Back in the day it was the practice of system administrators to grant every new user account supervisor rights. That way they could guarantee that it wasn’t the network or these new fangled file permissions that was causing the software application to fail. The diligent administrators would carefully allocate time to go back and work with the developers to remove layers of access from said user accounts until the application would work without the user being burdened with an account that could wreak as much havoc across the network as an untrained sysadmin.
Those days, or to be more accurate, that attitude, is still apparent in many organisations. Giving ‘admin rights’ to a user is a practice that is still prevalent, mainly one suspects because it makes the job of the IT department (or IT guy) that much easier – in the short term. And surprisingly there is still software around that won’t run unless operating under a privileged account.
This is the simple stuff. If you want to complete the audit you should check how much server software runs in the admin account, or worse still in the named account of your sysadmin. Let’s hope they don’t leave. Let that practice of escalated privilege become common knowledge and you’ve made it one step easier for unwelcome guests, or disgruntled employees, to run riot with your systems, your files and your data. Lock it, or lose it.