
The 7 Deadly Privileged Accounts You MUST Discover, Manage, and Secure

Privileged accounts and privileged access are at the heart of every business today. They ensure that the IT team can administer and manage the organization’s systems, infrastructure, and software, and they enable employees to access the data that enables them to make critical business decisions.

Not only are most businesses dependent on privileged accounts, but they are also the accounts most likely to be targeted by cyber criminals or abused by malicious insiders. This is because they allow the attackers to easily move around the network, accessing critical systems and sensitive data while remaining undetected and cleverly hiding their tracks.

What is a privileged account?

Privileged accounts are the building blocks for managing our software and hardware networks. They should be distinguished from a typical user account that represents a human identity, such as an Active Directory user account with an associated password to restrict access. There is usually a single account password per human user. It’s also common to have shared privileged accounts used by a department or group of people to access applications or systems.

A privileged account can be human or non-human and does not necessarily represent a human user. Privileged accounts provide administrative or specialized levels of access based on higher levels of permissions that are shared. Some types of non-human high privileged accounts are application accounts used to run services requiring specific permissions. In many cases, user accounts can also have elevated, or administrative privileges delegated to them.

Privileged accounts provide the ability to make system and software configuration changes, perform administrative tasks, create and modify user accounts, install software, backup data, update security and patches, enable interactive logins, and of course, access privileged data.  All these activities are crucial to ensure the business can function, keeping systems and software running.

Don’t assume that privileged accounts are directly aligned to employees’ jobs

Privileged accounts are typically limited to employee roles within the business, but can sometimes be mapped to users’ accounts independent of their role. This can be a big mistake—don’t assume that privileged accounts are directly aligned to employees’ jobs. Privileged accounts can be used by many different entities: IT administrators, security teams, helpdesk workers, third-party contractors, application owners, database administrators, operating systems, and service accounts, to name a few.

Privileged accounts can be found all over the organization’s infrastructure regardless of physical location, including on-premises, in the cloud, and for accessing SaaS applications. Common locations for privileged accounts are default credentials in servers, endpoints, and operating systems. They can also be found in virtual environments, software, cloud environments, databases, service accounts, and within most applications. These are just a few examples, but they demonstrate that privileged accounts can be found practically everywhere within an organization, and an organization will often find it has up to five times as many privileged accounts as it has systems.

Many organizations are struggling with cyber fatigue—a state of being overwhelmed by cyber security responsibilities—as a result of the sheer volume of passwords and credentials that employees need to maintain and remember. This is a serious issue across the business and impacts not just the IT team but the security team and all employees who need to access multiple systems and applications. One thing that is clear is that humans are not great at choosing strong passwords. We must move passwords into the background by leveraging solutions such as password managers or privileged access management software. This helps automate many of the security controls for protecting privileges such as passwords.

Failure to keep privileged access security up to date has resulted in financial loss for many organizations

In addition to cyber fatigue, businesses face the challenge of keeping privileged access up to date, especially when employees’ roles change or when they leave the organization. Failure to do so has resulted in financial loss for multiple organizations when privileged accounts have subsequently been compromised and abused.

In recent times, cyber criminals have taken advantage of poorly protected privileged accounts. The result? Many organizations have fallen victim to ransomware, bringing business to a complete standstill and costing millions of dollars. Service accounts also present a challenge as they historically get configured with a static password that doesn’t expire and never gets changed.

Therefore, it’s imperative that all types of privileged accounts are managed, protected, and secured. So, which accounts are considered privileged accounts? I have listed the ‘7 Deadly Privileged Accounts’ that all organizations must discover, manage and secure in order to reduce their business security risk.

7 Types of Privileged Accounts that are Deadly if not Secured

  1. The King of Accounts “Domain Admin Accounts”

I think of this type of privileged account as the “god” account—the account that can do almost everything. Yes, the Domain Admin account has FULL access and control of the AD Domain. This group is, by default, a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, always add users with extreme caution, full audit, and approval.[1]

These accounts should be restricted as much as possible; access and usage of these accounts must be granted strictly on an “on-demand” basis, with additional security controls in place to prevent unauthorized use.  All activity should be fully audited and monitored. Attackers commonly abuse these accounts using techniques such as pass-the-hash so they can easily move around the network.
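One way to put the “full audit” of Domain Admins membership into practice is to compare the group’s effective (nested) membership against a change-controlled approved list. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module, read access to the domain, and a constructed allowlist of names that you would replace with your own.

```powershell
# Added example (not from the original post): audit Domain Admins membership
# against an approved list and flag members that should not be there.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Constructed allowlist of principals approved to hold Domain Admin.
# Replace with the organization's own approved, change-controlled list.
$Approved = @('Administrator', 'da-alice', 'da-bob')

# -Recursive expands nested groups, which is where surprise members usually hide.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive

$Report = foreach ($m in $Members) {
    if ($m.objectClass -ne 'user') {
        # Computers or other object types in Domain Admins deserve their own review.
        [pscustomobject]@{
            Name = $m.SamAccountName; Type = $m.objectClass; Approved = $false
            Enabled = $null; LastLogon = $null; PasswordAge = $null
        }
        continue
    }
    $u = Get-ADUser -Identity $m.SamAccountName -Properties LastLogonDate, PasswordLastSet
    [pscustomobject]@{
        Name        = $u.SamAccountName
        Type        = 'user'
        Approved    = $Approved -contains $u.SamAccountName
        Enabled     = $u.Enabled
        LastLogon   = $u.LastLogonDate
        # Days since the password was last changed; $null if it was never set.
        PasswordAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
    }
}

# Unapproved members, and approved ones whose password is older than 90 days, need attention.
$Report | Where-Object { -not $_.Approved -or $_.PasswordAge -gt 90 } |
    Sort-Object Approved, Name | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run turns a one-off check into the continuous monitoring the post calls for.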

  2. The challenging and scary “Domain Service Accounts”

These accounts bring multiple systems and applications together so they can communicate and gain access to needed resources, usually to run reports, access databases, or call APIs. These accounts tend to be problematic, especially when changing the password, which in almost all situations breaks the application(s) until the account is synced across the environment. These challenging and scary moments mean most organizations have a “do not touch that password” policy on these accounts or have detailed processes on how to handle them. The accounts are typically used for backup solutions, analytical solutions, software deployment, and updating security patches.

  3. The forgotten “Local Administrator Accounts”

Sometimes called the forgotten privileged account—the one that many organizations simply give to all employees, and the one that all cyber criminals target to get one foot in the door allowing them to discover and size up an organization’s security and defenses. These shared privileged accounts are the main culprits for employees being over-privileged.

“The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.

For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users and assign user rights and access control permissions. The Administrator account can also be used to take control of local resources at any time simply by changing the user rights and permissions.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.”[2]
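Because the built-in local Administrator keeps the well-known RID 500 even after it is renamed, matching on the SID rather than the name is the reliable way to find it on a host. The following is an added example (not from the original post or from Thycotic); it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and the 30-day threshold is a constructed value.

```powershell
# Added example (not from the original post): locate the built-in local Administrator
# on this machine by its RID (500) and report whether it is enabled, renamed, and how
# old its password is. Assumes the Microsoft.PowerShell.LocalAccounts module.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

if ($null -eq $builtin) {
    Write-Warning 'RID-500 account not found; the LocalAccounts module may be unavailable on this host.'
    return
}

$passwordAgeDays = if ($builtin.PasswordLastSet) {
    (New-TimeSpan -Start $builtin.PasswordLastSet).Days
} else { $null }

# Constructed threshold: flag an enabled built-in Administrator whose password is
# older than 30 days or has never been set.
$stale = ($null -eq $passwordAgeDays) -or ($passwordAgeDays -gt 30)

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Name            = $builtin.Name                       # 'Administrator' unless renamed
    Renamed         = $builtin.Name -ne 'Administrator'
    Enabled         = $builtin.Enabled                    # disabled by default on Windows client editions
    PasswordAgeDays = $passwordAgeDays
    LastLogon       = $builtin.LastLogon
    Status          = if ($builtin.Enabled -and $stale) { 'REVIEW: enabled with stale or unset password' } else { 'ok' }
}
```

Collecting this object from every endpoint (for example via a remoting job) gives the inventory of local Administrator accounts that the discovery step of the post is about.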

Chances are you have privileged accounts you’re not aware of. A quick scan of your environment with our Privileged Account Discovery Tool will pinpoint your vulnerabilities.

  4. The help me “Emergency Accounts”

These accounts are typically disabled by default until a critical incident occurs, then certain users need to have privileged access to restore systems, services, or even respond to cyber incidents. These are only used in emergency scenarios—usually known as “break the glass”—when normal services are not available. For example, during a cyber incident, these emergency accounts are used to access systems in order to conduct digital forensics and reduce contaminating log evidence. They can also be used to restrict compromised accounts from being continuously abused.

  5. The hidden and forever “Service Accounts”

Service accounts are typically used in operating systems to execute applications or run programs, either in the context of system accounts (high privileged accounts without any password) or a specific user account, usually created manually or during software installation. On Unix and Linux they are often known as init or inetd, and can also launch programs. Service accounts are usually not permitted to log on to systems; however, they tend to have passwords that never change, nor do these accounts expire. The accounts are commonly abused by cyber criminals who find ways to break them so they can run their own binaries at elevated privileges, allowing remote access for the attacker.
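The domain service accounts in section 2 and the service accounts described here share the same tell-tale: a password set to never expire and often not rotated for years. As an added example (not code from the original post), the following discovers such accounts in Active Directory and highlights those that carry Service Principal Names, since rotating those requires the coordinated application change the post warns about. It assumes the ActiveDirectory RSAT module and domain read access; the 365-day threshold is a constructed value.

```powershell
# Added example (not from the original post): discover domain accounts whose password
# never expires or was last set long ago, i.e. the "do not touch that password" accounts.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$StaleAfterDays = 365   # constructed threshold; align with the organization's rotation policy

# PasswordNeverExpires is filterable server-side; ServicePrincipalName marks accounts
# that services authenticate as (Kerberos), which is where rotation breaks applications.
$Candidates = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet, PasswordNotRequired, ServicePrincipalName, LastLogonDate, Description

$Report = foreach ($u in $Candidates) {
    $ageDays  = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
    $spnCount = @($u.ServicePrincipalName).Count
    $reasons  = @('password never expires')
    if ($u.PasswordNotRequired)           { $reasons += 'password not required' }
    if ($null -eq $ageDays)               { $reasons += 'password never set' }
    elseif ($ageDays -gt $StaleAfterDays) { $reasons += "password $ageDays days old" }

    [pscustomobject]@{
        Account     = $u.SamAccountName
        HasSPN      = $spnCount -gt 0
        SPNCount    = $spnCount
        PasswordAge = $ageDays
        LastLogon   = $u.LastLogonDate
        Description = $u.Description
        Findings    = $reasons -join '; '
    }
}

# SPN-bearing accounts first, then the oldest passwords: that is the order in which a
# rotation plan (or migration to managed service accounts) should be worked through.
$Report | Sort-Object HasSPN, PasswordAge -Descending | Format-Table -AutoSize
```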

  6. The elevated “Application Accounts”

Application accounts are routinely used to ensure an application has access to the resources it needs to function, such as databases, networking, automated tasks (like deploying software), automated updates, and the ability to make configuration changes. These accounts typically keep passwords in configuration files or sometimes use local or service accounts to gain necessary access. Application accounts are also a target for cyber criminals as they can be easily abused using known vulnerabilities that allow the attackers to gain remote access, modify system binaries, or elevate standard accounts to privileged so they can move around the network. Most organizations fail to properly patch applications, so attackers can abuse these vulnerabilities all too often.

  7. The silent but deadly “Privileged Data User Accounts”

This is probably the most dangerous privileged access of all.  Yes, this account is a standard user account but has ACCESS to SENSITIVE PRIVILEGED DATA.  Think about the doctor who has access to patient data or the accountant who has access to the financial statements. While these accounts are just regular accounts, it’s all about what they have access to. Privileged Data User accounts are sometimes not monitored or secured like privileged accounts, and the security is focused on the application where the data is stored, but not always. Organizations must perform a Data Risk Assessment to detect privileged data and secure ALL standard accounts that have access to sensitive data.

These are just a few of the privileged accounts that organizations should prioritize and secure to reduce the risks of them being compromised and abused.

Other types of privileged accounts are:

  • Root accounts
  • Accounts used to access security solutions
  • Wi-Fi accounts
  • Hardware accounts such as BIOS and vPro
  • Privileged user accounts
  • Network equipment accounts
  • Firewall accounts
  • Shared privileged accounts

Learn how you can protect your privileged accounts: Download Thycotic’s Privileged Account Management for Dummies.

[1] StackExchange
[2] Microsoft Docs

*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Joseph Carson. Read the original post at: https://thycotic.com/company/blog/2021/12/14/top-7-types-of-privileged-accounts-to-protect/