5 Tips to protect the Root account
Just as systems running Windows have an account named Administrator, Unix systems have an equivalent named “root”. This user, with user ID zero (0), has unlimited access to the system. Most applications that implement user access controls include a “backdoor” that always allows the root user access. This applies to accessing data, killing processes, loading kernel modules and more.
Tips to protect the root user
Since the root user has unlimited access to the system, it makes sense to protect this account carefully. Here are some tips.
1. Make it difficult
If you honestly care about your system security, then apply proper password rules to your root user account. Make sure the password is long enough, uses different character types and, when possible, is even randomized.
2. Different password per system
You should avoid reusing passwords as much as possible. This applies especially to this administrative account: don’t repeat its password either.
3. Change it regularly
Use some tooling to change the password for each system on a regular basis. For example, have one machine create random passwords, SSH into each machine and change the password. Then store the newly created passwords in a digital safe, optionally with a hard copy for you or your manager.
4. Use need-to-know principle
Do all system administrators really need the root password for every machine? Or is it sufficient to use a digital vault, from which a root password can only be retrieved when really needed? If so, implement sudo and restrict passwords to a need-to-know basis.
5. Monitor misuse
People are lazy human beings. While you should be able to do your work, there is no excuse for compromising security just because it was “easier to work”. Monitor when and why the root user account is used.
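One way to answer "when and why" from the authentication log, as an added example that is not part of the original article. The log lines are constructed samples in the usual OpenSSH, pam_unix and sudo message formats; the host names, users, addresses and function names are assumptions.

```python
import re

# Constructed sample lines in common syslog auth format (OpenSSH, pam_unix, sudo).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 09:14:37 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 11:02:45 web01 su: pam_unix(su:session): session opened for user root(uid=0) by bob(uid=1001)
Mar  3 23:40:12 web01 sshd[3150]: Failed password for root from 198.51.100.7 port 41234 ssh2
Mar  3 23:41:03 web01 sshd[3152]: Accepted password for root from 198.51.100.7 port 41236 ssh2
"""

# (event kind, pattern) pairs; "who" is the user or source address behind the root use,
# "detail" is the sudo command (the "why") or the SSH authentication method.
PATTERNS = [
    ("ssh_root_login", re.compile(r"sshd\[\d+\]: Accepted (?P<detail>\S+) for root from (?P<who>\S+)")),
    ("ssh_root_failed", re.compile(r"sshd\[\d+\]: Failed (?P<detail>\S+) for root from (?P<who>\S+)")),
    ("su_to_root", re.compile(r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened "
                              r"for user root(?:\(uid=0\))? by (?P<who>\w+)(?P<detail>)")),
    ("sudo_as_root", re.compile(r"sudo(?:\[\d+\])?:\s+(?P<who>\S+) : .*USER=root ; COMMAND=(?P<detail>.+)$")),
]

def root_usage(log_text):
    """Return one dict per log line that shows the root account being used or targeted."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                # The first 15 characters of a classic syslog line are the timestamp.
                events.append({"when": line[:15], "kind": kind,
                               "who": m.group("who"), "detail": m.group("detail")})
                break
    return events

def needs_review(events):
    """Direct root logins are not tied to a named user: flag them and failed attempts."""
    return [e for e in events if e["kind"].startswith("ssh_root")]

if __name__ == "__main__":
    for e in root_usage(SAMPLE_LOG):
        print(e["when"], e["kind"], e["who"], e["detail"])
```

Events from sudo and su name the person who became root, which is what makes tip 4 auditable; direct SSH logins as root only give a source address.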