Active Directory Privilege

Privileged Access

In Active Directory, nothing reduces battle-hardened IT veterans to a state of nervous exhaustion as quickly as the words privileged access. In truth, the concept is ambiguous.

Although some types of account – enterprise admins, say – have powerful privileged access, even basic user accounts need some access or their jobs would become impossible. The point is that this should never be carte blanche. All access must be monitored and allowed or denied depending on context, from the enterprise admins at the top of the hierarchy to the guest users at the bottom.

Out of the box, Active Directory doesn’t make managing this as easy as it could be, hence the blossoming of privileged access management (PAM) features in products such as IS Decisions’ UserLock.

Least privilege

Security today is obsessed with the idea of the attack surface, and in Active Directory that surface is huge. It starts with accounts: the more accounts there are, the bigger the attack surface, and the more privileges each user has, the more damage can be done if their credentials fall into the wrong hands.

What’s the solution? One answer is least privilege. Implemented through role-based access control (RBAC), this limits a user’s privileges to only what they need to do their job. But getting least privilege right can be tricky; users never seem to have enough and ask for more. At some point, somebody has to say no.

Read more:
Least privilege and the value of managing all user logons
Auditing logon events: Why stop there?

Privilege escalation

If the first stage of an attack on Active Directory is to compromise credentials, the next job is to elevate privileges. Discussions around privilege escalation often focus on accounts with the highest privileges, which put the Domain Controller in peril.

However, even accounts with low privileges can give an attacker a foothold to look for weak spots inside the network by running system enumeration commands or exploiting weak credentials.

All account compromise is dangerous, and privilege escalation is the fuel for much bigger problems later on.

Read more: Privileged access management for Windows Active Directory domain

Overprivileged service accounts

Service accounts are accounts used by applications and services to do useful scheduled or automated tasks within Active Directory.

Unavoidably, applications need a lot of access privileges, including the ability to access user information, modify attributes, create and delete objects, and numerous other admin tasks. Indubitably, this is a security risk. Organizations also often have too many of them or forget to remove old ones. Insanely, they are even sometimes added to the Domain Admins group.

Think of over-privileged (or under-managed) service accounts as an attacker’s best friend.
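As an added example (not from this page or from UserLock), the following PowerShell audits the Domain Admins group for the pattern described above: members that carry a service principal name (i.e. run a service), have a stale password, show no recent logon, or are disabled yet still members. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and a 365-day staleness threshold chosen here as an assumption.

```powershell
# Added example: list Domain Admins members that look like service accounts or leftovers.
# Assumes the RSAT ActiveDirectory module is installed and the session can read AD.
Import-Module ActiveDirectory

$StaleDays = 365                      # assumption: older than this counts as "forgotten"
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# -Recursive expands nested groups so indirectly privileged users are included too
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled

    $reasons = @()
    # A registered SPN means the account runs a service; Domain Admins is far more than it needs
    if ($u.ServicePrincipalName) { $reasons += 'has SPN (service account)' }
    # Service-account passwords are rarely rotated; an old password is a long-lived credential
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff) {
        $reasons += "password older than $StaleDays days"
    }
    # No recent logon suggests an abandoned account that nobody remembered to remove
    if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
        $reasons += 'no recent logon (possibly abandoned)'
    }
    # Disabled accounts should not keep group membership either
    if (-not $u.Enabled) { $reasons += 'disabled but still a member' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Reasons         = ($reasons -join '; ')
        }
    }
}

# Each row is a membership to review: move the service to a dedicated, minimally privileged
# account (or a group-managed service account) and remove it from Domain Admins.
$findings | Sort-Object SamAccountName | Format-Table -AutoSize
```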


Privileged User Monitoring & Auditing for Windows Active Directory

UserLock helps protect against bad or careless behavior from privileged users with granular permission settings, admin action reports and policy rules.
