Excessive Admins
Definitions
In a source code management (SCM) tool, an administrator is an account that possesses elevated privileges and permissions to manage and govern the tool's functionality, configurations, and resources. Administrators typically have broader control and access rights compared to regular users or developers.
Arnica classifies admins as accounts with either organization-wide permissions (e.g. Organization Owners on GitHub or Project Collection Administrators on Azure DevOps) or repository-specific administrative permissions (e.g. Repository Admin on GitHub).
Risks
The risks associated with excessive administrative permissions to source code are:
Source code exposure: Administrators have full access to all source code, potentially sensitive data, and secret keys within the repository. If the administrator's account is compromised, all of these can be exposed to unauthorized users. This could result in the leaking of proprietary algorithms, unannounced features, or internal systems that could give competitors an edge, or worse, be exploited by malicious actors.
Accidental or malicious alterations: Administrators have the power to alter and delete source code. Accidental changes or deletions can lead to major disruptions in the development process, system outages, or the loss of critical code if not properly backed up. On the other hand, a malicious actor with administrative privileges can intentionally introduce vulnerabilities or harmful code into the system.
Historical data loss: Administrators can alter or remove historical source code data. This could hinder the process of code reviews, audits, and any legal investigations that might require historical data. It could also impede the process of rolling back to an earlier version of the code in case of an emergency.
Privilege escalation attacks: An attacker with limited access to the system might try to gain elevated privileges, which are usually given to administrators. If successful, the attacker could access sensitive sections of the code, create backdoors, or insert malicious code into the application.
Bypassing development procedures: Administrators could potentially bypass established development and deployment procedures, such as code reviews and tests. This could lead to untested or vulnerable code being deployed, potentially leading to system instability or exposure to attacks.
How are excessive permissions detected?
Arnica ingests the audit trail for each organization and builds a behavioral graph between each account and asset in the SCM tool. Based on this graph, Arnica looks for the lack of expected administrative activity for the relevant asset within a given time frame.
How to change the excessive permissions logic?
To configure the time frame for excessive administrator permissions, go to the Policies page under the Admin section and adjust the permissions definitions settings.
By default, the duration of inactivity required for a permission to be deemed excessive is 90 days, and the permission must have been granted more than 14 days ago.
How to mitigate excessive permissions?
Arnica mitigates excessive admin permissions by analyzing the identity's prior activity history and determining the permission required for its highest activity. The identity's permissions are then reduced to the most applicable permission.
Each SCM tool has different mitigation logic. For example, Arnica reduces excessive GitHub repository admin permissions to either Maintain or Write permissions for the relevant repository. If the permission is granted through a Team, Arnica will automatically reduce the permission of this Team and grant individual permissions to the active admins, so that group membership will not be impacted.
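The detection rule above (no admin-level activity within 90 days on a grant older than 14 days) and the GitHub reduction to Maintain or Write, applied to constructed audit events. This is an added example, not Arnica's code; the mapping of audit actions to repository roles and the sample accounts are assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical mapping from SCM audit-log actions to the lowest GitHub repository
# role that can perform them (constructed for this example; not Arnica's mapping).
ACTION_ROLE = {
    "git.push": "write",
    "repo.topics_update": "maintain",
    "protected_branch.update": "admin",
    "repo.add_member": "admin",
}
RANK = {"write": 0, "maintain": 1, "admin": 2}

def activity_in_window(grant, events, now, inactivity_days):
    """Audit events by this account on this asset inside the inactivity window."""
    start = now - timedelta(days=inactivity_days)
    return [e for e in events
            if e["actor"] == grant["account"] and e["asset"] == grant["asset"]
            and e["ts"] >= start]

def is_excessive(grant, events, now, inactivity_days=90, min_grant_age_days=14):
    """Excessive: grant older than min_grant_age_days, no admin action within inactivity_days."""
    if now - grant["granted_at"] <= timedelta(days=min_grant_age_days):
        return False  # too recent to judge; no activity is expected yet
    recent = activity_in_window(grant, events, now, inactivity_days)
    return not any(ACTION_ROLE.get(e["action"]) == "admin" for e in recent)

def recommended_role(grant, events, now, inactivity_days=90):
    """Lowest role covering the highest recent activity (write/maintain for an excessive grant)."""
    recent = activity_in_window(grant, events, now, inactivity_days)
    return max((ACTION_ROLE.get(e["action"], "write") for e in recent),
               key=RANK.get, default="write")

# Constructed sample data: three repository admins on the same repository.
NOW = datetime(2024, 6, 1)
GRANTS = [
    {"account": "alice", "asset": "org/payments", "granted_at": datetime(2023, 1, 10)},
    {"account": "bob", "asset": "org/payments", "granted_at": datetime(2023, 1, 10)},
    {"account": "carol", "asset": "org/payments", "granted_at": datetime(2024, 5, 25)},
]
EVENTS = [
    {"actor": "alice", "asset": "org/payments", "action": "protected_branch.update", "ts": datetime(2024, 5, 20)},
    {"actor": "bob", "asset": "org/payments", "action": "git.push", "ts": datetime(2024, 5, 28)},
    {"actor": "bob", "asset": "org/payments", "action": "repo.topics_update", "ts": datetime(2024, 4, 2)},
    {"actor": "bob", "asset": "org/payments", "action": "repo.add_member", "ts": datetime(2024, 1, 15)},
]

def report(grants=GRANTS, events=EVENTS, now=NOW):
    """Return {account: recommended role} for every excessive admin grant."""
    return {g["account"]: recommended_role(g, events, now)
            for g in grants if is_excessive(g, events, now)}
```

Alice keeps Admin (recent branch-protection change), Carol's grant is too new to judge, and Bob's last admin action falls outside the 90-day window, so his grant is reduced to Maintain, the highest role his recent activity needed.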
Mitigate excessive admins on GitHub
Navigate to the Git Posture page and select Permissions.
Ensure the page is focused on Excessive Organization Owners or Excessive Repository Admin Permissions.
Review the excessive permissions and click on the Mitigation Details button. A dialog will be opened to review the changes, which include the impacted asset (organization or repository), mitigation action (reduce to Maintain or Write), users who will lose the Admin permission and users that will keep it.
Review the change and click on Mitigate.
The mitigation will be recorded and managed in the Mitigations page.
Mitigate excessive admins on Azure DevOps
Navigate to the Git Posture page and select Permissions.
Ensure the page is focused on Excessive Admin Permissions.
Review the excessive permissions and click on the Mitigation Details button. A dialog will be opened to review the changes, which include the impacted organization, mitigation action (e.g. remove users with excessive permissions from Project Collection Administrators group and add to other applicable group), users who will lose the Admin permission and users that will keep it.
Review the change and click on Mitigate.
The mitigation will be recorded and managed in the Mitigations page.