Privileged accounts are user accounts with extended permissions to access systems and data, such as the root account in Unix and Administrator accounts in Windows. Sometimes they are called “the keys to the kingdom” because a privileged account enables you to do things ordinary users can’t, such as change a system’s configuration or view and delete sensitive data.
With such access at their fingertips, users can do either good or bad. It depends on who does what and why.
Do you have to worry about following best practices for managing privileged accounts?
If you have only five PCs, one router and a sysadmin with a lot of free time, you might not need to have rigorous privileged accounts management practices — but you are putting a lot of trust in that person. If you have a larger environment, you need to carefully follow best practices, both to ensure security and to meet compliance standards for maintaining a safe network.
To be able to hold privileged users accountable for their actions, it’s essential to be able to answer the following questions:
- Who had access to a given system at a certain time?
- Who actually accessed the system and what specific actions were taken?
For example, suppose client information from your database is leaked on the dark web. In the logs, you see that the Administrator account logged into SQL Server and copied the database — but because 10 individuals have the password for that account, there’s no way to find out exactly who did it. Moreover, without privileged user activity monitoring you can’t be sure that it was even one of those 10 people, because any account could be compromised by a malicious insider or an external attacker.
How can you ensure privileged account security in AD?
- Control access to resources — Using Microsoft Active Directory groups is the best way to control access to resources and enforce a least-privilege model. It also enables you to easily enumerate permissions to any resource, whether it’s a Windows file server or a SQL database.
- Delegate control — Delegation enables you to grant users or groups the permissions they need without adding them to privileged groups like Domain Admins and Account Operators. The simplest way to accomplish delegation is to use the Delegation of Control Wizard in the Microsoft Management Console (MMC) Active Directory Users and Computers (ADUC) snap-in.
- Use strong passwords — The Microsoft Active Directory Password Policy feature enables organizations to enforce the use of strong passwords through appropriate password and account lockout policies, and you can even define different policies for different sets of users in a domain. The domain-wide policy is set through a password policy GPO on your Windows Server; its settings control password complexity, length, lifetime and other requirements. For example, you can require admins to change their passwords regularly; ideally, a privileged account’s password should be changed automatically every time the account is used. (Read more about password policy best practices here.)
- Implement an account lockout policy — An account lockout policy disables a user account if an incorrect password is entered a specified number of times during a specified period of time. This policy helps you prevent attackers from guessing users’ passwords, thereby reducing the chance of successful attacks on your network. (Learn more about account lockout best practices here.)
- Enable auditing — Windows audit policy defines what types of events are written in the Security logs of your Windows servers. Monitoring the creation and modification of objects helps you spot potential security problems, ensure user accountability, and provide evidence in the event of a security breach.
- Configure NTFS permissions — The main advantage of NTFS permissions is that they are evaluated against the identity each user receives at Windows logon, so the same access rules apply regardless of where the user is connecting from. (Find out more about NTFS permissions best practices here.)
- Use user behavior analysis (UBA) — Legacy defense strategies are typically focused on the perimeter, so they cannot identify insider threats or attacks in progress within the network. UBA delivers visibility into user activity across critical IT systems so you can spot these security issues. (See how Behavior Anomaly Discovery offered by Netwrix Auditor can help you improve detection of malicious insiders and compromised accounts.)
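As an added example (not code from the original article or from Netwrix), the following PowerShell script supports the first and sixth practices above: it enumerates the effective membership of privileged AD groups, and it flags NTFS entries on a folder that were granted to individual users rather than groups. It assumes the RSAT ActiveDirectory module on a domain-joined host; the group list and the `\\FILESRV01\Finance` path are placeholders.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module on a domain-joined host; group and folder names below are placeholders.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    # Built-in groups that grant broad rights; add your own delegated admin groups.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                'Administrators', 'Account Operators', 'Backup Operators'))
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, which is where surprise members usually hide.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
            ForEach-Object {
                [pscustomobject]@{
                    Group           = $group
                    Account         = $_.SamAccountName
                    Enabled         = $_.Enabled
                    LastLogonDate   = $_.LastLogonDate
                    PasswordLastSet = $_.PasswordLastSet
                }
            }
    }
}

function Find-DirectUserAce {
    # Lists ACEs on a folder that are granted to individual user accounts instead of
    # groups; such entries bypass group-based access control and are easy to lose track of.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # "CORP\jdoe" -> "jdoe"; well-known principals such as BUILTIN\Administrators
        # resolve to groups and are therefore skipped.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if ($obj -and $obj.ObjectClass -eq 'user') {
            [pscustomobject]@{
                Path      = $Path
                User      = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder path): review who is effectively privileged, then hunt for
# per-user NTFS grants on a sensitive share.
Get-PrivilegedGroupReport | Sort-Object Group, Account | Format-Table -AutoSize
Find-DirectUserAce -Path '\\FILESRV01\Finance' | Format-Table -AutoSize
```

Disabled accounts and accounts whose `LastLogonDate` is months old but which still sit in Domain Admins are the usual findings; a per-user NTFS grant is a sign that someone bypassed the group model and should be replaced with a group membership.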
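The Delegation of Control Wizard mentioned in the second practice writes an ACE on the OU; the same delegation can be scripted, which makes it reviewable and repeatable. The following added example (my code, not the article’s or Netwrix’s) grants a help-desk group the “Reset Password” control-access right on user objects under one OU, without putting that group in Account Operators, and then lists the explicit ACEs on the OU for review. It assumes the RSAT ActiveDirectory module; the OU distinguished name and group name in the usage lines are placeholders.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module; the OU and group names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $rootDse = Get-ADRootDSE

    # Resolve the control-access right and the object class from the forest's own
    # schema instead of hard-coding GUIDs.
    $resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid
    $userClass  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID

    $groupSid = (Get-ADGroup -Identity $GroupName).SID

    # Allow the "Reset Password" extended right, inherited only by user objects under the OU.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$resetRight.rightsGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        [guid]$userClass.schemaIDGUID)

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-OuDelegations {
    # Show explicit (non-inherited) ACEs on an OU so delegations can be reviewed.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Usage (placeholders): let the help desk reset passwords in one OU without adding
# them to Account Operators, then review what was granted.
Grant-PasswordResetDelegation -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupName 'Helpdesk-PasswordReset'
Get-OuDelegations -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' | Format-Table -AutoSize
```

Scoping the ACE to `Descendents` of class `user` is what keeps this a least-privilege delegation: the group cannot reset passwords on computers or on accounts outside the OU, and a periodic run of `Get-OuDelegations` shows whether anything broader has crept in.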
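The third and fourth practices (a separate, stricter password policy for a set of users, plus account lockout) map to a fine-grained password policy in AD. The added example below (not from the original article) creates one policy object for a group of admin accounts, then compares the domain default with the policy that actually applies to a given account, so the stricter policy is confirmed rather than assumed. It assumes the RSAT ActiveDirectory module and a domain functional level that supports fine-grained password policies; the PSO name, the `Tier0-Admins` group and the `adm-jdoe` account are placeholders, and the numeric settings are illustrative.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module; PSO name, group and account names are placeholders, settings are illustrative.
Import-Module ActiveDirectory

function New-PrivilegedAccountPso {
    param(
        [string]$Name    = 'PSO-PrivilegedAccounts',
        [string]$Subject = 'Tier0-Admins'   # global security group holding admin accounts
    )
    # Lower precedence wins when several PSOs apply to the same user.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '30.00:00:00' `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ProtectedFromAccidentalDeletion $true
    # PSOs apply to users and global security groups, not to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subject
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Compare-PasswordPolicy {
    # Show the domain default next to what really applies to one account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $default   = Get-ADDefaultDomainPasswordPolicy
    # Returns $null when no PSO applies, i.e. the default domain policy is in effect.
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    foreach ($p in 'MinPasswordLength', 'MaxPasswordAge', 'PasswordHistoryCount',
                   'LockoutThreshold', 'LockoutObservationWindow', 'LockoutDuration') {
        $effective = $default.$p
        if ($resultant) { $effective = $resultant.$p }
        [pscustomobject]@{ Setting = $p; Default = $default.$p; Effective = $effective }
    }
}

New-PrivilegedAccountPso
Compare-PasswordPolicy -SamAccountName 'adm-jdoe' | Format-Table -AutoSize
```

Because lockout is tuned per PSO as well, admin accounts can get a low threshold and a long lockout duration without imposing the same friction on ordinary users.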
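The fifth practice, auditing, is what lets you answer the two accountability questions posed earlier, including the shared-Administrator-password scenario. The following added example (my code, not the article’s or Netwrix’s) turns on the audit subcategories that record privileged-group changes and logons, then reads the resulting Security events: who added whom to which group, and from which address and workstation a given account logged on. It is meant to be run elevated; group-change events are written on domain controllers, logon events on the system being accessed. The seven-day window and the `Administrator` account in the usage lines are placeholders.

```powershell
# Added example, not from the original article. Enables the audit subcategories that
# cover privileged-group changes and logons, then reads the resulting Security events.
# Run elevated on the domain controller (group changes) or the accessed server (logons).

function Enable-PrivilegedAccountAuditing {
    # Subcategory names are the ones auditpol.exe uses on English systems.
    foreach ($sub in 'Security Group Management', 'User Account Management',
                     'Special Logon', 'Logon') {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        auditpol.exe /get /subcategory:"$sub"
    }
}

function ConvertFrom-EventData {
    # Flatten the <EventData> section of a Security event into a hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-PrivilegedGroupChanges {
    # 4728 / 4732 / 4756: member added to a global / local / universal security group.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Group  = $d['TargetUserName']
                Member = $d['MemberName']
                Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
}

function Get-AccountLogons {
    # 4624 logons for one account with their origin: this is what identifies the
    # person behind a shared admin password, provided each person has their own workstation.
    param([Parameter(Mandatory)][string]$Account, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['TargetUserName'] -eq $Account) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    LogonType   = $d['LogonType']
                    Source      = $d['IpAddress']
                    Workstation = $d['WorkstationName']
                    AuthPackage = $d['AuthenticationPackageName']
                }
            }
        }
}

# Usage (placeholders): enable auditing once, then review changes to privileged groups
# and the logon history of a shared account.
Enable-PrivilegedAccountAuditing
Get-PrivilegedGroupChanges | Where-Object { $_.Group -in 'Domain Admins', 'Administrators' } | Format-Table -AutoSize
Get-AccountLogons -Account 'Administrator' | Sort-Object Time | Format-Table -AutoSize
```

A logon from a source address that does not belong to any of the ten people who know the password is the case the article warns about: the account, not the person, is what you can see, which is why shared privileged passwords should be eliminated or vaulted rather than merely audited.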
What else can you do?
Third-party solutions can help you implement the controls and policies you need to improve security for privileged accounts. In particular, account management security solutions can help you accurately provision and de-provision privileged accounts, and password vaults can store privileged credentials securely. Are you ready to take a step further? Here are efficient best practices you can follow to take control over privileged users across your IT environment.
Learn more about how privileged accounts can turn into a threat in Privilege Abuse: Threat Alert