IS Decisions logo

IS Decisions Blog

Privileged access management for Windows Active Directory domain

Privileged access management (PAM) for Windows Active Directory domain accounts isn't always easy. That’s where UserLock comes in, making it easier to protect any account with privileged access while also enhancing the security of all privileged accounts.

Updated September 6, 2023
Privileged Access Management for Windows Active Directory Domain

When we talk about privileged access management (PAM) for Windows Active Directory, we often mean protecting the most privileged of types of Active Directory accounts: Windows local administrator accounts, domain admin accounts, Active Directory service accounts, and any account with authority over a major part of the network environment.

But the real value of PAM comes when it's used to protect any account with access to critical data, applications, and systems.

In this article, we’ll look at how UserLock helps organizations to do both types of PAM.

What is privileged access management?

Nothing reduces battle-hardened IT leaders to a state of nervous exhaustion as quickly as the words privileged access. What exactly is privileged access? In practice, it's not clear-cut.

While some account types, like enterprise admins, have powerful privileged access, even basic user accounts have some "privileged access," at least enough to do their jobs.

Where you draw the line at what separates "privileged access" from "non-privileged access" will likely depend on your specific organization's security and compliance requirements.

How you manage that "privileged access" fits under the umbrella of privileged access management (PAM).

Least privilege and privileged access management (PAM)

Security today is obsessed with the idea of attack surface, which in a hybrid Active Directory environment is huge. The more user accounts you have, the bigger the attack surface. And the more privileges each user account has, the more damage can be done if access to the account falls into the wrong hands.

One answer to this is the principle of least privilege. Implementing role-based access control (RBAC) limits a user's privileges to only what they need to do their job.

Read more: Least privilege and the value of managing all user logons

How to secure any account with privileged access

Every user has attributed access rights and privileges and is some sort of privilege user.

PAM is obviously used by most organization to protect notably privileged accounts, such as domain and local administrator-type accounts. And yet, in reality, any standard account with access to data that is sensitive, protected, or otherwise valuable (think financial data, intellectual property…) should somehow be equally monitored and, in some cases, denied access should certain criteria be met.

However the use of a traditional PAM solution can’t easily be extended all the way down to every last “non-privileged” user account it adds a burden upon the user as an additional security step, as well as on IT as you’d need yet an even lower level account for the non-privileged to use to authenticate to PAM.

While UserLock doesn’t retain credentials in a vault, providing access to them when requested, it does provide an organization with a protective layer at the logon, ensuring the account isn’t being misused or is compromised.

Using Gartner’s words, it makes it easy for IT to “secure, manage, and monitor” non-privileged access without unnecessarily burdening the user. What’s more by having a layer of security around the use of accounts that are not traditionally considered “privileged” aligns with most organization’s desire to protect accounts with access to critical data, applications, and systems.

Improve non-privileged access security with UserLock

  • Deploy multi-factor authentication
    Administrators can customize the circumstances under which MFA is asked, to avoid prompting the user for a second factor on every connection.

  • Restrict logons with access policies
    Limit when an account can logon, from which machines or devices, using only approved session types, etc. helping to reduce the risk of inappropriate use.

  • Deliver visibility into non-privileged account use
    Traditional PAM solutions can be configured to notify IT when privileged accounts are used. IT needs that same level of real-time visibility into the use of any account, so they are aware of anomalous account behavior.

  • Respond to suspicious access events
    Automated or alert-based response allows an administrator to instantly react and perform corrective actions by remotely locking, logging of or resetting any user session.

How to enhance the security of all privileged account use

To make PAM effective, secure the logon first

Consider the security requirements behind PAM. If we break down the Gartner definition as our requirement set, there are 3 clear points:

  1. Provide privileged access
    You need to ensure the right users have appropriate elevated access to do their job.

  2. Meet compliance requirements
    Having an auditable way to prove only approved access was granted.

  3. Secure, manage and monitor privileged accounts and access
    Keep the accounts locked up, define who can access them, know when they’re used, and be able to respond if accounts are misused.

All of these requirements pivot on a single factor that lies outside of PAM itself the user needs to authenticate themselves first. But many PAM solutions rely on the Windows logon credentials to establish which policies apply and which accounts are accessible to that user. So to make PAM effective, you really need to secure the logon first.

Now, if your PAM solution takes Microsoft at its word that you’re you, it’s a problem. Take the following scenarios in which an internal account is misused:

  • A malicious insider using another user’s credentials
    Nearly half of all employees share their credentials with fellow employees. And it’s not just low-level roles in the organization; employees from key departments like legal, HR, IT, Finance, are included. Should an internal employee decide to perform a malicious act, they could logon, be authenticated by a PAM solution, and be given access to one or more privileged accounts.

  • An external attacker compromises a user’s credentials
    Nearly half of all data breaches involve hacking. And the number one tactic used in hacking is stolen credentials, which makes this scenario all too real. If a PAM solution either does not support or isn’t configured to rotate privileged passwords after each use, and a privileged user logs onto an endpoint, the privileged account credential is stored in the endpoint’s memory. External attackers who obtain an account with local admin rights can extract the credentials from the endpoint’s memory and use it to move laterally within the organization.

In short, if access to a privileged account is given solely based on it being the correct user account, your PAM is insecure. What’s needed is an additional layer of security to stop this kind of credential misuse before PAM ever comes into the picture.

UserLock fills the security gaps in traditional PAM solutions

  • Enable multi-factor authentication
    Used to enhance security around privileged account use by ensuring that only authorized personnel have access to privileged accounts.

  • Restrict privileged account use
    Logons by privileged accounts onto Windows-based machines can be made to fall subject to their own set of restrictions that sit on top of any restrictions PAM enforces (e.g., outrightly restricts domain admin accounts to troubleshoot workstations).

  • Restrict low-level account use
    By limiting which machines, IP addresses and session types an account can log on from, as well as restrict the number of concurrent sessions, organizations can better ensure that the low-level user is logged on from an approved workstation and reduces the likelihood of the low-level account being used by anyone other than the account owner.

  • Monitor all logon activity
    Logon Management can identify when unusual logons of a privileged account occur and can be configured to notify IT personnel.

  • Respond to privileged credential misuse
    Should a PAM not include session management (so privileged accounts are used directly on endpoints and not go through a proxy), with UserLock IT can review the user activity, lock the session, logoff the account, and even disable the account’s ability to logon at all.

Limit the risk associated with any kind of privileged access

Many risks come as a result of privileged access. These risks can come from external attacks or malicious insiders within an organization. Either way, the risks make it important to ensure the security of privileged access at all times.

So, if you're planning a future PAM implementation, or are looking for ways to improve the security of the PAM solution you have and you wish to extend the security as far down the “non-privileged” path as possible, consider securing the logon with UserLock.

With straightforward, effective multi-factor authentication and access management, UserLock makes it easy for IT to secure privileged and non-privileged account access. It's simple for IT to secure, restrict, and respond to privileged account use.

Try UserLock for free

  • 30-day trial
  • Full technical support
  • No credit card required
UserLock screenshot