First, I define privileged access as anything above what
the standard user would get? How do you
control privileged access? Do you allow
your Linux system administrators to have the root password? Do you Windows administrators have the
password for a system account with admin privileges? Or maybe they have domain admin rights
assigned to their personal account.
A while back I attended a presentation about for a
product that stores the passwords for accounts…the assumption is that all
privileged accounts would be stored in this solution along with the
passwords. This system is also capable
of being integrated with AD and your ticketing system so when a user needed the
password, the system would check to make sure there is a valid ticket (incident
or change request) and that the requestor is also in the right AD group. This security solution will also change the
password after a set amount of time from when the password was retrieved. This would seemingly prevent the user from
reusing the password for an unlimited about of time.
While I can see why management and Internal Audit would
love this solution….on the surface it meets the compliance requirements for
controlling access and assists with the change management process. This system is also very useful in storing
passwords that don’t get used very often, thus making sure they are available
in a business continuity situation. However,
does it help a company be secure or does it give a false sense of security?
What are the actual actions performed when the password
is retrieved? The IT guy could retrieve
the password and make any change under the guise of whatever the Incident or
Change ticket talked about. Every
environment has those system accounts where the password is never changed. These accounts tend to have a high level of
privileges and everyone on the team knows the password….so no trouble ticket is
required to use these accounts. I could
go on and on, but you get the point.
What is the solution?
So will argue that the administrators need admin privileges all the time….it
is their job. I don’t necessarily
disagree with that. I believe the
solution lies in monitoring what the privileged accounts are doing. Implementing one of the solutions that
monitors key folders, directories, and files for access and modification is
also needed.
Until next time…
~Skeeter