Privileged Account Management Practices That Actually Work
Privileged accounts hold the keys to every interesting system in most organisations. The attacker who reaches them controls the environment. The user who casually misuses them creates incidents nobody wants to investigate. The technology to manage them properly has been available for years and the practices are well documented, yet the privileged accounts in many organisations are managed with a discipline that would embarrass an attacker if they had to follow the same standards.
Just-In-Time Beats Standing Privilege
Standing privileged access is the default in most environments and the wrong default for the modern threat landscape. A user who holds permanent administrative rights provides a permanent escalation target for any attacker who reaches their workstation. Just-in-time access grants the same rights for the duration of a specific task, after which the elevated session expires. The user gets the access they need, when they need it, and the standing target disappears. A capable internal network pen testing engagement should explicitly test for standing privileged access and the residual attack paths it produces.
Separate Identities For Separate Purposes
A user who reads email, browses the web and administers domain controllers from the same workstation is providing an obvious attack path. Privileged identities should be separate from day-to-day user identities, ideally with separate workstations that have hardened configurations and no access to the public internet. The administrative overhead is real and largely one-time. The security benefit is durable.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd

The mature environments I assess all share a habit. The privileged access is genuinely inconvenient to use. It requires logging into a separate workstation, authenticating with stronger factors and accepting that some tasks take longer than they would with standing access. That inconvenience is a feature, not a bug. The convenient approach is also the one that ransomware groups specifically count on.
Break Glass Accounts Need Careful Handling
Every organisation needs break glass accounts that can recover access if the primary authentication system fails. These accounts are by definition powerful and by definition excluded from some normal controls. Treat them with extreme care. Long randomised credentials. Stored in physical safes or hardware tokens. Used rarely and never for routine work. Audited every time they authenticate. It is worth running a quarterly verification that the break glass procedure actually works as intended. The discipline catches the slow drift that otherwise renders the recovery mechanism ineffective at the exact moment you need it to work.
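The two checks described above, standing privilege without a live just-in-time grant and every authentication by a break glass account, as an added example that is not part of the original article. Account names, group names, timestamps and record shapes are constructed assumptions; the functions run over whatever directory snapshot and authentication events you feed them.

```python
"""Added example, not from the original article: two checks a PAM team
can run over directory and authentication data. Account names, group
names, timestamps and record shapes are constructed assumptions."""
from datetime import datetime, timedelta

BREAK_GLASS_ACCOUNTS = {"bg-admin-01", "bg-admin-02"}   # assumed names
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# JIT grants as (user, group, granted_at ISO-8601, ttl in minutes).
JIT_GRANTS = [
    ("alice-adm", "Domain Admins", "2024-05-01T09:00:00", 120),
]

# Privileged group membership as a directory snapshot would report it.
MEMBERSHIP = {
    "Domain Admins": {"alice-adm", "bob-adm"},
    "Enterprise Admins": {"bg-admin-01"},
}

# Constructed authentication events: (timestamp, user, outcome).
AUTH_EVENTS = [
    ("2024-05-01T09:05:00", "alice-adm", "success"),
    ("2024-05-01T22:17:00", "bg-admin-01", "success"),
    ("2024-05-01T22:19:00", "bg-admin-02", "failure"),
]


def break_glass_alerts(events, break_glass=BREAK_GLASS_ACCOUNTS):
    """Every authentication attempt by a break-glass account is an alert,
    whether it succeeded or not: these accounts are for rare, planned use,
    and a failed attempt is as interesting as a successful one."""
    return [ev for ev in events if ev[1] in break_glass]


def standing_privilege(membership, grants, now_iso,
                       privileged=PRIVILEGED_GROUPS,
                       break_glass=BREAK_GLASS_ACCOUNTS):
    """Return (user, group) pairs holding privileged membership without an
    unexpired JIT grant at now_iso. Break-glass accounts are skipped here
    because they are reviewed under their own procedure."""
    now = datetime.fromisoformat(now_iso)
    active = set()
    for user, group, granted_at, ttl_min in grants:
        start = datetime.fromisoformat(granted_at)
        if start <= now < start + timedelta(minutes=ttl_min):
            active.add((user, group))
    return sorted((u, g) for g in privileged for u in membership.get(g, ())
                  if u not in break_glass and (u, g) not in active)
```

Run `standing_privilege` against each directory snapshot and the JIT grant log at the time of the snapshot; anything it returns is a standing escalation target, and anything `break_glass_alerts` returns should map to a ticketed recovery.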
Auditing Has To Be Trustworthy
Privileged session recording, command logging and detailed audit trails all give the organisation the ability to investigate after the fact. They also have the side effect of changing behaviour, because users who know their sessions are recorded tend to act more deliberately. The audit logs themselves need protection, because an attacker who compromises a privileged account often goes after the logs next. Combine these technical controls with regular assessments from the best pen testing company you can engage, with the privileged access infrastructure explicitly in scope.
Privileged account management is unglamorous, ongoing infrastructure work that pays back during every incident. The teams that take it seriously avoid most of the worst incident outcomes. It rests on authentication, the foundation that the rest of the security model depends on, and the teams that invest properly in authentication tend to find that downstream security investments produce better returns, because the foundation is actually solid.
