NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Password & Session Checkout Duration – 4 Steps to Achieving Best Practices

May 21, 2020

  • Blog
  • Archive

How long should privileged password and privileged session checkout durations last? This is a common question that consistently arises when I speak with security professionals, most recently when I participated in an executive forum and roundtable. As every security professional can imagine, there are several approaches and considerations to evaluate when trying to determine what is the “Best Practice” for password and session checkout duration. Obviously, you need to assess the security risks involved with making that decision for the checkout duration, as well as what risks you’re mitigating, or even introducing, based on your decision.

To make the best decision, IT and security teams need to evaluate, categorize, and then prioritize the types of privileged accounts and their usage.

1. Evaluating Accounts

When it comes to account evaluation, you should consider the types of accounts and their access rights. These accounts could be Domain Controller admin accounts, Application Server Accounts, Database Accounts, Line of Business Servers, Network Devices, etc. These accounts can also have multiple access rights, meaning they can be used to log onto multiple servers or assets, applications, databases, and network devices. Understanding the account access rights will help guide the evaluation process.

2. Privileged Account Categorization

There are several ways you can categorize accounts—the important thing to remember is you are trying to categorize “sets” of privileged account access so you can then prioritize them in the next step. When it comes to categorization, you should consider the following:

  • Are the privileged accounts in a production domain or a development domain?
  • Do the accounts have access to the crown jewels of your production environment, such as domain controllers?
  • Do the accounts have access to critical cloud environments?
  • What about high-risk financial application(s) or critical database(s)?

There are several ways you can categorize, but the goal here is consistency. The framework for privileged account categorization will vary from organization to organization, depending on such factors as size, amount of accounts, access, etc.

3. Prioritizing the Categories

Once you have successfully categorized the accounts in a format that makes sense to your organization, the next step is prioritizing each of these categories. The priority should align with highest risk to lowest risk. This means that if your domain controller admins are the most important accounts, or pose the biggest risk to the organization, they should be made a high priority. At the opposite side of the spectrum would be development sandbox accounts used for testing, which would be considered much lower priority.

In some cases, organizations have not separated privileged access or access rights to dedicated accounts. Instead, users leverage their “Namesake” account for all access, email, applications, etc. This should be considered “Bad Practice!” If you are using or leveraging this access model, you should seriously reconsider separating the privileged access to a dedicated administrative account to reduce your risk exposure.

Once you have completed the prioritization across each category, you can then start to develop your baseline for password and session checkout duration.

4. Considerations for Developing Password/Session Checkout Durations

The hardest part is done, now comes the easy part. The best way I’ve found to approach this is by starting with a baseline for your low-priority accounts. The baseline should be the minimum amount of control over the duration an organization is willing to accept. In some cases, organization might choose to align these with security controls, standards, or policies. More often than not, the controls, standards, or polices haven’t been written, which is why this question about checkout duration always seems to arise.

When considering a baseline, remember, its easiest to start with the low-priority accounts for the most relaxed checkout duration. Typically, these types of checkout durations will range be 48 hours to 7 days. Remember, these are low-priority accounts with minimal risk. The beauty of creating this baseline is that now you have a starting point. You can optimize checkout duration timelines across each category and priority.

When you consider the highest priority accounts that pose the biggest risk to an organization, you may want to consider checkout durations be as restrictive as 1 hour. This means that, if a user needs to check out this type of account, they will only be able to check it out for 1 hour before it expires, and they have to re-request the privileged password at the end of the hour if they need to continue using it. In some cases, organizations have chosen to add an additional layer—requiring approval prior to releasing a password.

Achieving Best Practices for Password/Session Durations

While there are several options and exceptions to consider, you should keep in mind that for any type of production access that leverages a PAM password safe where privileged credentials are controlled, managed, and released to users, checkout durations should never last longer than the particular user’s typical work day. Some exceptions might be Backup Engineers, Critical Engineering Operations, or Debugging Engineers who might need to perform tasks that extend beyond a typical 8-12 hour workday. These types of users should be evaluated, categorized, and prioritized based on this type of use case.

At the end of the day you are ultimately trying to mitigate risks associated with privileged access. Some types of privileged access might not carry as much risk as others, but having a solid framework and baseline provides a standardized approach for organizations to use when trying to answer the question of “How long should we let users check out passwords and sessions.”


Whitepapers

Privileged Password Management Explained

Infographics

8 Best Practices for Privileged Password Management

Photograph of Christopher Hills

Christopher Hills, Deputy Chief Technology Officer, BeyondTrust

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.