Remediating root access violations

Root access orphans are one type of root access violation. But in addition, any authorized key that belongs to a root (or administrator) account and has a corresponding private key can be considered a root access violation. However, this depends on your organization's folders regarding root accounts.

In some studies, it has been shown that nearly ten percent of all SSH user keys allow root access. And some organizations assign the same SSH host key to hundreds or even thousands of devices, leaving their networks open to man-in-the-middle attacks.

As a general guideline, root accounts at the server level should be avoided or kept to a minimum. This is because a user who can gain root account access can wreak havoc on your data.

To fix root access violations

• Remove authorized keys that have root access.

  See Removing SSH keys.

To restrict root access violations via policy

• If your organization's security folders restrict root access, then you can configure a policy to avoid them.

  For information about how to restrict root access, see Configuring SSH folder options.

What's next?

After completing steps to remediate root access violations, use one or all of the following methods to check the results of your changes:

• Go to the device where the root access keys were located; you can get there by clicking Inventory > Devices.
• Check the Critical Alerts widget on the SSH Keys Dashboard.
• From the SSH Keyset Inventory page (Inventory > SSH Keys) open the keyset Details view and verify from the Status column.