Privileged Access Management – What is a Privileged Account

Privileged Access Management (PAM) is usually a consideration for the CISO and his or her security team. There are many technical solutions to control privileged access but all of them start with what should be a simple task of identifying the privileged accounts.


I was asked to help a Privileged Access Management project to identify accounts that had privileges at the infrastructure layer on a number of Windows and Unix servers.

For Unix I considered the account to be privileged if it was a member of any of these groups:

  • system
  • bin
  • cron
  • audit
  • ip

In addition to looking at group memberships I also had to extract the sudoers file and look for elevated privileges. My sudoers files also nested other files and groups, so it took some work to unravel the totality of the Unix privileges. I also looked at accounts that owned jobs run under cron.
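As an added example (not from the original post), the following Python script pulls the three Unix privilege sources described above into one inventory: membership of the listed groups (including membership via a user's primary GID in /etc/passwd), sudoers rules resolved through %group principals, User_Alias definitions and #include'd files, and ownership of a crontab. All inputs are constructed strings standing in for /etc/passwd, /etc/group, /etc/sudoers, a sudoers.d fragment and the cron spool; the include map and the spool dictionary are assumptions made so the script runs offline.

```python
"""Inventory privileged Unix accounts from group membership, sudoers and cron.

Added example. All inputs below are constructed stand-ins for the real files.
"""
import re

# Groups treated as privileged on the Unix hosts (the list from the post).
PRIVILEGED_GROUPS = {"system", "bin", "cron", "audit", "ip"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash
"""

GROUP = """\
system:x:0:alice
bin:x:2:
cron:x:16:bob
audit:x:200:
ip:x:201:
ops:x:1100:carol,dave
"""

SUDOERS = """\
Defaults env_reset
User_Alias DBA = dave
root ALL=(ALL:ALL) ALL
%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
#include /etc/sudoers.d/dba
"""

# Constructed stand-in for the files that #include directives pull in.
SUDOERS_INCLUDES = {"/etc/sudoers.d/dba": "DBA ALL=(ALL) /usr/bin/pg_ctl\n"}

# Constructed stand-in for /var/spool/cron: crontab owner -> contents.
CRON_SPOOL = {"carol": "0 3 * * * /opt/app/backup.sh\n"}

INCLUDE_RE = re.compile(r"^[#@]include\s+(\S+)")


def parse_passwd(text):
    """Map user name -> primary GID (kept as a string to match /etc/group)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = fields[3]
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (gid, {m for m in members.split(",") if m})
    return groups


def members_of(group, groups, users):
    """Supplementary members plus users whose primary GID is this group."""
    gid, supplementary = groups[group]
    return supplementary | {u for u, pgid in users.items() if pgid == gid}


def sudoers_rules(text, includes, seen=None):
    """Collect (aliases, rules) from a sudoers file, following #include
    directives through `includes`; `seen` stops an include loop."""
    seen = set() if seen is None else seen
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        match = INCLUDE_RE.match(line)
        if match:
            path = match.group(1)
            if path in includes and path not in seen:
                seen.add(path)
                sub_aliases, sub_rules = sudoers_rules(includes[path], includes, seen)
                aliases.update(sub_aliases)
                rules.extend(sub_rules)
            continue
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.startswith("User_Alias"):
            name, value = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in value.split(",")]
            continue
        principal, spec = line.split(None, 1)
        rules.append((principal, spec))
    return aliases, rules


def resolve_principal(principal, aliases, groups, users):
    """Expand a user, %group or User_Alias principal to concrete user names
    (aliases nested inside aliases are not expanded, a simplification)."""
    if principal in aliases:
        names = set()
        for member in aliases[principal]:
            names |= resolve_principal(member, {}, groups, users)
        return names
    if principal.startswith("%"):
        group = principal[1:]
        return members_of(group, groups, users) if group in groups else set()
    return {principal}


def privileged_accounts(passwd, group, sudoers, includes, cron_spool):
    """Return {user: sorted list of reasons} for every account with a privilege source."""
    users = parse_passwd(passwd)
    groups = parse_group(group)
    found = {}

    def add(user, reason):
        found.setdefault(user, set()).add(reason)

    for g in sorted(PRIVILEGED_GROUPS.intersection(groups)):
        for u in members_of(g, groups, users):
            add(u, f"member of group {g}")
    aliases, rules = sudoers_rules(sudoers, includes)
    for principal, spec in rules:
        for u in resolve_principal(principal, aliases, groups, users):
            add(u, f"sudoers: {principal} {spec}")
    for owner in cron_spool:
        add(owner, "owns cron jobs")
    return {u: sorted(r) for u, r in sorted(found.items())}


if __name__ == "__main__":
    for user, reasons in privileged_accounts(PASSWD, GROUP, SUDOERS, SUDOERS_INCLUDES, CRON_SPOOL).items():
        print(user, "->", "; ".join(reasons))
```

The report lists root twice over (primary group and a sudoers rule), dave via both the %ops rule and the DBA alias pulled in from the included file, and carol purely through sudo and a crontab, which is the kind of account a group-only review would miss.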

For Windows servers the groups that I considered to be privileged were:

  • Administrators
  • Backup Operators
  • Cryptographic users
  • Guests
  • IIS_IUSRS
  • Network Config Operators
  • Performance Log Users
  • Performance Monitor Users
  • Power Users
  • Remote Desktop Users
  • Replicator

In addition, I scanned these servers for accounts used as Windows Service accounts and Windows Scheduled tasks.

I had a number of challenges. The first was identifying a tool that could cope with the complex Active Directory setup. Recursively nested groups were an issue, and I ended up writing a PowerShell script to extract all members of the groups and sub-groups that ignored circular group references (e.g. group A's members include group B and group B's members include group A).
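The circular-nesting problem above is a graph traversal with a visited set. As an added example (not the post's PowerShell script, which is not reproduced on the page), the following Python code expands nested group membership over a constructed directory snapshot that stands in for the results of querying each group's direct members; it records the nesting path by which each user was reached and reports every group reference it skipped because that group was already expanded, so the circular references can be reviewed rather than silently ignored.

```python
"""Expand nested group membership without looping on circular nesting.

Added example. DIRECTORY is a constructed snapshot standing in for the
direct members returned by querying each group: group -> [(kind, name)].
"""
from collections import deque

DIRECTORY = {
    "Administrators": [("user", "alice"), ("group", "Server Ops")],
    "Server Ops": [("user", "bob"), ("group", "Administrators"), ("group", "Backup Team")],
    "Backup Team": [("user", "carol"), ("group", "Backup Team")],
    "Remote Desktop Users": [("user", "dave"), ("group", "Server Ops")],
}


def expand_group(group, directory):
    """Return (users, cycles).

    users maps each user name to the tuple of groups through which it was
    first reached (breadth-first, so the shortest nesting path wins).
    cycles lists (parent, child) group references skipped because the child
    group had already been expanded, e.g. A -> B -> A or a self-member.
    """
    users, cycles = {}, []
    visited = {group}
    queue = deque([(group, (group,))])
    while queue:
        current, path = queue.popleft()
        for kind, name in directory.get(current, []):
            if kind == "user":
                users.setdefault(name, path)
            elif name in visited:
                cycles.append((current, name))
            else:
                visited.add(name)
                queue.append((name, path + (name,)))
    return users, cycles


def privileged_inventory(groups, directory):
    """Map user -> {privileged group: nesting path string} across all groups."""
    report = {}
    for group in groups:
        users, _cycles = expand_group(group, directory)
        for user, path in users.items():
            report.setdefault(user, {})[group] = " -> ".join(path)
    return report


if __name__ == "__main__":
    for g in ("Administrators", "Remote Desktop Users"):
        members, loops = expand_group(g, DIRECTORY)
        print(g, members, "cycles:", loops)
```

A group name that is referenced but missing from the snapshot (for instance one that resolves only to a SID) simply contributes no members here; in a real run that case is worth logging separately, since it is exactly the stale reference the clean-up stage has to deal with.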

Secondly, I had an issue finding a location from which to run the discovery that had access to all servers in the different security enclaves. I ran it from a number of DCs and admin servers that had access to all VLANs.

Finally, when it came to clearing up old accounts, there were many that were just referred to by a SID – i.e. the account had been deleted, leaving only a SID in the group. For Unix servers I also had to think about re-assigning file ownership when deleting accounts.
