Just like a great piece of cake, PIM (Privileged Identity Management) has its proper ingredients too. Without the flour, is your cake really cake? Without understanding which accounts in your environment are actually privileged, are you really managing privileged identities? Certainly this is a matter of opinion, as we shouldn’t allow ourselves to operate in an all-or-nothing mindset – things don’t have to be perfect for them to be effective – but the point is that fundamentals make a difference. Cake is better with flour. PIM is better when it understands all the privileged accounts.
I speak with a lot of customers every week about a variety of subjects, including managing privileged access. When I ask them how they’re identifying which accounts should go into their “vaults” (I’m using this term generically), I’m pretty consistently told that they know all of the accounts that need to be controlled. I could buy this for some areas of the network – critical applications, well-known administrative accounts, etc. – but really? You can tell me right now who has Local Admin access to every desktop and server across your enterprise? I highly doubt it.
Are these accounts not privileged? Can they not download software, change configurations, and do whatever they please with the data on the systems they’re applied to? What about Service Accounts? No, not just the ones you’ve named SVC_[Account Name] in Active Directory. You’ve actually gone out to all those desktops and servers and know which accounts are running services across the entire estate? Are they not privileged too?
Let’s admit it. This is a blind spot, and your PIM vendor is not necessarily in the business of figuring this piece out for you. Sure, they’ve got some basic discovery capabilities to get you started, but this isn’t their core competency. They manage the identities. It’s on you to enable your PIM solution to do what it does best: manage the privileged accounts it knows about. Your PIM solution cannot protect the accounts it doesn’t know exist.
Do you know who has Local Administrator rights to each of your systems? Regardless of whether or not you’ve got a PIM solution in place, ponder this question for a while. This is an important one, a blocking-and-tackling tactic within a solid risk mitigation strategy. If you can whittle down the number of users who have admin access to a system, you drastically mitigate the opportunity for serious threats like Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) to occur, because attackers won’t be able to download the software needed (e.g. Mimikatz) to steal the creds of the even more privileged accounts that have likely authenticated to those machines in the past.
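As an added illustration of the inventory gap described above (this is not code from the post or from Stealthbits/Netwrix), the following PowerShell collects local Administrators membership and service logon accounts from a constructed list of hosts. It assumes PowerShell remoting is enabled and that the caller has rights on the targets; the host names and the output path are placeholders.

```powershell
# Added example: measure the "who is local admin / what runs services" blind spot.
# Assumes WinRM is enabled and the caller is an administrator on each target.
$Hosts = @('WS-001', 'WS-002', 'SRV-APP01')   # constructed sample host names

# Built-in service identities; anything else is a separately managed account.
$BuiltInServiceIdentities = @(
    'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
)

$Results = Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    # Direct members of the local Administrators group (users and groups).
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [PSCustomObject]@{
            Computer = $env:COMPUTERNAME
            Kind     = 'LocalAdmin'
            Account  = $_.Name
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, ...
            Detail   = $_.ObjectClass       # User or Group (nested admins hide here)
        }
    }
    # The logon identity each installed service actually runs as.
    $services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [PSCustomObject]@{
            Computer = $env:COMPUTERNAME
            Kind     = 'ServiceLogon'
            Account  = $_.StartName
            Source   = $null
            Detail   = $_.Name
        }
    }
    @($admins) + @($services)
}

# Keep every local admin entry, plus service logons that are not built-in identities.
$Findings = $Results | Where-Object {
    ($_.Kind -eq 'LocalAdmin') -or
    ($_.Kind -eq 'ServiceLogon' -and $_.Account -and
     $BuiltInServiceIdentities -notcontains $_.Account)
}

# Per-host count of principals holding local admin: the number to whittle down.
$Findings | Where-Object Kind -eq 'LocalAdmin' |
    Group-Object Computer | Select-Object Name, Count | Format-Table -AutoSize

# Full inventory for review or for feeding into a PIM onboarding list.
$Findings | Export-Csv -Path '.\privileged-account-inventory.csv' -NoTypeInformation
```

Group entries in the output (ObjectClass "Group") still need to be expanded in Active Directory to see the individual people they grant admin rights to.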
If you’re interested, we can help. Check out our free local admin assessment.
As General Manager, Adam is responsible for product lifecycle and market adoption from concept to implementation through to customer success. He is passionate about market strategies and about developing a long-term path to success for our customers and partners.
Previously, Adam served as CMO and has held a variety of senior leadership positions at Stealthbits (now part of Netwrix), including Sales, Marketing, Product Management, and Operational Management roles, where his focus has consistently been setting product strategy, defining the roadmap, driving strategic engagements, and product evangelism.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.
© 2022 Stealthbits Technologies, Inc.