Why You Have More Admin Accounts Than You Think and Why You Need to Protect Them

Data Theft

We often talk about how administrator accounts are the keys to the kingdom for hackers. And while at times hackers use a blanket-style phishing strategy to snag whomever they can into clicking an embedded link or attachment, it is really the privileged accounts that are the meaningful targets. There are two reasons for this:

  • Privileged accounts have access to privileged assets such as employee records, customer records and intellectual property. Privileged data has value, which means money in the pockets of an attacker who steals it.
  • Administrator accounts grease the wheels for malware and malicious code to spread laterally throughout your network, because an administrator account opens doors to other devices and applications.

In order to protect your high value assets, you have to first know what those assets are. This is why every organization needs to conduct a risk assessment in order to answer three imperative questions:

  • What sensitive or high value information do we host within our organization?
  • What are the consequences for us if that data is compromised?
  • Which user accounts have access to those assets?

Protecting Privileged Identities

The integration of the cloud and the implementation of mobile computing have permanently changed enterprise security. Traditional perimeter security is no longer enough; in fact, it’s not even close. Today’s enterprises must incorporate a multi-layer security strategy to truly be secure. In short, to protect assets, you must protect identities. Microsoft recommends protecting your privileged identities by following a phased roadmap, which you can read about here.

When we think of privileged accounts, we often limit the scope to local admin or network admin accounts. The truth is, you probably have more privileged accounts than you think. Today’s typical enterprises have some combination of the following:

  • Cloud service accounts to administer things like Amazon Web Services (AWS), Office 365 and SaaS applications
  • Identity admins that manage ADFS or SSO services such as Okta
  • Security and management tool admins
  • Social media account admins
  • Business and system data managers and admins

Not all user accounts are equal, so why do so many organizations protect them all in the same manner? Some accounts are more important than others and carry more risk, which means they need greater protection. There are several ways to provide the required protection.

Stronger Authentication Policies

While an 8-character password length policy may be suitable for most of your users, 8 characters isn’t enough for your highly targeted privileged accounts. Cybersecurity consultants recommend 14 characters. Starting with Server 2012, it is easy to create granular password settings using the Password Settings Container feature of ADAC (a fine-grained password policy). Create the supplemental policy and apply it to your privileged accounts.
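The same fine-grained password policy that ADAC’s Password Settings Container creates can be built and applied from PowerShell. This is an added example, not code from the original post or from PolicyPak; it assumes the ActiveDirectory module, a Domain Admin session, and a privileged group named "Tier0-Admins" (a placeholder for your own group), and the age and lockout values are illustrative.

```powershell
# Added example (not from the original post): enforce a 14-character minimum for
# privileged accounts with a fine-grained password policy (PSO) and verify it applies.
# Assumptions: ActiveDirectory module present, run as Domain Admin, and the
# privileged group is "Tier0-Admins" (placeholder; substitute your own group name).
Import-Module ActiveDirectory

$PolicyName = 'PSO-PrivilegedAccounts'
$AdminGroup = 'Tier0-Admins'

# Create the PSO only if it does not already exist. When a user is covered by more
# than one PSO, the one with the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Apply the PSO to the group rather than to individual users, so any admin added
# to the group later inherits the stronger policy automatically.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $AdminGroup

# Verify: each member's resultant policy should be the PSO, not the domain default.
$defaultMinLength = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account   = $_.SamAccountName
            Policy    = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
            MinLength = if ($resultant) { $resultant.MinPasswordLength } else { $defaultMinLength }
        }
    }
```

Any member still reporting the Default Domain Policy is either not a direct or nested member of the group or is covered by a PSO with a lower precedence value, which is worth checking before assuming the 14-character minimum is in force.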

We are also past an era in which user identities can be protected by a mere password. Thanks to the millions of compromised accounts being recirculated on the dark web, along with the advanced credential stuffing attacks levied today, relying on passwords alone subjects your accounts to great risk. Even security questions are no longer safe, as hackers regularly trawl social media sites looking for the information that is typically used for security questions. Multifactor authentication strategies that utilize a PIN, biometrics and/or a code generated by a device are pretty much mandatory today.

Diminish Your Attack Surfaces

Ensuring that all of your devices are fully patched and updated is absolutely mandatory. Some of the biggest malware attacks and breaches in the past several years could have been prevented if servers and devices had been properly updated. In addition, hacking techniques are perpetually advancing, and as a result protocols perpetually become vulnerable and outdated. Network admins need to remove legacy and insecure protocols such as SMB 1.0, TLS 1.0, 3DES, etc., and disable any unused services. Many companies are implementing whitelisting in order to prevent ransomware, banking trojans and other types of malware from being installed under the accounts of active users. While the practice of whitelisting can be arduous and time consuming, PolicyPak’s SecureRun™ is a solution to consider, as it only allows applications that are properly installed or sanctioned by an authorized administrator to run. Any application or malware strain downloaded by a user simply cannot be installed on their device. Best of all, configuration and implementation is easy.
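Before removing the legacy protocols named above, it helps to know which of them are still enabled on a given server. The following audit is an added example, not code from the original post or from PolicyPak; it assumes an elevated session on Windows Server 2012 or later with the standard SCHANNEL registry layout, and it only reports, it changes nothing.

```powershell
# Added example (not from the original post): report whether SMB 1.0, TLS 1.0 and
# 3DES are still enabled on this server. Assumptions: elevated session, Windows
# Server 2012 or later, standard SCHANNEL registry layout. Read-only; no changes made.

function Get-SchannelState {
    # Returns Enabled / Disabled / NotConfigured for a SCHANNEL protocol or cipher key.
    # An absent key or value means the OS default applies, and on older builds that
    # default is "enabled" for TLS 1.0 and 3DES, so NotConfigured is still a finding.
    param([string]$RelativePath)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\$RelativePath"
    if (-not (Test-Path $key)) { return 'NotConfigured' }
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) { return 'NotConfigured' }
    if ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

$findings = @()

# SMB 1.0: the optional feature may be absent on some SKUs, so also check the
# server-side switch that Get-SmbServerConfiguration exposes.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
$findings += [pscustomobject]@{
    Item  = 'SMB 1.0 feature'
    State = if ($smb1Feature) { [string]$smb1Feature.State } else { 'Unknown' }
}
$findings += [pscustomobject]@{
    Item  = 'SMB 1.0 server'
    State = if ($smb1Server) { 'Enabled' } else { 'Disabled' }
}

# TLS 1.0 in both roles, plus the Triple DES cipher key that governs 3DES suites.
$findings += [pscustomobject]@{ Item = 'TLS 1.0 server'; State = Get-SchannelState 'Protocols\TLS 1.0\Server' }
$findings += [pscustomobject]@{ Item = 'TLS 1.0 client'; State = Get-SchannelState 'Protocols\TLS 1.0\Client' }
$findings += [pscustomobject]@{ Item = '3DES cipher';    State = Get-SchannelState 'Ciphers\Triple DES 168' }

# Only an explicit Disabled passes; everything else needs review.
$findings | ForEach-Object {
    $status = if ($_.State -eq 'Disabled') { 'OK' } else { 'REVIEW' }
    '{0,-8} {1,-18} {2}' -f $status, $_.Item, $_.State
}
```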

Administrators who have to manage a cloud service, remote server or management tool should only do so from a fully hardened device, and privileged accounts should only be used in their privileged role when performing that function. Every administrator should also have a separate, non-privileged account for checking email and surfing the internet.

Enforcing Least Privilege

And then there is the obvious — denying local admin rights to standard users. Of course that is difficult to do when many applications, MSI files and control panel applets require these rights. But with Least Privilege Manager, that isn’t a problem. Least Privilege Manager adds the ability to modify access on an application level to accommodate nearly every possible desktop user environment.

This blog post discusses the risk associated with a high number of privileged accounts and how you can protect them with PolicyPak.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers who shared the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.