A privileged account is a login ID on some system which has elevated security rights, i.e., it is able to perform more tasks and/or access more data than a regular user can. Privileged accounts are also often shared accounts: they do not belong to just one user, but are shared by multiple users, who are usually system administrators, database administrators, network managers and the like.
There are broadly three types of privileged accounts in common use:
- Administrator accounts:
These are accounts, often shared by multiple IT users, which are used to establish interactive logins to systems and applications. These logins are used to manage those systems: apply patches, change configuration, manage users, retrieve log files, etc. Examples include Administrator on Windows, root on Unix/Linux, sa on SQL Server, SYSTEM on Oracle databases, and many others, at least one per platform.
- Application to application accounts:
These accounts are used by one application to connect, identify and authenticate to another. Common examples include the accounts a web application uses to connect to a database server, object broker or directory.
- Service accounts:
These accounts provide a security context in which to run unattended processes, such as scheduled tasks, services or "daemons." In the context of this document, we are mostly concerned with the management of Windows service accounts, because on the Windows operating system, unlike on other platforms, starting a process in the security context of an ordinary local or domain account requires that account's password: the Service Control Manager stores it and uses it to log the account on each time the service starts. This creates the need to manage passwords for service accounts on Windows, and to keep the stored copy in sync with the account itself, since a password change on the account alone will cause the service to fail at its next start. The exceptions are the built-in accounts (LocalSystem, Local Service, Network Service), per-service virtual accounts (NT SERVICE\name) and (group) managed service accounts, whose passwords Windows manages itself. On Unix/Linux, by contrast, init starts a daemon as root and the daemon drops privileges itself, so the service account normally has a locked password and no interactive login at all.
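The following PowerShell is an added illustration of the point above and is not Hitachi ID code. It lists the services on a host whose logon account is an ordinary user (the ones with a stored password that must be rotated), generates a random password without modulo bias, and shows the order of operations for a rotation: change the account's password, update the credential the Service Control Manager holds, then restart the service to prove the new credential works. Service and account names such as `BackupAgent` and `svc-backup` are hypothetical; the account-side password change (`Set-ADAccountPassword` or `Set-LocalUser`) is left in comments because it depends on where the account lives.

```powershell
# Added example, not part of the original page or of Hitachi ID Privileged Access Manager.
# Requires an elevated Windows PowerShell 5.1 or PowerShell 7 session on the target host.

# Accounts whose passwords Windows manages itself: nothing stored in the SCM to rotate.
$BuiltIn = @('LocalSystem',
             'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
             'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

function Get-PasswordManagedService {
    # Services running as a real local or domain user, i.e. with a password held by the SCM.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            $BuiltIn -notcontains $_.StartName -and
            $_.StartName -notlike 'NT SERVICE\*' -and   # per-service virtual accounts
            $_.StartName -notlike '*$'                   # MSA / gMSA names end in '$'
        } |
        Select-Object Name, StartName, State, StartMode
}

function New-RandomPassword {
    param([int]$Length = 32)
    # Ambiguous glyphs (0/O, 1/l/I) omitted so the value survives being read aloud or typed.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

function Set-ServiceLogonPassword {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$NewPassword,
        [switch]$Restart
    )
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq $ServiceName
    if (-not $svc) { throw "Service '$ServiceName' not found" }

    # Step 1 (done by the caller, before this): change the password on the account itself.
    # Step 2: update the copy the Service Control Manager stores for this service.
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                          -Arguments @{ StartPassword = $NewPassword }
    if ($r.ReturnValue -ne 0) {
        throw "Win32_Service.Change on '$ServiceName' failed with return code $($r.ReturnValue)"
    }

    # Step 3: the running process still holds a token from the old logon; only a restart
    # proves that the stored password and the account's password now agree.
    if ($Restart) { Restart-Service -Name $ServiceName -ErrorAction Stop }
}

# Usage (names hypothetical):
#   Get-PasswordManagedService | Format-Table -AutoSize
#   $pw = New-RandomPassword
#   # domain account:  Set-ADAccountPassword -Identity 'svc-backup' -Reset `
#   #                    -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
#   # local account:   Set-LocalUser -Name 'svc-backup' `
#   #                    -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
#   Set-ServiceLogonPassword -ServiceName 'BackupAgent' -NewPassword $pw -Restart
```

The gap between steps 1 and 2 is the window in which the service would fail to start; a password vault such as the one this page describes closes it by performing both steps (and the equivalent for scheduled tasks, IIS application pools and COM+ applications that use the same account) as one transaction, and by checking in advance which services share the account so none is missed.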
Hitachi ID Privileged Access Manager secures privileged accounts on an enterprise scale:
- It periodically randomizes every privileged password.
- Users must sign into Privileged Access Manager when they need to use a privileged account. Multi-factor authentication can be required.
- Privileged Access Manager launches login sessions on behalf of users, without displaying passwords -- single sign-on.
- Logins to privileged user accounts can be recorded, including screen capture and keyboard logging. This creates strong accountability and forensic audit trails.