Privileged Account Management Best Practices
Because privileged users have so much power, most organizations have some basic controls in place to limit or audit their activity. But are you doing everything you should? Here are best practices you can follow to take control over privilege users across your IT environment.
- Maintain an up-to-date inventory of all privileged accounts. Be sure to inventory accounts from critical Active Directory groups, such as Domain Admins, as well as *nix servers root accounts. But also remember to include system admins for your mainframe systems, databases, business applications like SAP and other high-risk applications, and network devices like firewalls, routers and phone switches. The inventory should identify the owner of each privileged account, the system component it is associated with, its primary location in the office, and, ideally, the phone number of the owner. Keep your inventory of privileged accounts updated and document all changes.
- Do not allow admins to share accounts. Make administrators accountable for their actions by personalizing their privileged accounts. Use the default administrator, root and similar accounts only when absolutely necessary; it is better to rename or disable them.
- Minimize the number of personal privileged accounts. Ideally, each admin should have only one personalized privileged account for all systems.
- Create a password policy and strictly enforce it. Follow password best practices, including these:
- Change the password on each device so you are not using the default password.
- Avoid using hard-coded passwords in applications and appliances.
- Require privileged account passwords to be changed regularly to reduce the risk of departing employees compromising your systems.
- Never share privileged account passwords or store them in a plain text file; use password management tools or an encrypted datasheet for this purpose.
- Safeguard privileged accounts by using two-factor authentication. There are many form factors available — hard tokens, soft tokens, push-to-authenticate/approve, NFC Bluetooth beacons, GPS/location information, fingerprints and so on. A password alone is not enough.
- Limit the scope of permissions for each privileged account. Many privileged accounts have no limits; they have full access to everything. To minimize risk, you should enforce two key principles: separation of duties, which means that no employee can perform all privileged actions for a given system or application, and least privilege, which means that employees are granted only the bare minimum privileges needed to perform their jobs. So delegate permissions in Active Directory and set up role-based access control (RBAC) in every system that you use.
- Use privilege elevation best practices. When users need additional access rights, they should follow a documented request and approval process, either on paper or using a ticket in a privileged access management system. Upon approval, elevate the user’s privileges only for the time period required to perform the specified task. Similarly, IT admins should use their privileged accounts only when they need the elevated permissions for a specific task; they should use their regular accounts otherwise.
- Monitor and log all privileged activity. Be vigilant about what actions privileged users are taking by using a variety of logging and monitoring techniques. Implement traditional security controls, such as firewalls and network access controls, that limit access to systems — particularly critical systems like your intrusion detection system or identity and access management (IAM) solution. All of these systems should have logging enabled, and you should also enable system logging for all user activity, especially the logon/logoff events and other actions of privileged users. You also need real-time monitoring of privileged user activity, and the ability to alert appropriate staff about critical actions. Creating these alerts requires the information in the logs to be clear and understandable, which is not the case natively for many computing platforms; however, you can use IT auditing software that will solve this problem.
- Extend your privileged access protection past the firewall. Don’t forget about accounts associated with social media, SaaS applications, partners, contractors and customers; they should also be protected according to your privileged account management policy.
- Analyze the risk of each privileged user. Continually use risk assessment to assess the danger each privileged user poses, and focus on investigating and securing the most risky ones first.
- Review privileged access rights at appropriate intervals (at least once a month) and regularly review privileged permissions assignment. Document all changes in detail.
- Educate users. Give your staff the information they need to succeed, and be sure to update them about policies and procedures whenever there is a change to their daily routine. Everyone — including not just admins but all users — should know how to properly manage and use their privileged credentials.
- Document your account management policies and practices. Last but certainly not least, make sure your rules and processes are explicitly written down and signed by management, so everything is clear and enforceable.