In this paper, I will talk about the goals and challenges of creating a privileged access management program for your Windows desktops and servers. Privileged access is a key issue these days, especially on desktops, where an overprivileged user can become a weapon of destruction on your internal network simply by inadvertently downloading and installing malware.

But privileged access management can be equally critical on Windows servers to ensure that the right users have the right access to your production systems. In this paper, I’ll lay out the issues and challenges around managing privileged access using the native Windows security model, especially across many desktops and servers. Then I’ll talk about some different approaches that might help you in your efforts to manage access in your Windows environment.

What is Privileged Access Management?

It’s important to define terms when it comes to privileged access management. Privileged access, as the name implies, is access to a system (desktop or server) that goes above and beyond what a “normal” user has. This definition, of course, is sufficiently vague that it requires additional context. Every organization may have a different definition of what is privileged, based on its business and security requirements.

But we can probably all agree that certain types of access (e.g. the ability to install software, create users or change system configuration) universally constitute privileged access. And the principles of Privileged Access Management are generally the same. Namely, you want to:

  • Ensure that only those users who absolutely need access to a given set of privileges on desktops and servers have those privileges, and only for those systems for which they have a need.
  • Ensure that privileged access is only used when it’s needed (i.e. when the privileged operation needs to occur) and ideally, is only granted when it’s needed and “un-granted” when it’s no longer required.
  • Centrally manage privileged access such that access can be granted and revoked quickly. This doesn’t necessarily mean a single group managing access, but rather a single point of control or system for determining access, rather than many disparate systems depending upon the resource under management.
  • Ensure that there is an audit trail for any privileged operation.

Of course, there will be differences between the types of privileged operations that are performed on Windows desktops vs. Windows servers. Desktop privileged access might include the ability to log on at the console (interactively) or the ability to install printers or install software. Server privileged access, on the other hand, might include the ability to shut down the server, change its network or disk configuration, and stop and start key services.

Each of these different privilege sets may have different usage patterns as well. A desktop user probably needs to log onto their system interactively every day, and they may need to install software frequently as well. However, a server administrator may only need to log onto the server’s console or restart its services on an infrequent basis. Therefore, the strategy you take when addressing privileged access management on each platform type may be different. We’ll talk more about these differences later in the paper.

Privileged Access in Windows

The Windows platform provides some unique capabilities that also make it a challenge in the area of privileged access management. Ironically, one of Windows’ biggest strengths over other platforms like Linux or UNIX is the granularity of control you get in the OS’ security model. Indeed, security is built into Windows at the deepest levels, and practically every resource and object in the OS is protected by some sort of access control list (ACL).