If privileged accounts are ostensibly the most protected accounts we have, why do they feature in breach after breach, year after year, right up to the recent Snowflake/Ticketmaster et al. incident?
The answer is twofold:
- Privileged accounts are heavily targeted by attackers, for obvious reasons
- Many organizations lack the discipline required to follow best practice
When you treat privileged accounts like ordinary accounts, you can expect bad results. Case in point: the privileged Snowflake accounts reportedly used by a third-party contractor were protected by nothing more than single-factor passwords. And, unsurprisingly given what we know of human behavior, those passwords were reportedly stored in places like Jira and reused by the same person on unrelated accounts.
So, in this next installment of “Assessing the Security of Your Active Directory”, I’ll be focusing on privileged accounts. As always, my goal is not just to help you look good on your next audit (which is undeniably important ;-) but to help you genuinely improve your controls over privileged accounts and truly reduce risk.
In this session I will focus on human privileged accounts; service, application and other non-human privileged accounts deserve a session of their own. The two really do need to be treated differently: the way they are used differs, and so do the risks and the controls that fit them.
First, I’ll look at how to identify privileged accounts, which, as you’ll see, requires more than simply enumerating the Administrators group. We will also look at the other, more indirect, routes to privileged authority: permissions on AD objects and Windows system rights (user rights assignments) on the systems that matter, such as domain controllers.
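As an added example (not from the webinar and not Netwrix code), here is a PowerShell pass over all three routes named above: nested group membership, permissions on Tier-0 AD objects, and user rights on a domain controller. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to AD, and, for the third part, that it is run elevated on a domain controller; the group list, the watched user rights and the “expected” Tier-0 principals are assumptions you should adjust to your forest.

```powershell
# Added example (not from the webinar, not Netwrix code): enumerate human privileged accounts
# by all three routes. Assumes the RSAT ActiveDirectory module, a domain-joined session with
# read access to AD, and, for part 3, that it runs elevated on a domain controller.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Nested membership of the well-known privileged groups. Enterprise Admins and Schema Admins
#    exist only in the forest root domain, so lookups that fail are silently skipped.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$viaGroups = foreach ($g in $privGroups) {
  Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { [pscustomobject]@{ Principal = $_.SamAccountName; Route = "member of $g" } }
}
# Cross-check: SDProp stamps adminCount=1 on protected accounts and never clears it, so an
# account with adminCount=1 that is in none of the groups above was privileged once and
# may still carry leftover rights or a still-protected ACL (krbtgt is expected and skipped).
$stale = Get-ADUser -LDAPFilter '(adminCount=1)' |
  Where-Object { $_.SamAccountName -ne 'krbtgt' -and $_.SamAccountName -notin @($viaGroups.Principal) } |
  ForEach-Object { [pscustomobject]@{ Principal = $_.SamAccountName; Route = 'adminCount=1, not in a privileged group (review)' } }

# 2. Permissions on Tier-0 AD objects that confer control regardless of group membership.
#    Any principal outside the default set holding GenericAll/GenericWrite/WriteDacl/WriteOwner,
#    WriteProperty on all properties, all extended rights, or the two replication extended
#    rights (DCSync) on these objects is effectively a domain admin.
$targets = $domain.DistinguishedName,
           "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",
           (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$replRights = @{ '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
                 '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All' }
# Default Tier-0 principals (assumes a single-domain forest; in a child domain the Enterprise
# Admins reference carries the root domain's NetBIOS name). Everything else is listed for review.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins"
$viaAcl = foreach ($dn in $targets) {
  foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
    if ($ace.AccessControlType -ne 'Allow' -or $expected -contains $ace.IdentityReference.Value) { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    $allObj = $ace.ObjectType -eq [guid]::Empty   # empty GUID = applies to all properties / all extended rights
    $why = $null
    if ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') { $why = $rights }
    elseif ($rights -match 'WriteProperty' -and $allObj) { $why = 'WriteProperty (all properties)' }
    elseif ($rights -match 'ExtendedRight' -and ($allObj -or $replRights.ContainsKey("$($ace.ObjectType)"))) {
      $why = if ($allObj) { 'all extended rights' } else { $replRights["$($ace.ObjectType)"] }
    }
    if ($why) { [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Route = "$why on $dn" } }
  }
}

# 3. Windows user rights on the DC itself. Anyone holding these can take over the DC (and so
#    the domain) without belonging to any admin group. Run on each DC, or via Invoke-Command.
$watch = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
         'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeEnableDelegationPrivilege',
         'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$viaRights = foreach ($line in (Get-Content $inf)) {
  if ($line -notmatch '^(Se\w+)\s*=\s*(.+)$' -or $watch -notcontains $Matches[1]) { continue }
  $right = $Matches[1]
  foreach ($entry in ($Matches[2] -split ',')) {
    $entry = $entry.Trim()
    # secedit writes resolved accounts as *SID; translate back to a name, keep the SID if that fails
    $name = if ($entry.StartsWith('*')) {
      try { ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
      catch { $entry.Substring(1) }
    } else { $entry }
    [pscustomobject]@{ Principal = $name; Route = "$right on $env:COMPUTERNAME" }
  }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# One consolidated review list: each row is a principal and the route that makes it privileged.
@($viaGroups) + @($stale) + @($viaAcl) + @($viaRights) |
  Sort-Object Principal, Route -Unique | Format-Table -AutoSize
```

The ACL and user-rights rows can name groups as well as users; expand any group that appears there the same way part 1 does, because a group granted DCSync rights on the domain root makes every member a domain admin in all but name.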
Next, we’ll explore how to use the Windows Security Log to identify the client systems from which privileged account logons originate. Restricting privileged account use to endpoints of the same security tier is critical; there simply are no effective compensating controls. An admin account is only as safe as the endpoint where the human user types the password. Returning to the Snowflake incident, it appears some of the contractor’s employees were working from personal computers on which infostealer malware was, unsurprisingly, present.
Then I’ll show you how to implement security tiers for accounts, servers and endpoints, so that you can detect, or better yet enforce, that privileged accounts are never exposed to the risks of a less secure tier.
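The detective side of both points above, as an added example that is not part of the webinar or of any product: read 4624 (successful logon) events, keep only the ones for privileged accounts, work out the source endpoint from the event, and flag any logon whose source is not a Tier-0 machine. The privileged account list, the hostname/IP-to-tier map and the sample events are all constructed for illustration; in practice the first two come from your own inventory (the group/ACL enumeration above feeds the first) and the events from your DCs and Tier-0 servers.

```powershell
# Added example (not from the webinar, not Netwrix code): find where privileged accounts are
# logging on from and flag logons that originate below Tier 0. All inputs below are assumed.

# Privileged accounts, lower-cased SamAccountNames (assumption: output of your enumeration).
$privileged = @('jsmith-adm', 'da-backup') | ForEach-Object { $_.ToLower() }

# Endpoint tier map (assumption): Tier 0 = DCs and PAWs, Tier 1 = servers, Tier 2 = user
# workstations. Keyed by both hostname and IP because 4624 may carry either.
$tierOf = @{
  'DC01'     = 0; '10.0.0.10' = 0
  'PAW01'    = 0; '10.0.0.11' = 0
  'APP01'    = 1; '10.0.1.20' = 1
  'LAPTOP-7' = 2; '10.1.2.3'  = 2
}

function Get-EventDataMap {
  # Flatten one Security event (XML text, as returned by EventLogRecord.ToXml()) into a hashtable.
  param([Parameter(Mandatory)][string]$EventXml)
  $x = [xml]$EventXml
  $map = @{ Computer = $x.Event.System.Computer; Time = $x.Event.System.TimeCreated.SystemTime }
  foreach ($d in $x.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
  $map
}

function Test-PrivilegedLogon {
  # For each 4624 event: skip machine and non-privileged accounts, resolve the source endpoint,
  # look up its tier and report OK / VIOLATION. Unknown endpoints are treated as a violation.
  param([Parameter(Mandatory)][string[]]$EventXml)
  foreach ($e in $EventXml) {
    $d = Get-EventDataMap $e
    $acct = $d['TargetUserName'].ToLower()
    if ($acct.EndsWith('$') -or $privileged -notcontains $acct) { continue }
    # WorkstationName is frequently blank for Kerberos network logons (type 3); fall back to the
    # client IP. (On DCs, 4768/4769 also record the client IP of ticket requests.)
    $src  = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['IpAddress'] }
    $tier = if ($tierOf.ContainsKey($src)) { $tierOf[$src] } else { 'unknown' }
    $verdict = if ($tier -eq 0) { 'OK' } else { 'VIOLATION: privileged logon from non-Tier-0 endpoint' }
    [pscustomobject]@{
      Time       = $d['Time']
      Target     = $d['Computer']
      Account    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
      LogonType  = $d['LogonType']   # 2/10/11 = interactive, RDP, cached: password typed at the source
      Source     = $src
      SourceTier = $tier
      Verdict    = $verdict
    }
  }
}

function New-SampleLogonXml {
  # Constructed sample event, not a real log: a minimal 4624 with only the fields the check uses.
  param($Computer, $User, $Domain, $Type, $Workstation, $Ip, $Time)
  @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">$Type</Data><Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: one clean PAW logon, one DA network logon from a user laptop, one DA
# console logon on a Tier-1 server, one ordinary user, one machine account.
$sample = @(
  (New-SampleLogonXml -Computer 'DC01'  -User 'jsmith-adm' -Domain 'CORP' -Type 10 -Workstation 'PAW01' -Ip '10.0.0.11' -Time '2024-06-01T08:00:00Z'),
  (New-SampleLogonXml -Computer 'DC01'  -User 'jsmith-adm' -Domain 'CORP' -Type 3  -Workstation ''      -Ip '10.1.2.3'  -Time '2024-06-01T08:05:00Z'),
  (New-SampleLogonXml -Computer 'APP01' -User 'da-backup'  -Domain 'CORP' -Type 2  -Workstation 'APP01' -Ip '127.0.0.1' -Time '2024-06-01T08:10:00Z'),
  (New-SampleLogonXml -Computer 'DC01'  -User 'bob'        -Domain 'CORP' -Type 3  -Workstation 'LAPTOP-7' -Ip '10.1.2.3' -Time '2024-06-01T08:11:00Z'),
  (New-SampleLogonXml -Computer 'DC01'  -User 'DC01$'      -Domain 'CORP' -Type 3  -Workstation 'DC01' -Ip '10.0.0.10' -Time '2024-06-01T08:12:00Z')
)
Test-PrivilegedLogon $sample | Format-Table -AutoSize
# Expected: the PAW01 logon is OK; the laptop (Tier 2) and APP01 console (Tier 1) logons are
# VIOLATIONs; bob and DC01$ are not reported.

# Live use: collect 4624 from each DC (and other Tier-0 hosts) and feed the XML in.
# $live = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#           ForEach-Object { $_.ToXml() }
# Test-PrivilegedLogon $live | Where-Object Verdict -ne 'OK'
```

Detection tells you after the fact; enforcement is what keeps the password off the Tier-2 laptop in the first place. The usual mechanism is Group Policy user rights on Tier-1 and Tier-2 computers (“Deny log on locally”, “Deny log on through Remote Desktop Services”, “Deny access to this computer from the network”, “Deny log on as a batch job/service”) assigned to the Tier-0 admin groups, optionally backed by Authentication Policy Silos that restrict where Tier-0 accounts can obtain tickets. The report above then becomes a check that the policy actually holds, rather than your only line of defense.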
Finally, we’ll finish up by considering other important risks and controls specific to privileged accounts in Active Directory.
This session’s sponsor, Netwrix, is perfect for this topic because Netwrix Auditor has powerful capabilities for finding the information we require for this project, implementing the detective controls we discuss and providing the assurance needed in order to demonstrate compliance. Jennifer Taufan, Solutions Engineer at Netwrix, will show you how to use Netwrix Auditor to:
- Report on privileged accounts in Active Directory, including object permissions
- Monitor logons of your users and alert you to suspicious activity
- Generate audit trails and reports for privileged activities
- Prepare for audits and prove compliance
Please join us for this real training for free session.