In the world of access management, privileged accounts are the treasure chest that holds the keys to the most sensitive, most restricted areas of an organization’s environment. Although organizations work hard to implement the appropriate security measures, malicious actors are constantly rooting through user accounts and credentials seeking to obtain the golden ticket that will grant them unauthorized access to sensitive data.
Organizations know that they need to protect these privileged accounts and their access. However, in complex environments, they often struggle to identify these accounts in the first place, which ultimately undermines their ability to secure them properly. Even more challenging, organizations need to provide the most precise level of access for these accounts. Privileged accounts may have nearly unfettered access, but that access should remain within a defined boundary to mitigate risk.
Privileged accounts with excess permissions pose unique risks. These accounts need more access than a standard account to be effective, but they still need limits to reduce the impact if attackers compromise them.
6 Problems with Privileged Accounts That Have Excess Permissions
The first step to improving security at the identity perimeter is to know which accounts may have more access than they technically need.
Domain Admin with Local Access Everywhere
To complete routine administrative tasks, domain admins typically have, and need, full control across systems, including file servers, user workstations, and backups. That reach expands the organization's attack surface: if one of these accounts is compromised, the attacker gains total control over the environment, enabling privilege escalation, persistence, and lateral movement.
Problematically, this access is legitimate, so distinguishing necessary from excessive use is challenging without deep privilege auditing.
Service Accounts Running with Domain Admin Rights
Out of convenience, service accounts that run background tasks or scheduled jobs sometimes hold Domain Admin rights. Since these accounts often have static passwords that are rarely, if ever, rotated, a single set of compromised credentials can hand an attacker full domain control.
Problematically, tracking the access these accounts actually need requires understanding and documenting their job functions and how they interact with systems.
Backup Operator Account That Can Also Modify System Files
Backup operators help organizations restore files, including system executables. However, since they can read, modify, or overwrite these files, they effectively bypass access controls. (On Windows, the Backup Operators group carries the SeBackupPrivilege and SeRestorePrivilege user rights, which bypass file ACLs by design.) Attackers compromise these accounts to plant malicious code, escalate privileges, or steal sensitive information.
Problematically, organizations often overlook these accounts in access reviews because backup is seen as a passive, protective function.
Helpdesk Account with Full Local Admin Rights
Organizations grant helpdesk staff local administrative privileges across all endpoints to make troubleshooting easier, but they rarely rotate the passwords of those accounts. Attackers can use a compromised helpdesk account to install malware or extract credentials from a device's memory on any endpoint where it holds admin rights.
Problematically, organizations struggle to recognize these accounts as over-permissioned because their rights are spread across many machines and appear harmless when viewed on a per-user or per-machine basis.
Executive or VIP User with Admin Access
Executives often want full access available should they need it, yet they rarely use it. Since auditing senior leadership is awkward, organizations may never limit that access, creating a high-value, low-scrutiny target for attackers.
Problematically, this creates blind spots in privilege reviews.
Developer Accounts with Production Admin Rights
Developers often have admin rights in live production environments so they can quickly deploy code or fix issues. While this streamlines workflows, it increases the chance of accidental or malicious changes, since it bypasses separation of duties and change control processes.
Problematically, developers are legitimate users, which makes unauthorized changes difficult to track; the problem is compounded by overlapping roles between development and production environments.
Best Practices for Managing Privileged Access
Protecting these privileged accounts and mitigating the risks they pose is a complex and daunting challenge. By following these best practices, organizations can improve security and reduce risk.
Discover All Privileged Accounts
Organizations can't protect what they don't know they have. Because privileged access is scattered across domain groups, local administrator groups, and service accounts, organizations need an accurate inventory of all accounts so they can single out the most privileged ones and pinpoint risk.
Map Relationships
After identifying these accounts, organizations need to understand the relationships between identities and the systems they access. By mapping these relationships, organizations can identify clear access paths and gain visibility into who can access what resource.
Classify Accounts
Classifying accounts by type (human administrator, service account, helpdesk, executive, developer) lets organizations define controls appropriate to each. The resulting visibility into risk supports reporting and lets teams prioritize remediation of policy violations and security issues.
Assign Owners
Every account should have a human owner to ensure appropriate management, including someone responsible for service accounts. By assigning and confirming ownership, organizations can reduce the time that security personnel spend looking for the person who can approve changes.
Automate Remediation
With the background work completed, organizations can implement workflows and leverage automation for flexible, scalable processes. These workflows streamline tasks to reduce manual processes and staff involvement, freeing people up to focus on strategic activities.
Continuous Monitoring
To identify and mitigate new security risks, organizations should continuously monitor the flow of new privileged accounts. Additionally, they should track the remediation progress of their existing control violations.
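The six patterns above and the discover, map, classify, assign-owner and remediate steps can be turned into one repeatable check. The following Python is an added example written for this page, not SPHERE's product or code. It runs over a constructed directory export (hypothetical group and account names embedded inline) in place of a live AD query; the 90-day password-age threshold, the `svc-` naming convention, and the choice of Tier-0 groups are assumptions.

```python
from datetime import date

# Constructed directory export (hypothetical account and group names, not real data).
# In a real run these two dicts would be filled from an AD/LDAP export, e.g. the
# output of Get-ADGroupMember and Get-ADUser -Properties servicePrincipalName,
# pwdLastSet, managedBy; the logic below stays the same.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumed Tier-0 set
MAX_PASSWORD_AGE_DAYS = 90                               # assumed rotation policy

GROUP_MEMBERS = {
    "Domain Admins": ["alice.admin", "svc-backup-job", "Infra Ops"],  # Infra Ops is a nested group
    "Enterprise Admins": ["alice.admin"],
    "Infra Ops": ["bob.ops", "svc-sql-agent"],
    "Backup Operators": ["backup-svc"],
    "Helpdesk": ["helpdesk-t1"],                                      # not a privileged group
}

ACCOUNTS = {
    "alice.admin":    {"spn": False, "pwd_last_set": date(2025, 5, 2),  "owner": "alice"},
    "bob.ops":        {"spn": False, "pwd_last_set": date(2025, 4, 20), "owner": "bob"},
    "helpdesk-t1":    {"spn": False, "pwd_last_set": date(2022, 1, 15), "owner": None},
    "svc-backup-job": {"spn": True,  "pwd_last_set": date(2019, 7, 1),  "owner": None},
    "svc-sql-agent":  {"spn": True,  "pwd_last_set": date(2024, 11, 3), "owner": "dba-team"},
    "backup-svc":     {"spn": True,  "pwd_last_set": date(2023, 2, 9),  "owner": "backup-team"},
}


def expand_group(group, members=GROUP_MEMBERS, path=()):
    """Return {account: path} for every account reachable from `group`, following
    nested groups. `path` is the chain of groups walked, which is what makes a
    membership explainable (who can reach what, and through which group).
    A group already on the current path is a nesting cycle and is not re-entered."""
    if group in path:
        return {}
    path = path + (group,)
    reached = {}
    for member in members.get(group, []):
        if member in members:  # nested group: recurse
            for account, p in expand_group(member, members, path).items():
                reached.setdefault(account, p)
        else:
            reached.setdefault(member, path + (member,))
    return reached


def discover(privileged=PRIVILEGED_GROUPS, members=GROUP_MEMBERS):
    """Discover and map: {account: {privileged group: membership path}}."""
    inventory = {}
    for group in sorted(privileged):
        for account, path in expand_group(group, members).items():
            inventory.setdefault(account, {})[group] = " > ".join(path)
    return inventory


def classify(name, record):
    """Classify: a servicePrincipalName or an svc naming convention marks a service account."""
    if record["spn"] or name.startswith("svc-") or name.endswith("-svc"):
        return "service"
    return "user"


def review(inventory, accounts=ACCOUNTS, today=date(2025, 6, 1)):
    """Flag the excess-permission patterns from the article. Each finding is
    (account, code, detail) so it can feed a ticketing or remediation workflow."""
    findings = []
    for account, groups in sorted(inventory.items()):
        record = accounts[account]
        kind = classify(account, record)
        for group, path in groups.items():
            if path.count(" > ") > 1:  # reached only through an intermediate group
                findings.append((account, "NESTED_MEMBERSHIP", f"{group} via {path}"))
        tier0 = sorted(groups.keys() & TIER0_GROUPS)
        if kind == "service" and tier0:
            findings.append((account, "SERVICE_IN_TIER0", ", ".join(tier0)))
        age = (today - record["pwd_last_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((account, "STALE_PASSWORD", f"{age} days old"))
        if record["owner"] is None:
            findings.append((account, "NO_OWNER", "assign an accountable owner"))
    return findings


if __name__ == "__main__":
    inv = discover()
    for account, groups in sorted(inv.items()):
        print(account, classify(account, ACCOUNTS[account]), groups)
    for finding in review(inv):
        print("FINDING", *finding)
```

Two design points matter in practice. First, `expand_group` records the membership path rather than just the flattened set, because the path is the relationship the "Map Relationships" step asks for: `bob.ops` and `svc-sql-agent` never appear in Domain Admins directly and would be missed by a per-group review. Second, findings carry a stable code and an account, which is what an automated remediation workflow needs as its input; the helpdesk account, which lives in no privileged AD group, shows the limit of a group-based inventory, since local administrator membership on endpoints has to be collected separately.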
The Most Important Security Treasure Hunt
Discovering privileged accounts is like going on a treasure hunt, one that can define an organization’s security posture. Following the trail of log clues can help security teams discover these accounts, but mapping their relationships to services and resources often requires additional help.
With visibility into who has access to what resources, organizations can begin to establish accountability, enabling remediation efforts and reducing risk. By replacing manual processes with automation, they can more efficiently and effectively remove high-risk access before it leads to a data breach.
About the Author:
Rita Gurevich is the CEO and founder of SPHERE, a leading identity hygiene company redefining how organizations identify and remediate critical identity-related issues. Rita began her career at Lehman Brothers where she oversaw the distribution of technology assets after the organization’s bankruptcy in 2008. From this experience, Rita observed firsthand the challenges surrounding maintaining strong inventories, the implications of mismanaged access and quickly realized the need for swift and agile solutions to find and fix these types of problems.