Managing Privileged Accounts
Recently, when working with a client, there was a scenario where some "White-Hat" hackers, who already had full administrative access to a machine and possessed many specialized tools, were able to obtain the credentials of another administrator.
To be clear, the organization already had the following in place:
- Separate administrative accounts for each user.
- Administrative accounts that were separate from each user's non-administrative account.
- A password expiration policy for administrative accounts that was enforced.
What was Done
There was a decision to:
- reduce the access of the Microsoft Active Directory team's accounts to less than "Domain Administrators"
- place "all" "Domain Administrators" access within a check-out Privileged Account Management system.
The organization already had a Multi-Factor Authentication application in place and it was suggested that this be used instead.
- Providing clarity on what administrative privileges are necessary
- Minimizing the use of shared administrative accounts
- Having a method of being able to verify the privileges associated with each account
- Having a method of reliably controlling and monitoring the use of account privileges
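One way to verify the privileges associated with each account, and to confirm that every path to "Domain Administrators" goes through the check-out system, is sketched below as an added example that is not part of the original page. The group names, account names and vault inventory are constructed, and the input is assumed to be an offline export of direct group membership.

```python
# Constructed sample data (all names hypothetical): each group mapped to its
# direct members, which may be accounts or other groups.
GROUP_MEMBERS = {
    "Domain Admins": ["adm-alice", "AD-Team-Admins", "svc-backup"],
    "AD-Team-Admins": ["adm-bob", "adm-carol", "Tier0-Operators"],
    "Tier0-Operators": ["adm-dave", "AD-Team-Admins"],  # membership loop
    "Account Operators": ["adm-bob", "adm-erin"],
}
# Assumption: accounts whose credentials are held in the check-out system.
VAULTED = {"adm-alice", "adm-bob", "adm-carol"}


def effective_members(group, groups=GROUP_MEMBERS):
    """Return {account: path} for every account that reaches `group`,
    following nested groups and tolerating membership loops."""
    found, seen = {}, set()
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        if current in seen:          # already expanded: breaks nesting loops
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:     # nested group: keep walking
                stack.append((member, path + [member]))
            else:                    # leaf: a user or service account
                found.setdefault(member, path)
    return found


def audit(group, vaulted=VAULTED, groups=GROUP_MEMBERS):
    """Return {account: 'path'} for privileged accounts outside the vault."""
    members = effective_members(group, groups)
    return {
        account: " > ".join(path)
        for account, path in sorted(members.items())
        if account not in vaulted
    }


if __name__ == "__main__":
    for account, path in audit("Domain Admins").items():
        print(f"UNMANAGED {account}: {path}")
```

The path in each finding shows which nested group grants the privilege, which is the membership to remove when reducing an account to less than "Domain Administrators".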
Not only will having a robust process for the oversight of administrative privileges bring peace of mind to management, it will also provide organizations with better security. Developing a robust process for the management of administrative privileges involves first developing policies for administrative privilege use and then determining the appropriate mechanisms to enforce those policies.