When it comes to privileged account credentials, what you don’t know can certainly hurt you. How is this possible when it comes to IT? Well, it’s because your privileged account passwords are a favorite target of hackers. Once attackers get their hands on these privileged accounts, they have, as the cliché goes, the keys to your kingdom. Unfortunately, it may take you from weeks to months to discover the culprits are even in your network.
Before I begin this discussion on Windows privileged account management let me level set by defining what “privileged” means in the context of this blog post. Privileged accounts are the most powerful users in any organization. These accounts include shared accounts and superuser accounts.
When dealing with privileged accounts, we, as security professionals, focus on a concept called least privilege. We focus here because mismanaged privileges pose devastating risks to organizations, including financial losses, reputational damage, regulatory penalties and customer loss. To reduce the risk around shared and privileged accounts, first and foremost there’s a need for accountability. Restricting access to mission-critical servers does not mean that system administrators will not be able to perform their responsibilities it just means that they will be given the least amount of access needed to do their job.
Why Privileged Accounts Need Security in the First Place
Let’s focus for a moment on why you need to protect your privileged accounts from these bad actors in the first place. Managing your privileged accounts is an important factor for ensuring the security of your data. If they fall into the wrong hands, these accounts become the biggest threat to your enterprises because they can be used by the bad guys to breach your company’s personal data, complete unauthorized transactions on your network, or cause a denial-of-service to your network. They also allow the hacker to hide their activity by deleting audit data, so you never even know they were ever there.
Your privileged accounts, such as your Windows Administrator accounts, are required for your platforms to function properly. Therefore, gaining control of these accounts is at the top of the hackers list, and equally important, the top of your auditor's findings list, and is an essential component of compliance mandates associated with Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), NERC, and HIPAA. In addition, many of your business partners are likely to ask for a review of controls associated with your privileged accounts as part of their Statement on Auditing Standards (SAS) 70 reviews.
Access to most of these accounts gives the administrator what I refer to as “Super User” status. For Windows, the Super Administrator account is different from your current Administrator account, as it gives your administrator much more power to change things in the Operating system. Windows doesn’t call this a special account, but it sure gives you some extra privileges over the normal administrator account. Some of the privileges include but aren’t limited to full administrator rights and override UAC (User Access Control), to do some over-the-top troubleshooting.
What's the Problem with Windows Accounts?
A privileged account is how administrators log in to servers, switches, firewalls, routers, database servers, and the many applications they must manage. Many of these systems are not within a Window domain and by default allow simple username/password pairs to log in. In the worst-case, default passwords are never revoked. The password is often the username “admin” or maybe even a blank password. Often the default is replaced with a single login that is shared by anyone who needs to get on a machine. Some organization actually use separate credentials for each administrator but then fail to manage these passwords. them.
How PAM Security Tactics and Solutions Address the Risks of Privileged Accounts
Adding a privileged account management (PAM) system can help to secure your Windows privileged accounts better. For many Windows accounts, there are two ways to manage them:
- Manual protection - While ultimately it is better than doing nothing, manually protecting, managing, and monitoring privileged accounts can be a tedious, time consuming, and resource-draining
- Security solutions for privileged accounts - Enterprise solutions that protect, manage, and monitor privileged users, sessions, and applications while integrating with existing security investments such as Security Information and Event Management (SIEM) solutions provide the best value for large organizations.
When it comes down to it, PAM solutions end up being the best option for protecting your organization. Privileged account management platforms can help you mitigate the risks associated with elevated access. These products can help close out audit findings, assist in meeting compliance mandates, and increasingly enable an organization to pass its SAS 70 reviews.
Privileged Access Management Concepts
PAM mainly functions with three concepts in mind:
1. Who can get to a server
2. How they can get to a server and
3. What they can do when they get there
PAM products control access to accounts via two mechanisms. The first mechanism forces the administrator or program to check out the account password, and the second mechanism changes the account's password frequently on the target platform. These products also provide some workflow capabilities for approval and follow-up after giving emergency access to a privileged account. These workflow methods include:
- Check out methods
- Password change frequency
- Privileged single sign-on (SSO)
- Programmatic password caching
What Goes into PAM?
There are several common ways of managing privileged accounts:
- Credential vault or safe – Eliminates the sharing of privileged passwords by storing them in a virtual vault, complete with workflows and automation, to control their issuance, return and modification.
- Windows delegation – Temporarily elevates a regular user’s permissions to those of a Windows administrator on their workstation. While technically a PAM issue, the risk of regular users exploiting the temporarily elevated status to cause a breach is low compared to that of granting them widespread network and system access.
- Active Directory administrator delegation – This approach delegates the AD Administrator account on Windows Server.
- Session monitoring – This approach allows the business to monitor activities performed by users while they have elevated access.
The 10 Best Practices for Managing Windows Privileged Accounts in 2018
Below are ten best practices for monitoring your Windows privileged accounts.
1. Use automated tools to disable inactive privileged accounts
2. Use multifactor authentication for all administrative access, including domain administrative access
3. Implement automated password verification and reconciliation to ensure that the passwords of record are current on all systems
4. Regularly change and verify hardcoded passwords embedded in applications
5. Deploy a solution that provides the ability to directly connect to a target system without displaying the password to the user
6. Implement a gateway to eliminate privileged users directly accessing sensitive assets in the IT infrastructure
7. Implement a request workflow for credential access approval including dual-controls and integration with helpdesk ticketing systems
8. Implement session recording for all privileged access
9. Proactively detect malicious behavior
10. Implement focused auditing on the use of privileged administrative functions and monitor for anomalous behavior
By implementing these recommended solutions and combining them with an excellent PAM solution, you will go a long way in ensuring the security of your privileged Windows accounts. To learn more about how to protect and manage your Windows privileged accounts, check out an on-demand recording of my recent webinar, ‘Top Ten Best Practices for Managing Windows Privileged Accounts in 2018.’
Stay Up To Date
Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.