Mitigating the Risk of Compromise of Privileged Access Accounts
The risks posed to unrestricted and restricted privileged access accounts can be substantially mitigated, and reasonably quickly so, with sufficient executive support and a will to mitigate them.
To help organizations worldwide reduce the likelihood of a security breach involving the compromise and subsequent misuse of an unrestricted privileged access account, as well as to help them mitigate the risk posed by Active Directory Privilege Escalation and other attack vectors, the following risk mitigation measures are provided, and their immediate enactment is suggested.
This information is for informational purposes only. PARAMOUNT DEFENSES INC MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THIS INFORMATION.
This information is provided for informational purposes only and cannot be understood as substituting for authoritative technical information furnished by the pertinent official vendor. Reliance upon any information furnished here is at your own risk. Paramount Defenses Inc provides no warranty and makes no representation that the information provided is suitable or appropriate for any situation, and cannot be held liable for any claim or damage of any kind that users of the information furnished in this technical reference may suffer.
Risk Mitigation Measures –
The following is a summary of risk mitigation measures that organizations can implement to mitigate the risk of the compromise of their privileged access accounts and security groups –
1. Identify all Active Directory privileged access accounts and groups that have unrestricted access, based on the criteria specified in Correctly Identifying Privileged Access Accounts.
2. Reduce the number of these Active Directory privileged access accounts and groups that have unrestricted access to an absolute bare minimum by enacting measure #3 below.
3. Establish and implement a verifiably secure, least-privilege access (LPA) adherent administrative delegation model in Active Directory to distribute/delegate all non-vital administrative responsibilities (e.g. account and group management) amongst a group of lesser privileged IT personnel. It is imperative that your organization be able to precisely audit and verify all administrative delegations at all times. If you have an existing administrative delegation model, audit all delegations to identify and eliminate all existing unauthorized privileged access.
   Note > This is the cardinal measure, and it requires the performance of an Effective Privileged Access Audit, which is the only correct way to audit privileged access in Active Directory.
4. Establish and implement a separate model for managing unrestricted administrative access accounts and groups, ensuring that they are never managed by lesser privileged individuals.
5. Ensure that your organization has the ability to know exactly, and at all times, who is delegated what administrative access on all unrestricted and restricted (delegated) administrative accounts and groups, and on all vital Active Directory content that makes for a lucrative target (e.g. all executive (C*O) accounts and all security groups protecting high-value IT assets).
6. Periodically audit the state of effective access on all unrestricted and restricted administrative access accounts and groups to ensure continued adherence to least-privilege access.
   At a minimum, at least once a fortnight, audit the state of effective access on all unrestricted administrative access accounts to ensure that only authorized individuals can reset their passwords (or, if smartcards are in use, disable their use), and on all unrestricted administrative access groups to ensure that only authorized individuals can change their memberships.
7. Establish and implement a protocol to ensure that any changes made to security permissions anywhere in Active Directory are assessed, analyzed and approved before the change is made.
8. Establish and enforce a well-defined set of Secure Administrative Practices for all IT administrative personnel, including a requirement for vigilance prior to logging on to specific computers.
9. Implement auditing to log and detect the enactment of all sensitive administrative tasks, including password resets and group membership changes, on all accounts, groups and OUs.
10. Optionally, consider monitoring the use of all unrestricted administrative access accounts so as to be able to detect and respond to suspicious activity in a timely manner.
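As an added illustration of the fortnightly check in measure 6 (this is example code written for this page, not Paramount Defenses' tooling), the following PowerShell lists the access control entries on a set of unrestricted accounts and groups that grant the ability to reset their passwords or change their memberships, or broader rights that imply it. It assumes the ActiveDirectory module (RSAT) is installed and uses sample object names that you would replace with your own.

```powershell
# Added example: enumerate ACEs granting sensitive rights on protected AD objects.
# Requires the ActiveDirectory module and read access to the objects' security descriptors.
Import-Module ActiveDirectory

# Assumption: sample names; replace with your own unrestricted accounts and groups.
$ProtectedObjects = @('Administrator', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Well-known schema GUIDs (identical in every AD forest).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right "Reset Password"
$MemberAttribute    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute "member"
$AnyObject          = [Guid]::Empty                                   # ACE covers all rights/attributes

# True when every bit of $Flag is present in $Rights (exact-flag test, not "any overlap").
function Test-AdRight {
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    return (([int]$Rights) -band ([int]$Flag)) -eq ([int]$Flag)
}

function Get-SensitiveAce {
    param([string]$Name)
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$Name'"
    if (-not $obj) { Write-Warning "Object '$Name' not found"; return }
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        $r = $ace.ActiveDirectoryRights
        $reason = $null
        if     (Test-AdRight $r 'GenericAll') { $reason = 'GenericAll' }
        elseif (Test-AdRight $r 'WriteDacl')  { $reason = 'WriteDacl (can grant itself any right)' }
        elseif (Test-AdRight $r 'WriteOwner') { $reason = 'WriteOwner (can take ownership, then DACL)' }
        elseif ((Test-AdRight $r 'ExtendedRight') -and ($ace.ObjectType -in @($ResetPasswordRight, $AnyObject))) {
            $reason = 'Reset Password'
        }
        elseif ((Test-AdRight $r 'WriteProperty') -and ($ace.ObjectType -in @($MemberAttribute, $AnyObject))) {
            $reason = 'Write member (change group membership)'
        }
        if ($reason) {
            [pscustomobject]@{
                Object    = $Name
                Trustee   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Right     = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Review every row against the list of individuals authorized for that object.
$ProtectedObjects | ForEach-Object { Get-SensitiveAce -Name $_ } | Format-Table -AutoSize
```

This lists explicit and inherited ACEs only; it does not expand group nesting or apply Deny precedence, so it is a starting point for the review rather than the Effective Privileged Access Audit that the note under measure 3 calls for.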
The enactment of the above suggested risk mitigation measures can help an organization substantially reduce its exposure to the risk of the compromise of a privileged access account or group.