We've all known for a long time that unnecessary use of elevated privileges is a bad thing. You shouldn't be logged in as an administrator while surfing the Internet or checking your email; in particular, you shouldn't do that stuff while logged onto a server as an admin. Your organization shouldn't have too many enterprise admins, domain admins, or server admins. We all have that.
But recently I came across a large shipping container client on the Asia-Pacific rim that literally had thousands of application administrators. They have thousands of applications, many of which have hundreds of administrators; in fact, for some of those applications, every user was an administrator. In most of those cases, I'm referring to normal user accounts (not an OS or network admin account) that had the highest-level application privileges.
The most popular applications at this shipping company have many thousands of users, so at first having roughly 10 percent of your users operating as administrators may not seem like that big a deal. But users should always run at the lowest privilege level, and having an excessive number of application administrators is as bad as having too many OS administrators. Perhaps it's even worse.
Every additional administrator causes linear-to-exponential growth in risk. Every additional admin doesn't just increase his or her own risk; if they're compromised, they add to the takedown risk of all the others. Each admin may belong to groups others do not. If a hacker compromises A and gets to B, B may more easily lead to C, and so on.
One big problem with too many application administrators is that application administrators rarely take the precautions that OS and network administrators do. Regular admins are now accustomed to using quarantined "jump" computers from more secure areas to do their admin work. They know not to surf on the Web or answer email using their elevated alternate credentials. They know to investigate and report possibly compromised computers. Application administrators tend to be much less clued in.
At this particular client, we found a significant minority of application administrators had been infected with malware over the last year. The number wasn't any different from that for the general population -- and that was exactly the problem. The company had significantly cut the number of OS and network administrators over the last year and had minimized the number of members in elevated groups. But no one had thought to do the same analysis on the application administrators (at least not until I came along -- that's why they pay me the big bucks).
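The kind of review described above, as an added example (not the author's tooling or anything from the client): given a constructed role inventory and a constructed list of accounts that had a malware incident, it flags applications whose admin share exceeds a threshold, lists admins who span several applications (the A-to-B-to-C chain), and compares infection counts for admins against everyone.

```python
from collections import defaultdict

# Constructed sample inventory: (user, application, role). Not from any real client.
ROLE_ASSIGNMENTS = [
    ("alice", "billing", "admin"), ("bob", "billing", "admin"),
    ("carol", "billing", "user"), ("dave", "billing", "user"), ("erin", "billing", "user"),
    # every user of "hr" is an admin, as the column describes for some apps
    ("frank", "hr", "admin"), ("grace", "hr", "admin"), ("bob", "hr", "admin"),
    ("heidi", "wiki", "admin"),
] + [("u%d" % i, "wiki", "user") for i in range(9)]

# Constructed: accounts that had a malware incident in the review period.
INFECTED_USERS = {"bob", "dave", "u3"}


def admin_ratio_by_app(assignments):
    """Map application -> (admin count, user count, admin share)."""
    users, admins = defaultdict(set), defaultdict(set)
    for user, app, role in assignments:
        users[app].add(user)
        if role == "admin":
            admins[app].add(user)
    return {app: (len(admins[app]), len(users[app]),
                  len(admins[app]) / len(users[app])) for app in users}


def flag_over_privileged(assignments, max_ratio=0.10):
    """Applications whose admin share exceeds the threshold (default 10 percent)."""
    ratios = admin_ratio_by_app(assignments)
    return sorted(app for app, (_, _, share) in ratios.items() if share > max_ratio)


def multi_app_admins(assignments):
    """Admins on more than one application: one compromised account reaches all of them."""
    apps = defaultdict(set)
    for user, app, role in assignments:
        if role == "admin":
            apps[user].add(app)
    return {u: sorted(a) for u, a in apps.items() if len(a) > 1}


def infection_counts(assignments, infected):
    """(infected admins, total admins, infected users, total users)."""
    everyone = {u for u, _, _ in assignments}
    admins = {u for u, _, r in assignments if r == "admin"}
    return (len(admins & infected), len(admins), len(everyone & infected), len(everyone))


if __name__ == "__main__":
    print("over-privileged apps:", flag_over_privileged(ROLE_ASSIGNMENTS))
    print("admins spanning several apps:", multi_app_admins(ROLE_ASSIGNMENTS))
    print("infected/total admins, infected/total users:",
          infection_counts(ROLE_ASSIGNMENTS, INFECTED_USERS))
```

Feed it the real role export from an application's own access-control list rather than the constructed inventory; the share-per-application number is the one the column's 10 percent figure refers to.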
Most bad guys are after systems and data. Even when they compromise the passwords of the entire domain and all the network administrators, what they are really after lies on application servers, which is why application administrators can do you in.