What are privileged accounts?
Privileged accounts and privileged access are at the heart of every business today. They ensure that the IT team can administer and manage the organization’s systems, infrastructure, and software, and they enable employees to access the data that enables them to make critical business decisions.
Not only are most businesses dependent on privileged accounts, but these are also the accounts cybercriminals are most likely to target, because they allow attackers to move easily around the network, reaching critical systems and sensitive data while remaining undetected and covering their tracks.
Privileged accounts provide the ability to make system and software configuration changes, perform administrative tasks, create and modify user accounts, install software, back up data, apply security updates and patches, enable interactive logins, and of course access privileged data. All these activities are crucial to keeping systems and software running so the business can function.
Don’t assume that privileged accounts are directly aligned to employees’ jobs
Privileged accounts are typically tied to employee roles within the business, but they are sometimes mapped to user accounts independent of any role, so don't assume that privileged accounts line up neatly with employees' jobs. Privileged accounts are used by many different entities: IT administrators, security teams, help desk staff, third-party contractors, application owners, database administrators, operating systems, and service accounts, to name a few.
Privileged accounts are also found throughout the organization's infrastructure regardless of physical location: on-premises, in the cloud, and in the credentials used to reach SaaS applications. Common places to find them are default credentials on servers, endpoints, and operating systems, and they also turn up in virtual environments, software, cloud environments, databases, service accounts, and most applications. These are just a few examples, but they show that privileged accounts exist practically everywhere in an organization; it is common for an organization to discover that it has up to five times as many privileged accounts as it has systems.
Chances are you have privileged accounts you're not aware of, and a discovery scan of the environment is how you find them.
Many organizations are struggling with cyber fatigue, a state of being overwhelmed by cybersecurity responsibilities, as a result of the sheer volume of passwords and credentials that employees must maintain and remember. This is a serious issue across the business and affects not just the IT team but the security team and every employee who needs to access multiple systems and applications. One thing is clear: humans are not good at choosing strong passwords. Passwords must be moved into the background with solutions such as password managers or Privileged Access Management (PAM) software, which automate many of the security controls that protect privileged credentials.
Failure to keep privileged access security up to date has resulted in financial loss for many organizations
In addition to cyber fatigue, businesses face the challenge of keeping privileged access up to date, especially when employees change roles or leave the organization. Failure to do so has led to financial loss at multiple organizations when stale privileged accounts were subsequently compromised and abused. Service accounts present a further challenge, as they have historically been configured with a static password that never expires and never gets changed.
It is imperative that all types of privileged accounts are managed, protected, and secured. So which accounts count as privileged? Below are the '7 Deadly Privileged Accounts' that every organization must discover, manage, and secure to reduce its business security risk.
Domain Admin accounts
I think of this type of privileged account as the "god" account, the account that can do almost everything. Members of the Domain Admins group have full access to and control of the AD domain. By default, the group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain, and the domain's built-in Administrator account is a member of it. Because the group has full control of the domain, add users to it only with extreme caution, full audit, and approval. [1]
These accounts should be restricted as much as possible: access must be granted strictly on an on-demand basis and for a limited time, with additional security controls in place to prevent unauthorized use, and all activity should be fully audited and monitored.
Domain service accounts
These accounts tie multiple systems and applications together so they can communicate and reach the resources they need, usually to run reports, access databases, or call APIs. They tend to be problematic, especially when the password is changed: in almost all cases this breaks the dependent application(s) until the new credential has been updated everywhere it is stored across the environment. These challenging and scary moments lead most organizations either to adopt a "do not touch that password" policy for these accounts or to write detailed procedures for handling them. They are typically used for backup solutions, analytics platforms, software deployment, and applying security patches.
Local administrator accounts
Sometimes called the forgotten privileged account: local administrator rights are the ones many organizations simply hand to all employees, and the ones every cybercriminal targets to get a foot in the door, from which they can discover and size up the organization's security and defenses. This is the main reason employees end up over-privileged. The following description, quoted from Microsoft's documentation, applies to every Windows system:
“The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.
For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users and assign user rights and access control permissions. The Administrator account can also be used to take control of local resources at any time simply by changing the user rights and permissions.
The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.”[2]
Emergency accounts
These accounts are typically disabled by default until a critical incident occurs and certain users need privileged access to restore systems and services, or to respond to a cyber incident. They are used only in emergency scenarios, usually known as "break the glass", when normal access paths are not available. During a cyber incident, for example, these emergency accounts are used to reach systems to conduct digital forensics without contaminating the log evidence with activity from accounts that may themselves be compromised, and to disable or contain compromised accounts so they cannot be abused further. Because they are expected to be dormant, any enable or logon event for one of them should raise an alert.
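The monitoring called for above (audit every Domain Admin change, and treat any use of a dormant break-glass account as an alert) can be expressed as a few detection rules over the Windows Security log. The following is an added example, not code from the original page or from Delinea: the event IDs and field names are those of the Windows Security log (4624 logon, 4722 account enabled, 4728/4732/4756 member added to a global/local/universal group), while the break-glass account names, hosts, addresses and the sample event stream are constructed for the example.

```python
"""Detection rules for break-glass account use and privileged-group changes,
run over constructed Windows Security event records.  Added example, not
code from the original page.  Event IDs and field names follow the Windows
Security log; account names, hosts and addresses are assumed."""

BREAK_GLASS_ACCOUNTS = {"bg-admin01", "bg-admin02"}     # assumed naming
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# 4728 / 4732 / 4756: member added to a global / local / universal security group
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample stream, in the flat key/value shape a log forwarder
# produces from the EventData section of each record.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2,
     "IpAddress": "10.0.5.21", "Computer": "WS-042"},
    {"EventID": 4722, "TargetUserName": "bg-admin01",
     "SubjectUserName": "helpdesk7", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "bg-admin01", "LogonType": 10,
     "IpAddress": "10.0.9.7", "Computer": "DC01"},
    {"EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,OU=Service,DC=corp,DC=example",
     "SubjectUserName": "jsmith", "Computer": "DC01"},
    {"EventID": 4728, "TargetUserName": "Sales",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example",
     "SubjectUserName": "hr-admin", "Computer": "DC01"},
    # logon by a break-glass account that was never enabled in this stream
    {"EventID": 4624, "TargetUserName": "bg-admin02", "LogonType": 3,
     "IpAddress": "10.0.9.8", "Computer": "FS01"},
]


def run_detections(events):
    """Return a list of (severity, message) alerts, in event order."""
    alerts = []
    enabled = set()          # break-glass accounts seen enabled (4722) so far
    for ev in events:
        eid = ev["EventID"]
        target = ev.get("TargetUserName", "")
        if eid == 4722 and target in BREAK_GLASS_ACCOUNTS:
            enabled.add(target)
            alerts.append(("high", f"break-glass account {target} enabled by "
                           f"{ev.get('SubjectUserName')} on {ev.get('Computer')}"))
        elif eid == 4624 and target in BREAK_GLASS_ACCOUNTS:
            msg = (f"break-glass account {target} logged on (type {ev.get('LogonType')}) "
                   f"to {ev.get('Computer')} from {ev.get('IpAddress')}")
            if target not in enabled:
                # expected state is disabled; a logon with no enable event means
                # the account was left enabled or was enabled out of band
                msg += " with no enable event seen: check the account is disabled by default"
            alerts.append(("critical", msg))
        elif eid in GROUP_ADD_EVENTS and target in PRIVILEGED_GROUPS:
            # in group-membership events TargetUserName is the group, MemberName the member
            alerts.append(("high", f"{ev.get('MemberName')} added to {target} by "
                           f"{ev.get('SubjectUserName')} on {ev.get('Computer')}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {msg}")
```

Run as-is it prints four alerts for the constructed stream: the enable and the logon of bg-admin01, the addition of svc_backup to Domain Admins, and the logon of bg-admin02, the last one flagged because no enable event preceded it. In a real pipeline the same rules would be fed from the SIEM rather than from the inline list, and the break-glass set would come from the PAM inventory rather than a hard-coded constant.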
Service accounts
Service accounts are used by operating systems to run applications and programs, either in the context of a built-in system account (such as LocalSystem on Windows, a highly privileged account with no password to manage) or of a specific user account created manually or during software installation. On Unix and Linux the equivalent is the dedicated system user that a daemon runs as once it is launched by init, systemd, or inetd. Service accounts are usually denied interactive logon, but they tend to have passwords that never change, and the accounts never expire. They are commonly abused by cybercriminals who find ways to compromise them so they can run their own binaries at elevated privilege, giving the attacker remote access.
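The Domain Admin, local Administrator, emergency and service account sections above each describe a property that can be checked mechanically in a directory export: membership of a privileged group, the RID-500 built-in Administrator (which keeps its SID even after being renamed), a privileged account that is disabled by default, and a service account whose password never expires or has not changed in years. The following is an added example that audits all of these over one constructed export; it is not Delinea's discovery tool or any code from the original page. The attribute names (sAMAccountName, objectSid, userAccountControl, pwdLastSet, memberOf, servicePrincipalName) and the userAccountControl bit values are those of the real Active Directory schema; the domain SID S-1-5-21-1-2-3, every account in it, and the 365-day password-age threshold are assumptions.

```python
"""Inventory audit for the privileged account types discussed above, run over
a constructed Active Directory user export.  Added example, not Delinea's
discovery tool.  AD attribute names and userAccountControl flags are real;
the domain, the accounts and the age threshold are made up."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (Microsoft-documented values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
MAX_SERVICE_PASSWORD_AGE = timedelta(days=365)   # assumed policy threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def user(name, rid, uac=NORMAL_ACCOUNT, pw_age_days=30, groups=(), spns=()):
    """Build one constructed export record for the hypothetical domain S-1-5-21-1-2-3."""
    return {
        "sAMAccountName": name,
        "objectSid": f"S-1-5-21-1-2-3-{rid}",
        "userAccountControl": uac,
        "pwdLastSet": NOW - timedelta(days=pw_age_days),
        "memberOf": list(groups),
        "servicePrincipalName": list(spns),
    }


SAMPLE_EXPORT = [
    user("alice", 1101, groups=["Domain Users"]),
    user("jsmith", 1104, groups=["Domain Users", "Domain Admins"]),
    # renamed built-in Administrator: the name changed, the RID did not
    user("helpdesk-root", 500, pw_age_days=90, groups=["Domain Users"]),
    # domain service account (has an SPN) with a static, never-expiring password
    user("svc_backup", 1205, uac=NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
         pw_age_days=1400, groups=["Domain Users", "Domain Admins"],
         spns=["MSSQLSvc/backup01.corp.example:1433"]),
    # break-glass account: privileged but disabled until needed
    user("bg-admin01", 1300, uac=NORMAL_ACCOUNT | ACCOUNTDISABLE, groups=["Domain Admins"]),
]


def rid_of(sid):
    """Relative identifier: the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def audit_user(u, now=NOW):
    """Return the list of findings for one account (empty if unremarkable)."""
    findings = []
    uac = u["userAccountControl"]
    priv = set(u["memberOf"]) & PRIVILEGED_GROUPS
    is_service = bool(u["servicePrincipalName"])
    if priv:
        findings.append("member of " + ", ".join(sorted(priv)))
    if rid_of(u["objectSid"]) == 500:
        # renaming the built-in Administrator does not change its RID
        findings.append("built-in Administrator (RID 500) renamed to " + u["sAMAccountName"])
    if is_service:
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append("service account password set to never expire")
        age = now - u["pwdLastSet"]
        if age > MAX_SERVICE_PASSWORD_AGE:
            findings.append(f"service account password unchanged for {age.days} days")
        if priv:
            findings.append("service account holds privileged group membership")
    if priv and uac & ACCOUNTDISABLE:
        findings.append("disabled privileged account: treat as break-glass and alert on enable/logon")
    return findings


def audit(export, now=NOW):
    """Map account name -> findings, only for accounts with at least one finding."""
    report = {}
    for u in export:
        f = audit_user(u, now)
        if f:
            report[u["sAMAccountName"]] = f
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On the constructed export the audit is silent about alice, reports jsmith only for Domain Admins membership, catches helpdesk-root as the renamed RID-500 Administrator, and produces four findings for svc_backup, which is the combination the service account section warns about: an SPN, a never-expiring password last set 1400 days ago, and Domain Admins membership on top. Against a real domain the same functions would be fed from an LDAP or PowerShell export rather than the inline list.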
Application accounts
Application accounts are routinely used to give an application access to the resources it needs to function: databases, the network, automated tasks such as software deployment, automated updates, and the ability to make configuration changes. These accounts typically keep their passwords in configuration files, or sometimes borrow local or service accounts to gain the necessary access. They are also a target for cybercriminals, who abuse known vulnerabilities in the application to gain remote access, modify system binaries, or elevate standard accounts to privileged ones so they can move around the network. Most organizations fail to patch applications properly, so attackers get to exploit these vulnerabilities all too often.
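The clear-text password in a configuration file is the part of an application account that discovery has to find before PAM can move it into the background. The following is an added example of such a scan, not code from the original page: it walks a constructed properties file, reports credential-looking keys and connection-string Password= fields whose value is a literal, and ignores values that are references to a vault or to the environment. The config contents, the key names it looks for, and the placeholder syntaxes it accepts (`${...}`, `{{...}}`, `vault:`, `%...%`) are all assumptions for the example.

```python
"""Scan application configuration for credentials stored as literals, the
pattern described above for application accounts.  Added example, not code
from the original page.  The config is constructed; the accepted placeholder
syntaxes are assumptions."""
import re

SAMPLE_CONFIG = """\
# app.properties (constructed sample)
db.url=jdbc:sqlserver://db01.corp.example:1433;databaseName=orders
db.user=svc_orders
db.password=Winter2019!
report.api_key=AKIAEXAMPLEKEY123456
mail.password=${VAULT:corp/app/mail}
cache.password=${CACHE_PASSWORD}
conn=Server=db02;Database=hr;User Id=svc_hr;Password=Hr$ecret1;
token=
"""

# key = value / key: value, where the key name looks like a credential
KV_RE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|api[_\-]?key|token)[\w.\-]*)"
    r"\s*[=:]\s*(?P<val>.*?)\s*$", re.I)
# Password=... / Pwd=... inside an ADO/ODBC-style connection string
CONN_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*(?P<val>[^;]+)", re.I)
# values that are references to a vault or the environment, not secrets
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|vault:.*|%.*%)$", re.I)


def is_literal_secret(val):
    """True if the value is non-empty and not a placeholder reference."""
    val = val.strip().strip('"\'')
    return bool(val) and not PLACEHOLDER_RE.match(val)


def mask(val):
    """Keep two leading characters for triage; never echo the full secret."""
    val = val.strip().strip('"\'')
    return val[:2] + "*" * (len(val) - 2) if len(val) > 4 else "*" * len(val)


def scan_config(text):
    """Return (line_no, key, masked_value) for each clear-text credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m and is_literal_secret(m["val"]):
            findings.append((n, m["key"], mask(m["val"])))
            continue
        c = CONN_RE.search(line)
        if c and is_literal_secret(c["val"]):
            findings.append((n, "connection-string Password", mask(c["val"])))
    return findings


if __name__ == "__main__":
    for line_no, key, masked in scan_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {key} = {masked}")
```

On the constructed file the scan reports three literals (db.password, report.api_key, and the Password= field inside the connection string on line 8) and skips the two placeholder values and the empty token. The masking is deliberate: a scanner that prints the secrets it finds just creates another file full of credentials.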
Privileged data user accounts
This is probably the most dangerous privileged access of all. It is a standard user account, but one with access to sensitive privileged data: think of the doctor who can read patient records or the accountant who can read the financial statements. The account itself is ordinary; what matters is what it can reach. These accounts are frequently not monitored or secured the way privileged accounts are, and whatever security exists tends to focus on the application that stores the data rather than on who can access it. Organizations must perform a data risk assessment to identify privileged data and then secure every standard account that has access to it.
These are just a few of the privileged accounts that organizations should prioritize and secure to reduce the risks of them being compromised and abused.
Other types of privileged accounts are:
Learn how you can protect your privileged accounts: Download Delinea’s Privileged Access Management for Dummies.