Why It’s Critical to Secure Privileged Accounts

A compromised privileged account can give an attacker virtually unfettered access to the IT environment. Here are nine tips for securing them.

Privileged account management is one of the most critical components of any enterprise security strategy. Cybercriminals prize privileged account credentials because they provide administrator-level access to servers, security systems, network devices, applications and other resources.

Hackers who obtain these “keys to the kingdom” gain virtually unfettered access to an organization’s systems and data. A Microsoft study found that insufficient privileged access controls and lateral movement play a role in 93 percent of ransomware attacks.

There’s a common misconception that privileged accounts are only those that enable the highest levels of access — for example, domain controller credentials in a Microsoft environment. However, “privileged” simply means that the user (human or machine) can take administrator-level action on a system. Any admin rights, even at the workstation level, pose significant cybersecurity risks.

Types of Privileged Accounts

These seven types of privileged accounts are present in most environments.

  1. Domain administrator accounts give administrators access to all network resources — domain controllers, servers and workstations. This is the holy grail for hackers and therefore requires the highest levels of security.
  2. Emergency access accounts prevent administrators from being locked out of a system. These highly privileged accounts are not assigned to specific individuals and are only meant to be used when necessary.
  3. System accounts are created by operating systems when they are installed. They allow the user to add users, change permissions, install software and more. The “root” account in Unix or Linux is an example of a system account.
  4. Service accounts are used by applications and services, rather than human administrators, to run various processes and scheduled tasks. Many organizations neglect to establish controls over the resources a service account is allowed to access.
  5. Application accounts enable applications to run scripts and access databases and other applications. The credentials for application accounts are often embedded in the software in plain text.
  6. Local administrator accounts give administrator-level access to a local machine. IT staff use them to set up new workstations and perform maintenance. Individual users may also be given administrator privileges on their workstations.
  7. Privileged user accounts are any other type of account that gives the user privileges greater than a standard account.

Best Practices for Privileged Account Management

Best practices for privileged account management are well established:

  • Maintain separate credentials for each administrator.
  • Enforce policies requiring strong passwords and multifactor authentication.
  • Rotate passwords and authentication keys regularly.
  • Adopt a least-privilege access policy, in which users are granted only the privileges needed to do their jobs.
  • Strictly limit local admin privileges and use just-in-time access to enable local admin privileges as needed.
  • Apply separation of duties principles to privileged account management, requiring more than one person to grant, provision and manage privileges.
  • Regularly review and update user privileges to ensure they align with roles and responsibilities.
  • Promptly remove unneeded or inactive user accounts.
  • Continuously scan for compromised passwords.

Challenges of Privileged Account Management

Microsoft learned in January 2024 the risks of ineffective privileged account management. Hackers gained access to an unused test account through a password spraying attack. The account provided the hackers with sufficient privileges to exfiltrate emails and documents.

The Microsoft hack underscores the difficulty of managing privileged accounts. Under pressure to keep systems running and perform day-to-day maintenance tasks with limited resources, administrators are reluctant to add another layer of complexity to their operational processes.

Often, the problem is magnified by:

  • Service accounts that are created and exist without a process.
  • Privileged groups with members who should not be there.
  • Orphaned accounts with undue privileges.
  • Lack of ownership in establishing a cleanup process.

Steps to Securing Privileged Accounts

Organizations should start by taking an inventory of all privileged accounts and which users can access them. The next step is to understand the level of access required by various users and roles and establish policies based on those requirements. Granting full administrator access should be the rare exception rather than the rule.
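The inventory-and-review step above, and the challenges listed earlier (unapproved members of privileged groups, orphaned or inactive accounts, service accounts with no owner), can be turned into a repeatable audit. The following is an added example, not code from the original article: it runs policy checks over a constructed sample inventory (the account names, groups, dates and thresholds are all assumptions; a real inventory would be exported from the directory or IAM system).

```python
from datetime import date, timedelta

# Constructed sample inventory (not real accounts). "legacy-test" mirrors the
# kind of unused, over-privileged test account described in the article.
TODAY = date(2024, 3, 1)
INVENTORY = [
    {"name": "jsmith-adm", "kind": "user", "groups": ["Domain Admins"], "owner": "jsmith",
     "last_logon": date(2024, 2, 27), "pw_set": date(2024, 2, 1), "mfa": True},
    {"name": "legacy-test", "kind": "user", "groups": ["Domain Admins"], "owner": None,
     "last_logon": date(2023, 6, 1), "pw_set": date(2023, 1, 5), "mfa": False},
    {"name": "svc-backup", "kind": "service", "groups": ["Backup Operators"], "owner": None,
     "last_logon": date(2024, 2, 29), "pw_set": date(2022, 11, 1), "mfa": False},
    {"name": "helpdesk", "kind": "user", "groups": ["Account Operators"], "owner": "helpdesk",
     "last_logon": date(2024, 2, 28), "pw_set": date(2024, 2, 15), "mfa": True},
]

# Policy inputs (assumed values): which groups count as privileged, the approved
# roster for each, and the rotation / inactivity thresholds from the best practices.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators", "Account Operators"}
APPROVED_MEMBERS = {
    "Domain Admins": {"jsmith-adm"},
    "Backup Operators": {"svc-backup"},
    "Account Operators": {"helpdesk"},
}
MAX_PW_AGE = timedelta(days=90)
MAX_INACTIVE = timedelta(days=90)


def audit(inventory, today=TODAY):
    """Return (account, issue) findings for every privileged account that breaks policy."""
    findings = []
    for acct in inventory:
        priv_groups = [g for g in acct["groups"] if g in PRIVILEGED_GROUPS]
        if not priv_groups:
            continue  # standard account: outside the scope of this review
        for group in priv_groups:
            if acct["name"] not in APPROVED_MEMBERS.get(group, set()):
                findings.append((acct["name"], f"unapproved member of {group}"))
        if today - acct["last_logon"] > MAX_INACTIVE:
            findings.append((acct["name"], "inactive privileged account"))
        if today - acct["pw_set"] > MAX_PW_AGE:
            findings.append((acct["name"], "credential overdue for rotation"))
        if acct["kind"] == "service" and acct["owner"] is None:
            findings.append((acct["name"], "service account has no owner"))
        if acct["kind"] == "user" and not acct["mfa"]:
            findings.append((acct["name"], "MFA not enforced"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```

Each finding maps to one of the best practices listed above, so the output doubles as the work list for the cleanup process the article says often lacks an owner.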

Most organizations recognize the risks associated with poor privileged account management. They just don’t have the time, resources or know-how to address the problem. A qualified managed security services provider can help organizations develop a strategy for managing privileged accounts and implement the right processes and technology to keep them secure.
