In our last post, we explained that identity has become the new perimeter in today’s cloud-based, mobile-enabled environment. It’s no longer possible to maintain IT assets and applications behind a firewall. Organizations must implement robust identity management and authentication mechanisms to ensure that only authorized users gain access to resources.
Our last post focused on identity and access management (IAM) challenges and how Azure Active Directory Premium can help simplify, automate and fortify IAM. Now, we’ll go a little deeper and examine the critical importance of privileged account security.
The term “privileged account” refers to any credentials that provide administrator-level access to a host system or application. At the highest level are domain admin accounts, which give the user access to domain controllers and the ability to modify other administrative credentials.
Privileged user accounts give an individual the ability access one or more systems. These credentials may include entitlements for domain, server, and/or workstation and device access.
However, many organizations also have local admin accounts that are not specific to an individual, and application accounts that give software access to databases and other applications. These latter types of privileged accounts often have shared credentials that aren’t managed according to security best practices.
Because privileged accounts provide virtually unfettered access to IT resources, they are a prime target of cybercriminals. In a typical attack, hackers gain a beachhead through a phishing attack or social engineering, stealing credentials and moving laterally to compromise more systems. The goal is to move up the privilege chain to gain high-level credentials.
Mitigating these kinds of attacks requires a four-pronged approach:
- Protect privileged accounts and restrict privilege escalation
- Restrict lateral movement across the environment
- Minimize human error through education and ongoing improvement
- Employ advanced threat analytics to detect attacks
Microsoft provides several tools to aid in privileged account protection. Privileged Access Workstation (PAW) uses a suite of Windows security technologies to create a hardened physical environment that protects privileged accounts from remote attacks and physical compromise. It also provides many of the tools sysadmins commonly need, such as Remote Server Administration Tools, Systems Internal Suite and Microsoft System Center consoles.
Microsoft recommends that administrators use a dedicated, PAW-hardened PC for privileged access, minimizing the risk that web browsing and other basic user activities will compromise privileged credentials. However, administrators may opt to run a user PC as a virtual machine inside the PAW PC to eliminate the need to carry two devices.
Privileged Access Management (PAM) is a new Active Directory (AD) feature that was introduced with Windows Server 2016. PAM uses Microsoft Identity Manager (MIM) to create a separate AD forest for privileged accounts so that privilege escalation can be managed and controlled.
Local Administrator Password Solution (LAPS) stores the passwords of domain-joined systems in AD Access Control Lists. LAPS restricts lateral movement by ensuring that unique, randomly generated passwords are used for local admin accounts across the environment. Because passwords are automatically stored to AD, LAPS enhances security while simplifying password management.
Because humans are always the weakest link in the security chain, user training and continuous process improvement play a critical role in protecting the environment. AdaptivEdge can assess your environment and help you develop a strategic plan for mitigating security risks.
Our next post will look at the use of advanced threat analytics for detecting malicious attacks.
Written and composed by one of our Microsoft System Engineers, Raul R. Perez II