run commands with the privileges of another user. By default this is normally assumed to be root, but you can also use sudo with other accounts if you use the -u switch followed by the name of the user account, e.g. “sudo -u tomsaccount shutdown”.

      • Thank you CLIFFWILLIAMS, I have indeed run into trouble using “sudo” as a standard user while trying to use the attributes of another account, this is a tiny yet huge nugget of knowledge that will unlock many dead ends that I’ve run into. THANK YOU!!! =+D
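The situation MINDRAPHILL asks about (sudo for some accounts, but only for specific commands) and the `sudo -u` form CLIFFWILLIAMS describes, as an added example that is not from the post or its comments. It writes a sudoers drop-in granting one group a fixed command list and one user a single program as a non-root account; the group name "limitedops", the users "alice" and "backupsvc", and the command paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or its comments): restrict sudo to a
# fixed command list for one group. Group "limitedops", users "alice" and
# "backupsvc", and the command paths are constructed for illustration.

# Write a sudoers drop-in that grants the group only the listed commands.
# $1 = output path, $2 = group name.
write_limited_sudoers() {
    out=$1
    group=$2
    cat > "$out" <<EOF
# Commands members of %$group may run as root. Full paths are required so a
# member cannot substitute a different binary with the same name.
Cmnd_Alias LIMITED_OPS = /usr/bin/systemctl restart nginx, \\
                         /usr/bin/systemctl status nginx, \\
                         /usr/bin/journalctl -u nginx
%$group ALL=(root) LIMITED_OPS

# One user may run one program as a specific non-root account, invoked as
# "sudo -u backupsvc /usr/local/bin/run-backup".
alice ALL=(backupsvc) /usr/local/bin/run-backup
EOF
    chmod 0440 "$out"   # the mode sudo expects for files in /etc/sudoers.d
}

# Syntax-check the file with visudo when it is installed. A broken sudoers file
# can lock every administrator out, so never copy one into /etc/sudoers.d
# without this step. Returns visudo's status, or 0 when visudo is absent.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    else
        printf 'visudo not found; skipping syntax check of %s\n' "$1" >&2
    fi
}

# Count the grant lines (everything except comments, aliases, continuation
# lines and blanks) so a reviewer can confirm nothing broader slipped in.
rule_count() {
    grep -v -e '^#' -e '^Cmnd_Alias' -e '^[[:space:]]' -e '^$' "$1" | wc -l | tr -d ' '
}

# Example invocation: write the drop-in to a scratch path and check it.
demo_file=${TMPDIR:-/tmp}/10-limitedops.sudoers.example
write_limited_sudoers "$demo_file" limitedops
check_sudoers "$demo_file" || printf 'fix %s before installing it\n' "$demo_file" >&2
```

Install the checked file as root into `/etc/sudoers.d/` (owner root, mode 0440) and add the intended accounts to the group with `usermod -aG limitedops <name>`. Listing full command lines in the alias matters: a rule for a bare `/usr/bin/systemctl` would let the member run any systemctl subcommand, including stopping services the rule was never meant to cover.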
