Shadow Admins have long been a hidden cybersecurity risk, quietly existing in many IT environments, often unbeknownst to IT teams. They are users that aren’t part of recognized Active Directory (AD) administrative groups, such as Domain Admins, Enterprise Admins, Schema Admins, Administrators, and the like, yet they possess administrative privileges that allow them to wield a significant level of control within an organization’s IT infrastructure.
The Nature of Shadow Admins
At first glance, a shadow admin may seem like a regular user. But a closer look reveals they have administrative capabilities that can include Full Control Rights, Write All Properties, Reset Password, All Extended Rights, Change Permissions, Write Member, Write Owner, and even ownership of user groups or individual users. Moreover, anyone who can take control of a shadow admin account, regardless of their initial level of access, also becomes a shadow admin.
Origins of Shadow Admins
Shadow admins can emerge from various scenarios:
- Human Error or Mismanagement of User Rights: Inexperience or a misunderstanding of the implications of privilege assignments can inadvertently create shadow admins. Even without malicious intent, such accounts can present a significant risk by granting unauthorized access to sensitive assets.
- Temporary Use that Becomes Permanent: Sometimes, IT administrators might confer temporary privileges to solve immediate problems, unintentionally turning regular users into shadow admins. The real issue arises when these elevated privileges aren’t rescinded, resulting in accounts with unsupervised administrative access.
- Stealthy Activity by Adversaries: Once attackers gain admin privileges, they can create shadow admin accounts for persistence and to conceal their activities. These accounts can then hide malicious activities while the attacker remains covert.
Regardless of their origin, shadow admins pose significant risks due to the potential for unauthorized actions. Additionally, their lack of monitoring and supervision means that unauthorized access and changes might go unnoticed until it’s too late.
Identifying Shadow Admins: A Complex Problem
Finding shadow admins is a convoluted task. The first step is to determine who the official administrators are by identifying users in AD groups that confer administrative privileges. While some groups, like Domain Admins, are obvious, others may be created for specific business purposes and can contain nested groups.
This step, while important, is insufficient for identifying all privileged accounts because it does not consider shadow admins. The next step is to examine the Access Control List (ACL) permissions assigned to each account.
However, manual analysis of ACLs is practically impossible due to the complexity of these configurations. Even if one manages to conduct this analysis, it only reveals the first level of shadow admins. The process has to be repeated to determine who has privileges over these first-level shadow admins, creating a never-ending chain of analysis.
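The repeated analysis described above can be expressed as a graph walk. The following is an added example, not code from the original article or from any vendor tool: it assumes the group memberships and ACL entries have already been exported into plain Python structures, and the right labels, account names and sample data are constructed for illustration.

```python
from collections import deque

# Labels for the rights the article lists; "Owner" stands for object ownership.
DANGEROUS_RIGHTS = {"FullControl", "WriteAllProperties", "ResetPassword",
                    "AllExtendedRights", "ChangePermissions", "WriteMember",
                    "WriteOwner", "Owner"}

def find_shadow_admins(privileged_groups, members, aces):
    """Map each shadow admin to its level: fewest ACL hops to an official admin.

    members: {group: [direct members, users or nested groups]}
    aces:    [(trustee, right, target)] exported from the directory
    """
    by_target = {}
    for trustee, right, target in aces:
        if right in DANGEROUS_RIGHTS:
            by_target.setdefault(target, set()).add(trustee)
    inf = float("inf")
    level = {g: 0 for g in privileged_groups}   # level 0 = official admin
    queue = deque(privileged_groups)
    while queue:
        obj = queue.popleft()
        # Membership adds no hop: members hold whatever their group holds.
        for m in members.get(obj, ()):
            if level[obj] < level.get(m, inf):
                level[m] = level[obj]
                queue.appendleft(m)
        # Each dangerous ACE over an already-controlled object adds one hop.
        for t in by_target.get(obj, ()):
            if level[obj] + 1 < level.get(t, inf):
                level[t] = level[obj] + 1
                queue.append(t)
    return {p: n for p, n in level.items() if n > 0}

# Constructed sample data (not from a real directory).
SAMPLE_MEMBERS = {"Domain Admins": ["alice", "Tier0 Ops"],  # nested group
                  "Tier0 Ops": ["bob"],
                  "Helpdesk": ["dave", "erin"]}
SAMPLE_ACES = [("carol", "ResetPassword", "bob"),
               ("Helpdesk", "WriteMember", "Domain Admins"),
               ("frank", "WriteOwner", "carol"),      # second-level chain
               ("heidi", "FullControl", "Helpdesk"),  # controls a shadow admin group
               ("grace", "ReadProperty", "alice"),    # harmless right, ignored
               ("alice", "FullControl", "carol")]     # alice is already official

if __name__ == "__main__":
    found = find_shadow_admins(["Domain Admins"], SAMPLE_MEMBERS, SAMPLE_ACES)
    for who, hops in sorted(found.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"level {hops}: {who}")
```

Level 1 entries hold a dangerous right directly over an official admin object; higher levels reach one only through other shadow admins, which is the chain a single manual pass over the ACLs misses.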
The Need for Automated Solutions
Given the complexity and enormity of the work, manual analysis to detect shadow admins is a daunting, if not impossible, task. Furthermore, if a shadow admin group is found, the complexity increases exponentially.
Automated solutions are therefore paramount to efficiently and effectively detect and manage shadow admins. Automated solutions can continuously monitor user rights and permissions, thereby helping to identify and remediate any potential shadow admin accounts.
The reality of shadow admins underscores the importance of diligent management of user rights and ongoing auditing of permissions. While the threats shadow admins pose can be significant, a proactive approach to their identification and management can go a long way toward mitigating the risk.
Source: https://www.silverfort.com/blog/the-hidden-dangers-of-shadow-admins/