swipe to navigate

Types of privileged accounts

Privileged accounts, like their name suggests, are accounts designed to provide elevated access to systems and data. They are an integral part of every IT infrastructure and play a key role in a large variety of day-to-day operations, from the management of operating systems and application servers by administrators to providing appropriate security contexts for running services, or securing communication between interdependent business applications.

Because they exist in one form or another in virtually every server, workstation or appliance in the enterprise, the larger the environment, the more challenging it becomes to maintain an accurate repository of information related to these types of accounts. At the same time, due to their privileged nature, they are a prized target for attackers and one of the first items IT auditors focus on when assessing the security posture of an organization. It is therefore crucial for enterprises of any size to implement processes -- be they manual or automated -- for discovering and managing most if not all of their privileged accounts.

From a high level perspective, privileged accounts fall into one of the following three categories:

  1. Administrative accounts:

    These are accounts used to establish interactive login sessions to systems and applications. Often shared by multiple IT people, they provide the administrative access permissions required to install applications, apply patches, change configuration, manage users, retrieve log files, etc.

    Administrative accounts can be further divided based on their access scope:

    • Local administrative accounts:

      These privileged accounts have a more limited scope, since they only provide administrative access to the local host or application on which they reside. Examples of local administrative accounts include members of the local administrators group on a Windows workstation, such as Administrator, the root account on Unix/Linux servers, the sa account on MSSQL Servers or SYSTEM on Oracle databases.

    • Domain administrative accounts:

      These accounts typically provide administrative access to all systems that are members of a given domain. A common example here would be domain accounts that are members of the Domain Admins security group in an Active Directory domain.

  2. Application accounts:

    These accounts are used by one application to connect, identify and authenticate to another. Common examples include accounts used by a web application to connect to a database server or accounts used by a batch script to connect to a web application's API service. Because of their intended purpose, credentials for this type of accounts are often lacking an adequate protection, making them a prime target for attackers.

  3. Service accounts:

    These are non-personal privileged accounts, configured with either local or domain level access, whose purpose is to provide a security context in which to run unattended processes, such as scheduled tasks, services or "daemons."

In addition to privileged accounts, a privileged access management system can also be used to protect some types of accounts that would otherwise pose a security risk, but which do not have elevated security rights:

  1. Shared, high visibility accounts, such as corporate accounts used to post content on social networking platforms such as Facebook or Twitter.
  2. Personal, unprivileged accounts on systems which cannot support corporate password complexity rules, such as legacy mainframe applications.

Security problems

Privileged accounts can pose a variety of security threats to an organization:

Static passwords

Privileged accounts often have passwords that are either never changed or changed infrequently. This creates significant windows of opportunity for abuse:

  1. Attackers have more time to guess or otherwise compromise password values.
  2. If there are legitimate reasons for these passwords to be known to people or made available to programs, there is increased opportunity for misuse of these accounts.

Plaintext passwords

Privileged passwords are often stored as plaintext:

  1. In scripts and configuration files.
  2. In text files or spreadsheets used by human users.

If an attacker gains access to a file containing plaintext passwords, he can subsequently sign into that account and cause harm.

Personal accountability

Privileged accounts are often shared by multiple people. This means that changes made to systems using these accounts cannot be clearly traced back to individual users, since there is no way to tell which of several legitimate users signed into a given account at a given time.

Strong authentication

Privileged accounts on most systems only support one form of authentication, and that is passwords. Multi-factor authentication is often not possible, either at all or in emergency or bootstrapping scenarios where network services are unreachable. This means that even in organizations that deploy multi-factor authentication technologies (tokens, smart cards, etc.), these are not readily applicable to the most powerful accounts.