Automating Privileged Account Discovery: The first rule of Information Security says, “You can’t protect what you don’t know you have.” An account you have never inventoried is one you cannot rotate, audit or lock down, and an attacker who finds it before you do can use it unnoticed. Let’s examine how automation can be used to discover, catalog and protect the privileged accounts on your network.
In this 5-part Thycotic educational series, we focus on five areas of Privileged Account Management where automation can be utilized to not only reduce the amount of work typically associated with certain IT tasks, but also to significantly improve the security posture of your organization:
You’re reading: Part 1: Account Discovery
Part 2: Changing Network Passwords
Part 3: Team Password Sharing
Part 4: SSH Key Management
Part 5: Compliance Reporting
Why automate at all? With data centers constantly expanding across multiple geographic locations, IT teams are increasing the physical and virtual servers they have to manage. Yet the resources that enable them to accomplish required tasks rarely keep pace with their demands. So it’s not surprising that automating repetitive, rote tasks is a key component of success for any IT Operations group. One area where automation is routinely overlooked is the management of the accounts IT teams rely on every day: non-human privileged accounts and service/application accounts.
Why automate Privileged Account Discovery?
The mantra “You can’t protect what you don’t know you have” rings true for every area of Information Technology management from managing your servers to enforcing your policies. So, it makes sense to examine how automation can be used to catalogue the privileged accounts on your network and record how they’re being used.
Privileged accounts are accounts with high levels of system permission that allow access to just about everything: local administrator and root accounts, and the accounts used to run services and applications. Because these accounts are not assigned to a single human user the way a standard user account is, they are harder to track, harder to subject to a password-change policy, and much harder to tie back to the person who actually logged in with them.
To complicate matters further, privileged accounts are not limited to local administrator accounts.
They often include:
- Windows Local Administrator
- Windows Domain Administrator
- Unix root
- Cisco enable password
- Database administrator credentials (ex. MSSQL sa account)
- Service accounts
- Application administrator accounts
- Corporate social media accounts (ex. YouTube, Twitter, Facebook)
These privileged accounts should have even more protections associated with them than a standard user account, considering their elevated levels of access to critical systems and data. And while many tools exist for account management tasks for normal user accounts, there are few that specifically address the security needs of privileged accounts.
Your privileged accounts are a favorite target of hackers.
As privileged accounts are not assigned in a one-to-one relationship with a single human, they are often shared and used by entire teams. And often, any IT administrator can and will create new privileged accounts throughout the day as they spin up new servers or set up new automated network tasks.
Without a complete inventory of your privileged accounts you cannot even recognize their activity in audit trails and logs, let alone manage it. These accounts need specialized tools to perform tasks such as:
- Rotating the password on a regular basis (ideally, as often as possible)
- Assigning role-based access controls for who can and cannot use the credential
- Enforcing password complexity policies that go above and beyond standard user requirements (e.g. setting minimum password length to 60 characters)
- Auditing all access to these privileged accounts to verify who has used them and establish accountability for any actions taken
- Temporary access assignment of privileged credentials to help desk or other non-admin staff
Most system admins and security engineers would agree that protecting privileged account passwords—safeguarding the “keys to the kingdom”—should be a top priority for any organization. The challenge in managing privileged accounts properly typically lies in determining where the accounts reside and how they are used. Automating the discovery of privileged accounts eliminates the need to manually audit every system, device and application in the organization to identify them, determine what rights each account has, and work out which services and scheduled tasks depend on it. It also avoids digging up every system administrator’s personal spreadsheet or text file of user names and passwords for these sorts of accounts, which is both unreliable and a security problem in its own right.
Using an automated tool which can scan the directory services and systems on your network and identify all of the privileged accounts provides substantial savings in time and effort. Additionally, automated account discovery creates a higher level of accuracy by eliminating the need to manually query individuals and rely on their historical documentation.
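The kind of scan such a tool performs can be sketched in a few dozen lines of PowerShell. The script below is an added example, not Thycotic’s code or any part of Secret Server: run in an elevated PowerShell 5.1+ session on a Windows host, it catalogs local Administrators members, enabled local accounts with stale passwords, services and scheduled tasks that run under a named account rather than a built-in identity, and (if the RSAT ActiveDirectory module is present) the recursively expanded members of Domain Admins. The `$builtIn` list, the 90-day staleness threshold and the `Add-Finding` helper are assumptions chosen for this example; Cisco enable passwords, MSSQL `sa` and social-media accounts need their own queries and are not covered here.

```powershell
# Added example (not Thycotic's code): inventory privileged accounts on one
# Windows host and, optionally, the domain. Requires an elevated PowerShell
# 5.1+ session; the Domain Admins step needs the RSAT ActiveDirectory module.
# Output is a list of Host/Account/Source/Why objects that can be piped to
# Export-Csv and fed into a vault's import workflow.

# Built-in identities nobody logs in with. Anything else that runs a service
# or task is a candidate service/application account. (Assumed list.)
$builtIn = @(
    'LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
)
$staleAfterDays = 90   # assumed threshold for "password not rotated"

$findings = New-Object System.Collections.Generic.List[object]

# Hypothetical helper: every discovery below records one row per account.
function Add-Finding($Account, $Source, $Why) {
    $findings.Add([pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Account = $Account
        Source  = $Source
        Why     = $Why
    })
}

# 1. Members of the local Administrators group. Domain users and groups nested
#    here are the ones that are easiest to lose track of, so record the
#    object class and where the principal comes from.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    Add-Finding $_.Name 'LocalGroup:Administrators' "$($_.ObjectClass) from $($_.PrincipalSource)"
}

# 2. Enabled local accounts whose password has not been set recently.
#    Disabled accounts are skipped so they are not mistaken for live ones.
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$staleAfterDays)) {
        Add-Finding $_.Name 'LocalUser' "password last set $($_.PasswordLastSet.ToShortDateString())"
    }
}

# 3. Services running under a named account rather than a built-in identity:
#    these are the service accounts the article describes. A null StartName
#    means a built-in identity, so it is filtered out explicitly.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    ForEach-Object {
        Add-Finding $_.StartName "Service:$($_.Name)" "StartMode=$($_.StartMode) State=$($_.State)"
    }

# 4. Scheduled tasks whose principal is a named account. The stored
#    credential breaks silently if the password is rotated elsewhere, which
#    is exactly why these need to be in the inventory.
Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -and
    ($builtIn -notcontains $_.Principal.UserId) -and
    ($_.Principal.UserId -notmatch '^(Users|Administrators|S-1-5-(18|19|20))$')
} | ForEach-Object {
    Add-Finding $_.Principal.UserId "ScheduledTask:$($_.TaskPath)$($_.TaskName)" "RunLevel=$($_.Principal.RunLevel)"
}

# 5. Domain Admins, expanded recursively so membership via nested groups
#    is not missed. Skipped when the AD module is not installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object {
        Add-Finding $_.SamAccountName 'ADGroup:Domain Admins' $_.objectClass
    }
}

$findings | Sort-Object Account, Source | Format-Table -AutoSize
# For the vault import: $findings | Export-Csv -NoTypeInformation privileged-accounts.csv
```

Run it across a fleet by wrapping the host-level steps in `Invoke-Command -ComputerName` and merging the CSVs; the one-row-per-use shape means the same account appearing as a service principal on ten servers shows up ten times, which is the dependency map you need before rotating that account’s password in Part 2.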
Incorporating automated account discovery within a Privileged Account Management tool such as Thycotic Secret Server allows an administrator to funnel newly discovered accounts into workflows that automatically assign roles and permissions to the teams that should have access, and apply the necessary password policies and configuration requirements to those accounts.
Automated Discovery feature in Thycotic Secret Server: