Sept 8, 2022

System Administration: Inheriting Legacy Systems

Many of us who have worked as system administrators have had the privilege of inheriting established systems that have been in service for many years – some with no end of life in sight. If you are one of the lucky ones using a well-oiled machine that might be older than Methuselah, have you considered that your predecessor may have faced different security challenges than you do today? For instance, I recall working on an IBM AS/400 (better known today as the IBM i). When I reviewed the security settings, I realized that the minimum password length had been set up for the users' convenience, at a minimum of only 7 characters. Using today’s technology, a short password with no other protection layers in place (e.g., multi-factor authentication) can be cracked in less than a minute†. So, I made the change and proceeded to dive further down the rabbit hole.

The next thing I discovered was that the user sessions were set to never expire, with some having been active for over a month. This meant that if a threat actor was using compromised credentials, they had a direct line to our core business system for an indefinite amount of time. Again, I made the change and dove even further.

My most interesting find was when I decided to test out default administrative credentials. As I was in the world of IBM, I searched the online IBM docs for those delivered with my system, and sure enough, not a one had been changed. Some accounts had only minimal access rights, but others had far more permissive settings. In fact, one of them had the ability to effectively lock a legitimate administrator out and commandeer the entire system!

Upon fixing this, I decided to bring my findings to our supervisor and asked the question – “have we reset every device’s default admin credentials?” After sifting through countless devices such as routers, switches, virtualization platforms, etc., we found that those provisioned before our time in service were the culprits. Changes were made swiftly after testing confirmed it was safe to do so.

This story has effectively become an Aesop’s fable, and its moral is this: if you are the recipient of an established system, be certain to go back through and confirm that system-delivered (i.e., default account) passwords have been changed. This is an easy mistake for even the most seasoned veterans to make, but thankfully an easy issue to remediate. Fortunately, many newer enterprise systems, whether we're talking about firewalls, applications, or operating systems, force "first use" password changes or the establishment of new credentials at initial start-up. But it should not be assumed that this was the case for legacy systems. It is also important to reassess authentication controls after an employee with administrative capabilities leaves your company, and even more so if that employee was subject to involuntary termination.
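The three findings above (a short minimum password length, sessions that never expire, and vendor-delivered accounts whose passwords were never changed) are exactly the kind of checks worth scripting the first time you inherit a system. The following is an added example, not code from the original post or from IBM: it audits a constructed configuration, session list and account inventory against assumed policy thresholds. The field names (`min_password_length`, `session_timeout_minutes`, `password_last_changed`), the `VENDOR_*` account names and the threshold values are all assumptions for this illustration; a real audit would pull the equivalent data from the system's own security reporting tools.

```python
"""Audit an inherited system's authentication settings for the three findings
described in the post. Added example: the config schema, account records and
policy thresholds below are constructed, not taken from any real system."""
from datetime import date, timedelta

# Policy thresholds (assumed values for this example).
MIN_PASSWORD_LENGTH = 14       # characters
MAX_SESSION_AGE_DAYS = 1       # a session older than this is suspicious


def audit_password_policy(config):
    """Flag a minimum password length below the required threshold."""
    findings = []
    length = config.get("min_password_length", 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"min_password_length={length} is below the required {MIN_PASSWORD_LENGTH}")
    return findings


def audit_sessions(config, sessions, today):
    """Flag a disabled session timeout and any session older than the limit."""
    findings = []
    # A timeout of 0 or None means sessions never expire.
    if not config.get("session_timeout_minutes"):
        findings.append("session timeout disabled: sessions never expire")
    for s in sessions:
        age_days = (today - s["started"]).days
        if age_days > MAX_SESSION_AGE_DAYS:
            findings.append(f"session for {s['user']} has been active for {age_days} days")
    return findings


def audit_default_accounts(accounts, vendor_defaults, install_date):
    """Flag vendor-delivered accounts whose password was never changed after install."""
    findings = []
    for a in accounts:
        if a["name"] not in vendor_defaults:
            continue
        changed = a.get("password_last_changed")
        # No change date, or a change date no later than provisioning, means the
        # delivered password is still in place.
        if changed is None or changed <= install_date:
            findings.append(
                f"vendor-default account {a['name']}: password unchanged since provisioning")
    return findings


def run_audit(config, sessions, accounts, vendor_defaults, install_date, today):
    """Run all three checks and return the findings grouped by category."""
    return {
        "password_policy": audit_password_policy(config),
        "sessions": audit_sessions(config, sessions, today),
        "default_accounts": audit_default_accounts(accounts, vendor_defaults, install_date),
    }


def sample_audit():
    """Audit a constructed inventory that mirrors the situation in the post."""
    today = date(2022, 9, 8)
    install_date = date(2010, 3, 1)                       # constructed provisioning date
    config = {"min_password_length": 7, "session_timeout_minutes": 0}
    sessions = [
        {"user": "jdoe", "started": today - timedelta(days=35)},   # over a month old
        {"user": "asmith", "started": today},
    ]
    # Constructed account names; VENDOR_* stand in for whatever the vendor ships.
    vendor_defaults = {"VENDOR_ADMIN", "VENDOR_OPER", "VENDOR_USER", "VENDOR_SVC"}
    accounts = [
        {"name": "VENDOR_ADMIN", "password_last_changed": install_date},  # never changed
        {"name": "VENDOR_OPER", "password_last_changed": None},           # never changed
        {"name": "VENDOR_USER", "password_last_changed": date(2021, 1, 5)},
        {"name": "jdoe", "password_last_changed": date(2022, 8, 1)},
    ]
    return run_audit(config, sessions, accounts, vendor_defaults, install_date, today)


if __name__ == "__main__":
    for category, items in sample_audit().items():
        print(f"[{category}]")
        for item in items:
            print(f"  - {item}")
```

The default-account check deliberately treats a change date equal to the provisioning date as "unchanged", since an initial-setup script that sets the delivered password again leaves the same exposure. Feeding the script the real inventory is the part that varies by platform; the decision logic does not.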

Authored by: Ben Caruso
