My principles are simple: Give the least privilege to accounts. Make the bad guys work for every toehold they get on your system. To that end, I do the following:
Root: Disabled. Use sudo. Sometimes you do not have the option to leave root disabled.
Admin Account: Usually created at installation time if you do not provide a root password. It depends on the distro, etc. The username for this account is never "admin" or "administrator" or anything guessable. If you have multiple administrators, do not let them share this account. Give each one their own, so that there is accountability for actions performed on the system. The admin account is used for system updates, maintenance, and backups; configuration changes; software installations, etc.
Unprivileged User Account: This is the account where the work gets done. Documents, media editing and creation, email, web browsing, messaging, etc. If you EVER see a prompt for the admin password when you are in this account, do not enter it. Ask yourself why it appeared. If necessary, log in using the admin account and fix the issue there. Sure, it is an extra step that annoys impatient people, but it keeps the two separate roles separate. You asked.
Backup Admin Account: On some systems, I keep a separate backup admin account. If something happens to the primary admin account, this account exists for emergencies, but is not normally used. I usually give it the same name as the admin account, with an "x" "y" or "z" prefix so that it ends up at the bottom of lists, out of the way. It sits there, dormant, just in case. In the last 20 years or so, I would guess that I have used it twice. Maybe.
Servers:
Unprivileged Remote Access Account: This is the only account that can log in remotely (via SSH) on servers. It has no privileges and no files, and nothing gets done here, except su to the working account. Set SSH to public key authentication only, no root login, and AllowUsers to this account. I switch SSH away from port 22. The choice of well-known port (lower than 1024) or a random high port is a risk/value judgement. The port change is "security by obscurity" (no real security) and is more about eliminating the noise in log files, etc.
This arrangement means that if I want to do administrator work on servers, I must connect to the unprivileged remote access account, then su to the unprivileged user account, and finally su to the admin account to do that work. In the admin account, "sudo" is needed for many actions. (Do I use sudo -s or -i? Sure, if I have lots of consecutive sudo commands to type. Otherwise, no.)
I can read your mind - "What a pain in the @#$@1!@#!!!!" Well, yeah. I get it. Not your thing? Okay. I am not forcing you to do anything. Don't shoot the messenger.
Attackers may be forced to perform the same actions through privilege escalation, and they do not know the long, strong, random passwords that you generated for those accounts. (Yes, I know that sometimes they "pwn" your system in one privilege escalation straight to root.) You must decide for yourself if the inconvenience is worth the benefits. Honestly, I think it is more the annoyance and the discipline required that upset others, rather than time/efficiency issues. I have been following this practice for many decades and it hasn't slowed me down much. It works for me. Some of the same people who complain about inconvenience and inefficiency will spend hours and hours customizing their desktops while my work was turned in long ago. :-(
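As an added example (not the post author's code), here is a small POSIX shell audit that checks an sshd_config against the server settings described above: root login off, public key authentication only (so password authentication off), and AllowUsers restricted to the remote-access account, with the port reported as a note rather than a finding since the post treats it as noise reduction only. The two embedded configs are constructed samples; the account name "ra" and port 2222 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the post's recommended settings.
# Only global directives are examined (parsing stops at the first "Match" block),
# and the first uncommented occurrence of a keyword wins, as in sshd itself.

# effective_value FILE KEYWORD
# Print the value of the first uncommented KEYWORD line in FILE, or nothing.
# Keyword matching is case-insensitive, like sshd's own parser.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        tolower($1) == "match" { exit }           # stop at the first Match block
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Print one FAIL line per deviation from the recommended settings, plus a NOTE
# about the port, which is about log noise rather than security.
audit_sshd_config() {
    file="$1"

    # Default since OpenSSH 7.0 is prohibit-password; anything but "no" is a finding.
    v=$(effective_value "$file" PermitRootLogin)
    [ "${v:-prohibit-password}" = "no" ] || echo "FAIL: PermitRootLogin is '${v:-<default>}', want 'no'"

    # Default is yes; an explicit "no" would break key-only login.
    v=$(effective_value "$file" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || echo "FAIL: PubkeyAuthentication is '$v', want 'yes'"

    # Default is yes; must be off for "public key authentication only".
    v=$(effective_value "$file" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || echo "FAIL: PasswordAuthentication is '${v:-<default>}', want 'no'"

    # No default; the post restricts SSH to the single remote-access account.
    v=$(effective_value "$file" AllowUsers)
    [ -n "$v" ] || echo "FAIL: AllowUsers is not set; restrict SSH to the remote-access account"

    v=$(effective_value "$file" Port)
    [ "${v:-22}" != "22" ] || echo "NOTE: Port is 22; moving it only cuts log noise, it is not a control"
}

# count_findings FILE
# Number of FAIL lines the audit produces (0 = matches the recommendations).
count_findings() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed sample: a permissive config of the kind some installs ship with.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
'

# Constructed sample of the arrangement in the post. "ra" is an assumed name for
# the unprivileged remote-access account; 2222 is an arbitrary high port.
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers ra
'

weak_file=$(mktemp)
hardened_file=$(mktemp)
trap 'rm -f "$weak_file" "$hardened_file"' EXIT
printf '%s' "$WEAK_CONFIG" > "$weak_file"
printf '%s' "$HARDENED_CONFIG" > "$hardened_file"

echo "== weak sample =="
audit_sshd_config "$weak_file"        # 3 FAIL lines and the port NOTE
echo "== hardened sample =="
audit_sshd_config "$hardened_file"    # no output: matches the recommendations
```

Point it at /etc/ssh/sshd_config on a real host to see where it deviates. On distributions where PAM keyboard-interactive login is enabled, `KbdInteractiveAuthentication no` (formerly `ChallengeResponseAuthentication no`) is also needed for the server to be truly key-only; the audit above does not check that directive.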