Preventing Privilege Escalation

Instructor: Lyna Griffin

Lyna has tutored undergraduate Information Management Systems and Database Development. She has a Bachelor's degree in Electrical Engineering and a Master's degree in Information Technology.

In this lesson we will learn the definition of privilege escalation, the activities that make up the attack, and the different methods system administrators can employ to prevent it.

What Is Privilege Escalation?

A privilege escalation attack (PEA) is all about acquiring unauthorized system rights. It is an illicit intrusion on a system, application or network in which design flaws and program errors are exploited to attain elevated access to the programs and resources the system holds. A privilege is a security characteristic attributed to a user access level and needed to perform particular operations.

Privilege escalation attacks come not only from infiltration from outside the network but from within the network as well. Authorized users of the system may try to attain increased privileges to gain access to areas, levels or resources in the system network beyond their assigned privileges.

A user with limited access privileges may seek the access privileges of another similar user (horizontal escalation), which is like having the key to another door in a house, or scale up his attack and seek super user/administrative user privileges (vertical escalation), which is like having the master key to the house.

In either case, these attacks are dangerous and can be extremely harmful to any system or program.

Prevention of Privilege Escalation

Protecting Running Services

Every application, program or system runs on services, the software components that execute its operations. Most modern systems are connected to the internet, a medium which unfortunately facilitates numerous remote attacks. A system's services therefore include those that manage its internet connectivity as well as those that manage its core operations, be it a database or transaction processing. These services, which form the core functionality of a program or system, have access rights usually protected by system-specified privileges. In other words, without certain user access privileges these services cannot be run.

For example, an operation like running a routine system update or creating a new user may require administrative or super user access privileges. This means that a user with ordinary user-level access privileges cannot run a system update. An intruder who has gained super user access level privileges, on the other hand, is at liberty to do anything anywhere within the system. Care must therefore be taken to detect and rectify any flaws or errors in running system services that infiltrators could exploit to escalate their privileges.

Privilege Separation

We have already established the importance of services in a system and the degree of risk when they are compromised. Measures must therefore be taken to ensure adequate escalation protection by reducing the number of services running on special privilege accounts without compromising system functionality. This is called privilege separation. The services are separated into privileged and non-privileged parts. The core functionality is run outside the specified privilege accounts, which then translates to a denial of service for an intruder using escalated privilege access. If a service is not run with administrator or super user privilege access, then an intruder cannot run the service, as he does not know how the service is run. In short, keep the amount of code run with privilege access to a minimum.
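One way to measure how many services still run on a privileged account, as an added example that is not part of the original lesson. It assumes the services are Linux systemd units; the unit names, paths and contents below are constructed for illustration.

```python
# Added example: audit which services run as root and are candidates
# for privilege separation. The unit files are constructed samples.
SAMPLE_UNITS = {
    "webapp.service":
        "[Unit]\nDescription=Web front end\n"
        "[Service]\nExecStart=/usr/local/bin/webapp\n",
    "report-worker.service":
        "[Service]\n# runs under a dedicated account\nUser=reports\n"
        "NoNewPrivileges=yes\nExecStart=/usr/local/bin/report-worker\n",
    "backup.service":
        "[Service]\nUser=root\n"
        "CapabilityBoundingSet=CAP_DAC_READ_SEARCH\n"
        "ExecStart=/usr/local/bin/backup\n",
}

def service_settings(unit_text):
    """Return the [Service] section as a dict; a later assignment wins."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(units):
    """Classify each unit as unprivileged, root-restricted or root-full."""
    report = {}
    for name, text in units.items():
        s = service_settings(text)
        # A system service with no User= setting runs as root.
        user = s.get("User", "root")
        if user not in ("root", "0", ""):
            report[name] = "unprivileged"
        elif "CapabilityBoundingSet" in s:
            report[name] = "root-restricted"  # root, but capabilities limited
        else:
            report[name] = "root-full"        # first candidate to separate
    return report

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_UNITS).items()):
        print(f"{name:24} {verdict}")
```

Services reported as root-full are the ones to split first: move their core functionality to a dedicated account and leave only the operation that truly needs privilege running as root.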
