
Thycotic’s Cyber Security Publication

The 7 Deadly Privileged Accounts You MUST Discover, Manage and Secure

Written by Joseph Carson

March 26th, 2019

Privileged accounts and privileged access are at the heart of every business today. They ensure that the IT team can administer and manage the organization’s systems, infrastructure, and software, and they enable employees to access the data that enables them to make critical business decisions.

Not only are most businesses dependent on privileged accounts, but they are also the accounts most likely to be targeted by hackers and cyber criminals. This is because they allow the attackers to easily move around the network, accessing critical systems and sensitive data while remaining undetected and cleverly hiding their tracks.

Privileged accounts provide the ability to make system and software configuration changes, perform administrative tasks, create and modify user accounts, install software, back up data, apply security updates and patches, enable interactive logins and, of course, access privileged data. All these activities are crucial to ensure the business can function, keeping systems and software running.

Don’t assume that privileged accounts are directly aligned to employees’ jobs

Privileged accounts are typically limited to employee roles within the business, but can sometimes be mapped to users’ accounts independent of their role. This can be a big mistake—don’t assume that privileged accounts are directly aligned to employees’ jobs. Privileged accounts can be used by many different entities: IT administrators, security teams, helpdesk workers, third-party contractors, application owners, database administrators, and operating system and service accounts, to name a few.

Privileged accounts can also be found all over the organization’s infrastructure regardless of physical location, including on premises, in the cloud and for accessing SaaS applications. Common locations for privileged accounts are default credentials in servers, endpoints, and operating systems. They can also be found in virtual environments, software, cloud environments, databases, service accounts and within most applications. These are just a few examples, but they demonstrate that privileged accounts can be found practically everywhere within an organization, and often an organization will find it has up to five times as many privileged accounts as it has systems.

Many organizations are struggling with cyber fatigue—a state of being overwhelmed by cyber security responsibilities—as a result of the sheer volume of passwords and credentials that employees need to maintain and remember.  This is a serious issue across the business and impacts not just the IT team but the security team and all employees who need to access multiple systems and applications.

Failure to keep privileged access up to date has resulted in financial loss for many organizations

In addition to cyber fatigue, businesses face the challenge of keeping privileged access up to date, especially when employees’ roles change or when they leave the organization. Failure to do so has resulted in financial loss for multiple organizations when privileged accounts have subsequently been compromised and abused.  Service accounts also present a challenge as they historically get configured with a static password that doesn’t expire and never gets changed.

As it’s imperative that your privileged accounts are managed, protected and secured, I have listed the ‘7 Deadly Privileged Accounts’ that all organizations must discover, manage and secure in order to reduce their business security risk.

  1. The King of Accounts “Domain Admin Accounts”

The “god” account—the account that can do almost everything. Yes, the Domain Admin account has FULL access and control of the AD Domain. This group is, by default, a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, always add users with extreme caution, full audit, and approval. [1]

These accounts should be restricted as much as possible; access and usage of these accounts must be granted strictly on an “on-demand” basis, with additional security controls in place to prevent unauthorized use.  All activity should be fully audited and monitored.
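As an added example (not from the article or from Thycotic’s tooling), the following PowerShell audits Domain Admins membership the way this section calls for: it expands nested groups and flags members that are stale, have a non-expiring password, or also carry a service principal name. It assumes the RSAT ActiveDirectory module, read access to the domain, the default group name “Domain Admins”, and a 90-day staleness threshold.

```powershell
# Added example: audit who is effectively a Domain Admin and which of those
# accounts need follow-up. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-DomainAdminAudit {
    param(
        [string]$GroupName = 'Domain Admins',   # assumed default name; adjust for localized domains
        [int]$StaleDays = 90                    # assumed threshold for "not used recently"
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -Recursive expands nested groups so indirect members are not missed
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                # An SPN on a Domain Admin means the account is also used as a service account
                HasSPN               = [bool]$u.ServicePrincipalName
                Stale                = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            }
        }
}

# Full membership first, then only the members that need review
$audit = Get-DomainAdminAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.PasswordNeverExpires -or $_.HasSPN -or $_.Stale } |
    Format-Table SamAccountName, Enabled, PasswordNeverExpires, HasSPN, Stale -AutoSize
```

Run it on a schedule and diff the output against the previous run; any new member that did not go through the approval process is the finding.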

  2. The challenging and scary “Domain Service Accounts”

These accounts bring multiple systems and applications together so they can communicate and gain access to needed resources, usually to run reports, access databases or call APIs. These accounts tend to be problematic, especially when changing the password, which in almost all situations breaks the application(s) until the new password is synced across the environment. These challenging and scary moments mean most organizations have a “do not touch that password” policy on these accounts or have detailed processes on how to handle them. These accounts are typically used for backup solutions, analytical solutions, software deployment and updating security patches.

  3. The forgotten “Local Administrator Accounts”

Sometimes called the forgotten privileged account—the one that many organizations simply give to all employees, and the one that all cyber criminals target to get one foot in the door allowing them to discover and size up an organization’s security and defenses.  This is the main culprit for employees being over-privileged.

“The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.

For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users and assign user rights and access control permissions. The Administrator account can also be used to take control of local resources at any time simply by changing the user rights and permissions.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.” [2]
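Because the built-in account can be renamed but its SID always ends in the well-known RID 500, discovery should key on the SID rather than the name. The following is an added example (not from the article) that reports the built-in Administrator’s state on each host; it assumes WinRM is enabled on the targets, that the caller is a local administrator there, and a 90-day password-age threshold.

```powershell
# Added example: locate the built-in Administrator account on each host by RID 500,
# so a renamed account is still found, and report whether it is enabled and how old
# its password is. Assumes WinRM access and local admin rights on the targets.
function Get-BuiltinAdminStatus {
    param(
        [string[]]$ComputerName = @('localhost'),   # assumed target list
        [int]$MaxPasswordAgeDays = 90               # assumed threshold
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cutoff = (Get-Date).AddDays(-$using:MaxPasswordAgeDays)
        # Local account SIDs look like S-1-5-21-<machine>-<rid>; the built-in admin is RID 500
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $admin.Name
            Renamed         = ($admin.Name -ne 'Administrator')
            Enabled         = $admin.Enabled
            PasswordLastSet = $admin.PasswordLastSet
            PasswordStale   = ($null -eq $admin.PasswordLastSet) -or ($admin.PasswordLastSet -lt $cutoff)
        }
    }
}

# Example run against a constructed host list; replace with your inventory
Get-BuiltinAdminStatus -ComputerName @('localhost') |
    Format-Table Computer, Name, Renamed, Enabled, PasswordLastSet, PasswordStale -AutoSize
```

Domain controllers have no local SAM, so run this against member servers and workstations only.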

  4. The help me “Emergency Accounts”

These accounts are typically disabled by default until a critical incident occurs, then certain users need to have privileged access to restore systems, services, or even respond to cyber incidents.  These are only used in emergency scenarios—usually known as “break the glass”—when normal services are not available.  For example, during a cyber incident, these emergency accounts are used to access systems in order to conduct digital forensics and reduce contaminating log evidence. They can also be used to restrict compromised accounts from being continuously abused.

  5. The hidden and forever “Service Accounts”

Service accounts are typically used in operating systems to execute applications or run programs, either in the context of system accounts (highly privileged accounts without any password) or a specific user account, usually created manually or during software installation. On Unix and Linux they are often known as init or inetd, and can also launch programs. Service accounts usually are not permitted to log on to systems interactively; however, they tend to have passwords that never change, nor do these accounts expire. The accounts are commonly abused by cyber criminals who find ways to break them so they can run their own binaries at elevated privileges, allowing remote access for the attacker.
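To find the “hidden and forever” accounts this section describes, start from the services themselves rather than from a list of users. The following is an added example (not from the article): it enumerates Windows services that run under a custom account, then looks each one up in Active Directory to report whether its password is set to never expire and when it was last changed. It assumes the RSAT ActiveDirectory module and WinRM access to the listed hosts.

```powershell
# Added example: list services running as a custom (non-built-in) account and check
# the matching domain accounts for non-expiring passwords. Assumes RSAT AD module.
Import-Module ActiveDirectory

# Built-in service identities that are not "service accounts" in the article's sense
$builtin = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-CustomServiceAccounts {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) -and ($_.StartName -notlike 'NT SERVICE\*') } |
        Select-Object @{n = 'Computer'; e = { $ComputerName }}, Name, State, StartName, PathName
}

function Test-ServiceAccountHygiene {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))   # assumed target list
    foreach ($svc in ($ComputerName | ForEach-Object { Get-CustomServiceAccounts -ComputerName $_ })) {
        # StartName is DOMAIN\user, .\localuser or user@domain; extract the account name
        $sam = if ($svc.StartName -match '\\') { ($svc.StartName -split '\\')[-1] } else { ($svc.StartName -split '@')[0] }
        # Local accounts and gMSAs will not match a user object; they are reported with DomainAccount = $false
        $ad = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordNeverExpires, PasswordLastSet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer             = $svc.Computer
            Service              = $svc.Name
            State                = $svc.State
            RunsAs               = $svc.StartName
            DomainAccount        = [bool]$ad
            PasswordNeverExpires = if ($ad) { $ad.PasswordNeverExpires } else { $null }
            PasswordLastSet      = if ($ad) { $ad.PasswordLastSet } else { $null }
        }
    }
}

Test-ServiceAccountHygiene | Format-Table -AutoSize
```

Services whose account does not resolve in AD are local service accounts, which need the same review but will not show up in any domain-side report.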

  6. The elevated “Application Accounts”

Application accounts are routinely used to ensure an application has access to the resources it needs to function, such as databases, networking, automated tasks (like deploying software), automated updates, and the ability to make configuration changes. These accounts typically keep passwords in configuration files or sometimes use local or service accounts to gain necessary access. Application accounts are also a target for cyber criminals, as they can be easily abused using known vulnerabilities that allow the attackers to gain remote access, modify system binaries, or elevate standard accounts to privileged ones so they can move around the network. Most organizations fail to properly patch applications, so attackers can abuse these vulnerabilities all too often.

  7. The silent but deadly “Privileged Data User Accounts”

This is probably the most dangerous privileged access of all. Yes, this account is a standard user account, but it has ACCESS to SENSITIVE PRIVILEGED DATA. Think about the doctor who has access to patient data or the accountant who has access to the financial statements. While these accounts are simply regular accounts, it’s all about what they have access to. Privileged Data User accounts are often not monitored or secured like privileged accounts; the security is usually focused on the application where the data is stored, but not always. Organizations must perform a Data Risk Assessment to detect privileged data and secure ALL standard accounts that have access to sensitive data.

These are just a few of the privileged accounts that organizations should prioritize and secure to reduce the risks of them being compromised and abused.

Other privileged accounts are:

  • Root accounts
  • Accounts used to access security solutions
  • Wi-Fi accounts
  • Hardware accounts such as BIOS and vPro
  • Privileged user accounts
  • Network equipment
  • Firewall accounts
  • and even shared privileged accounts.

Learn how you can protect your privileged accounts: Download Thycotic’s Privileged Account Management for Dummies.

[1] StackExchange
[2] Microsoft Docs


Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.