Privileged accounts exist in many forms across an enterprise environment, and they pose significant security risks if not protected, managed and monitored. The types of privileged accounts typically found across an enterprise environment include:
- Local Administrative Accounts are non-personal accounts which provide administrative access to the local host or instance only. Local admin accounts are routinely used by the IT staff to perform maintenance on workstations, servers, network devices, databases, mainframes etc. Often, they have the same password across an entire platform or organization for ease of use. This shared password across thousands of hosts makes for a soft target that advanced threats routinely exploit.
- Privileged User Accounts are named credentials which have been granted administrative privileges on one or more systems. This is typically one of the most common forms of privileged account access granted on an enterprise network, allowing users to have administrative rights on, for example, their local desktops or across the systems they manage. Often these accounts have unique and complex passwords, and the power they wield across managed systems makes it necessary to continuously monitor their use.
- Domain Administrative Accounts have privileged administrative access across all workstations and servers within the domain. While these accounts are few in number, they provide the most extensive and robust access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative group within the domain, a compromise of these credentials is often a worst-case scenario for any organization.
- Emergency Accounts provide unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as ‘firecall’ or ‘breakglass’ accounts. While access to these accounts typically requires managerial approval for security reasons, it is usually a manual process that is inefficient and lacks any auditability.
- Service Accounts can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges, depending on the requirements of the application they are used for. Local service accounts can interact with a variety of Windows components, which makes coordinating password changes difficult. Active Directory or domain service account password changes can be even more challenging, as they require coordination across multiple systems. This challenge often leads to the common practice of rarely changing service account passwords, which represents a significant risk across an enterprise.
- Application Accounts are accounts used by applications to access databases, run batch jobs or scripts, or provide access to other applications. These privileged accounts usually have broad access to underlying company information that resides in applications and databases. Passwords for these accounts are often embedded and stored in unencrypted text files, a vulnerability that is replicated across multiple servers to provide greater fault tolerance for applications. This vulnerability represents a significant risk to an organization because the applications often host the exact data that APTs are targeting.
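An added example (not part of the original article) of the kind of inventory audit that surfaces three of the risks named above: a local administrator password shared across many hosts, a service account whose password has not been changed in over a year, and a service account holding domain administrator rights. The inventory records, the password fingerprints and the one-year threshold are constructed assumptions, not data from any real environment.

```python
"""Audit a privileged-account inventory for the risks described above."""
from datetime import date

# Constructed sample inventory (not real data). Each record carries the account
# name, its type in the taxonomy above, the host (or DOMAIN for domain accounts),
# the date the password was last set, group membership, and a short fingerprint
# of the password (e.g. a hash-digest prefix) used only to detect reuse.
INVENTORY = [
    {"name": "Administrator", "type": "local_admin", "host": "WS-001",
     "pwd_set": date(2023, 1, 10), "groups": [], "pwd_fp": "a1b2"},
    {"name": "Administrator", "type": "local_admin", "host": "WS-002",
     "pwd_set": date(2023, 1, 10), "groups": [], "pwd_fp": "a1b2"},
    {"name": "Administrator", "type": "local_admin", "host": "SRV-DB1",
     "pwd_set": date(2024, 6, 1), "groups": [], "pwd_fp": "c3d4"},
    {"name": "svc_backup", "type": "service", "host": "DOMAIN",
     "pwd_set": date(2019, 3, 5), "groups": ["Domain Admins"], "pwd_fp": "e5f6"},
    {"name": "svc_web", "type": "service", "host": "DOMAIN",
     "pwd_set": date(2024, 11, 20), "groups": [], "pwd_fp": "0708"},
    {"name": "jdoe_adm", "type": "privileged_user", "host": "DOMAIN",
     "pwd_set": date(2024, 10, 1), "groups": ["Domain Admins"], "pwd_fp": "090a"},
]


def audit(records, today, max_service_age_days=365):
    """Return a list of findings; each finding is a tuple starting with its kind."""
    findings = []

    # Risk 1: the same local administrator password on more than one host.
    hosts_by_fingerprint = {}
    for r in records:
        if r["type"] == "local_admin":
            hosts_by_fingerprint.setdefault(r["pwd_fp"], []).append(r["host"])
    for hosts in hosts_by_fingerprint.values():
        if len(hosts) > 1:
            findings.append(("shared_local_admin_password", sorted(hosts)))

    for r in records:
        if r["type"] != "service":
            continue
        # Risk 2: service account password not rotated within the threshold.
        age_days = (today - r["pwd_set"]).days
        if age_days > max_service_age_days:
            findings.append(("stale_service_password", r["name"], age_days))
        # Risk 3: service account that is also a domain administrator.
        if "Domain Admins" in r["groups"]:
            findings.append(("service_account_is_domain_admin", r["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2025, 1, 1)):
        print(finding)
```

Feeding real data into `audit` means exporting the same fields from your directory and endpoint management tooling; the fingerprint must never be the password itself.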
At the Institute of Forensics and ICT Security, we offer privileged access assessments and advise on how to manage IAM (identity and access management) within enterprises. We know that poorly managed access and a lack of visibility into the identities on a network are a major security problem in most corporations.