Administrative or privileged accounts are the holy grail for threat actors because they are the proverbial and literal keys to the kingdom.
Since Windows Active Directory is the most popular network operating system, we'll focus our efforts on domain environments.
For IT administrators of a certain age, there are certain hard-to-break habits that persist. These include granting end users local administrator rights, making certain users e.g. managers Domain Admins, and the most egregious in my opinion, making their own user accounts a Domain Admins.
This can be quite an expansive topic so we're going to focus on certain fundamentals to get the proverbial party started:
- Set aside the default Domain Administrator account with a strong password kept under lock and key
- Minimize privileged account sprawl
- Enforce separate user and admin accounts for IT staff
- Require multifactor authentication (MFA) for all privileged accounts
- Monitor for and alert on undesirable privileged account activity
- Monitor for and alert on privileged user group changes
Minimize the following key metrics for best results:
- # of accounts with administrative permissions
- # of privileged accounts without MFA enabled
- # of privileged accounts with passwords older than 1-year (your mileage may vary)
- # of inactive privileged accounts i.e. with no logon in last 30-days
- Frequency that the default Administrator account has been used
- Frequency that privileged user groups have been changed
- Frequency of privileged account failed logins, lockouts, unlocks, and password resets
We could go on and on with regards to auditing. Seriously we could go on and on, and will do so at a later time. For now, this should get you started on the straight and narrow.
Image Source: Adobe Firefly Generative AI