Overview#

Managing Privileged Accounts#

Recently when working with a client there was a scenario where some "White-Hat" hackers who already had full administrative access to a machine and possessed many specialized tools was able to obtain the credentials of another administrator.

Now to be clear, the organization already was:

  • using separate administrative accounts for each user.
  • the administrative accounts were separate from the user's non-administrative account
  • administrative accounts had a password expiration policy that was enforced.

What was Done#

There was a decision to:
  • reduce the access to the Microsoft Active Directory team's accounts less than "Domain Administrators"
  • place "all" "Domain Administrators" access within a check-out Privileged Account Management system.

The organization already had a Multi-Factor Authentication application in place and it was suggested that this be used instead.

Conclusion[1]#

Organizations can substantially benefit by having a process in place for the use and management of administrative privileges. A robust process for the management of administrative privileges includes:
  • Providing clarity on what administrative privileges are necessary
  • Minimizing the use of shared administrative accounts
  • Having a method of being able to verify the privileges associated with each account
  • Having a method of reliably controlling and monitoring the use of account privileges

Not only will having a robust process for the oversight of administrative privileges bring peace of mind to management, it will also provide organizations with better security. Developing a robust process for the management of administrative privileges involves first developing policies for administrative privilege use and then determining the appropriate mechanisms to enforce those policies.

More Information#

There might be more information for this subject on one of the following: ...nobody

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 27-Mar-2016 12:47 by jim