10 Steps to Better Windows Privileged Access Management

Derek A. Smith, Founder, National Cybersecurity Education Center
September 5th, 2018

If you’d rather listen/watch than read, get this information through my on-demand webinar, “10 Steps to Better Windows Privileged Access Management”.
watch now

It seems like almost every day we hear of a new data breach, and each time you read about someone else’s breach you are thankful it wasn’t your company or organization that it happened to. But how long can you dodge the breach bullet? You don’t want to be the next headline, but what can you do to ensure that you aren’t?

The commonality in virtually every breach is that somehow, someone who shouldn’t have had access to your company’s system and data sources obtained access. The bad guys are smart, creative and motivated, and they will use even the smallest opening in your defenses to access your IT resources.

So how do you defend yourself against these relentless attacks? Well, I have some tips to share a little later that might help.  But first, let’s talk a little about one of the main ways breaches occur, and that is through bad guys obtaining your administrative credentials.

In this article, I will discuss Windows privileged accounts, and most breaches to these accounts occur when someone obtains the administrative credentials that come with every Windows-based system. In order to run Windows servers, there must be a system account that provides the high-level access required to set up, maintain and operate the system.

If these accounts are somehow shared or compromised, it increases the risk to your Windows systems, and a breach is more likely to occur.  Whoever has these credentials essentially becomes an “insider” of your organization and can operate with little-to-no oversight.   These accounts are so important that bad guys will pull out all the stops to get their hands on them.

First, I want to make sure you understand what privileged access is. Privileged access management (least privilege management) is the creation and enforcement of controls over users, systems, and accounts that have elevated or “privileged” entitlements.  An example is your Windows Active Directory accounts. While the creation of these accounts is often governed by companies, the use of these accounts is far too often shared across multiple individuals within the company. These are commonly referred to as shared accounts.

Many breaches occur because of compromised privileged accounts. External hackers and insider attackers seek out and exploit shared or privileged accounts because of the entitlements they hold as “keys to the kingdom.” Microsoft Windows privileged accounts include admin accounts, Active Directory service accounts, and domain admin accounts.  These accounts are highly targeted due to their broad access and privileges on Window Servers.

Privileged accounts exist in many forms across an enterprise environment, and they pose significant security risks if not protected, managed and monitored. The types of privileged accounts typically found across an enterprise environment include:

  • Local administrative accounts: non-personal accounts which provide administrative access to the local host or instance only
  • Privileged user accounts: named credentials which have been granted administrative privileges on one or more systems
  • Domain administrative accounts: privileged administrative access across all workstations and servers within the domain
  • Emergency accounts: unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as ‘firecall’ or ‘break glass’ accounts
  • Service accounts: privileged local or domain accounts that are used by an application or service to interact with the operating system
  • Active Directory or domain service accounts: allow password changes to your accounts among other things.
  • Application accounts: used by applications to access databases, run batch jobs or scripts, or provide access to other applications

It’s important for you to manage privileged access in Windows because undiscovered and unprotected Windows privileged accounts and vulnerable endpoints are everywhere on servers and desktops throughout organizations worldwide. They represent one of the most significant attack surface vulnerabilities of IT systems. An attacker, or even a local malicious user, browsing around on a workstation they have administrator access to might be able to discover their own local administrator password.  This, of course, is a major security issue.

Now here is the meat of this article – why we are here.  Let’s talk about how privilege access management makes windows more secure.  I recently read that more than 90% of ALL Microsoft vulnerabilities could be mitigated by removing or better-controlling admin rights.

Protecting against the hacking of privileged accounts is difficult.  Eliminating your privileged accounts is out of the question as they essential to the functioning of the business. Since these accounts cannot be eliminated, you make sure these accounts are secure. Unfortunately, the management of privileged accounts is complicated and is difficult to automate. But, privileged access management (PAM) solutions can help solve privileged access problems in your Windows environment. The goal of PAM is to reduce opportunities for malicious users to gain access while increasing your control and awareness of the environment. PAM makes it harder for attackers to penetrate a network and obtain access to sensitive accounts and data. Privileged access management:

  • Adds protection to privileged groups that control access across a range of domain-joined computers and applications on those computers
  • Adds more monitoring, more visibility, and more fine-grained controls – this allows organizations to see who their privileged administrators are and what are they doing
  • Gives organizations more insight into how administrative accounts are used in the environment

Using PAM as your central tool to manage privileged access here are 10 steps to help you manage Windows privileged access effectively.

Tip #1: Make a List of All Privileged Accounts

To make sure you have accountability for all your privileged accounts you should inventory them by accurately listing all accounts. A PAM solution can help with this as many have an auto-discovery feature. This technique will allow you to monitor who is responsible for a particular account and prevent unauthorized access.

Tip #2: Don’t Share Passwords for Shared Accounts

Ensure that shared-account passwords are accessible only to account owners. To avoid revealing shared-account passwords, you should consider implementing single sign-on (SSO) authentication.

Tip #3: Use as Few Privileged Accounts as Possible

To reduce risks of data thefts, you should minimize the number of accounts with privileged access or even eliminate all accounts with permanent and full privileges if possible.

Tip #4: Minimize the Number of Rights for Each Privileged Account

To better protect your data from disclosure and ensure the proper superuser privilege management, you should set minimum rights needed for specific users so as they could perform their obligations.

Tip #5: Manage Passwords Properly

To reduce the risks of compromising privileged accounts, you should manage passwords wisely. They should be complex, unique, regularly changed, and never shared.

Tip #6: Separate Privileges for Specific Tasks

You should separate privileges necessary to accomplish specific tasks among various administrators.

Tip #7: Practice Privilege Elevation Instead of Assigning Superuser Privileges

Instead of granting administrators with full access, use privileged elevation to allow them to perform corresponding actions when needed.

Tip #8: Use One-Time Passwords

The advantage of a one-time password (OTP) over a static one is that the password cannot be reused. Thus, an attacker who intercepts data from a successful authentication session can’t use the copied password to get access to the protected information system.

Tip #9: Use Two-Factor Authentication

The double-layered protection will ensure secure authentication and make it more difficult for third parties to intercept your data.

Tip #10: Record Privileged User Sessions

To detect suspicious activities and efficiently investigate malicious operations in a timely manner, you should record privileged user sessions.

Using a PAM solution and following these 10 tips will go a long way in securing your privileged accounts. To learn more about what you can to do protect your organization, check out my on-demand webinar, “10 Steps to Better Windows Privileged Access Management”.

Derek A. Smith, Founder, National Cybersecurity Education Center

Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently the Director of Cybersecurity Initiatives for the National Cybersecurity Institute at Excelsior College, responsible to perform complex duties relating to the development and coordination of cyber initiatives at NCI. Formerly, he has worked for a number of IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He has also taught business and IT courses at several universities for over 20 years. Derek has served in the US Navy, Air Force and Army for a total of 24 years. He completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education.