Privileged Access Management for Windows Active Directory Domains

Protect any Windows account with privileged access

Many risks come as a result of privileged access. These risks can come from external attacks or malicious insiders within an organization. Either way, the risks make it important to ensure the security of privileged access at all times.

Privileged Access Management (PAM) is primarily seen as a way to protect the most privileged accounts – Windows local administrator accounts, domain admin accounts, Active Directory service accounts, and anything that has control over a major part of the network environment. But the real value of PAM is realized when it’s used to protect any account with access to critical data, applications, and systems. Any account with access to data that is sensitive, privileged, protected, or otherwise valuable should be monitored just as closely and, in some cases, denied access when certain criteria are met.

Here we look at how Logon Management helps organizations protect both privileged and non-privileged accounts. It makes it easy for IT to secure non-privileged account access and simultaneously enhances the security PAM puts in place by augmenting IT’s ability to restrict and respond to privileged account use.

Logon Management for Windows Active Directory

IS Decisions’ logon management solution, UserLock, provides a comprehensive layer of security over Windows-based networks at logon. Using a mixture of enforceable logon policies, alerting, and response actions, UserLock uniquely empowers IT organizations to limit the risk associated with any kind of privileged access.

1. Secure any kind of privileged access

Every user has some assigned access rights and privileges and is therefore a privileged user of some kind (think financial data, intellectual property…). However, the use of a PAM solution can’t easily be extended all the way down to every last “non-privileged” user account: it adds a burden on the user as an additional security step, as well as on IT, since you’d need yet another, even lower-level account for non-privileged users to authenticate to PAM with.

Logon Management takes that burden away from both sets of users. It ensures accounts can’t be misused. It makes it easy for IT to “secure, manage, and monitor” (using Gartner’s words) “non-privileged” access without burdening the user.

Enhance security around ‘non-privileged’ access

PAM is obviously used by most organizations to protect notably privileged accounts, such as domain and local administrator-type accounts. And yet, in reality, any account with access to data that is sensitive, privileged, protected, or otherwise valuable should be monitored just as closely and, in some cases, denied access when certain criteria are met.

For example, the user account for the head of Sales doesn’t seem particularly “privileged”, but it does have complete access to your customer database.

So, having a layer of security around the use of that account – and accounts like it that are not traditionally considered “privileged” – aligns with most organizations’ desire to protect accounts with access to critical data, applications, and systems.

The Role of Logon Management

While Logon Management doesn’t retain credentials in a vault and hand them out on request, it does provide an organization with a protective layer at the logon, ensuring the account isn’t being misused and hasn’t been compromised.

Logon Management enhances non-privileged access security by:

  • Restricting logons with access policies – Restrictions can be established to limit when an account can log on, from which machines, devices or IP addresses, using only approved session types and no concurrent sessions, etc., helping to reduce the risk of inappropriate use.
  • Delivering visibility into non-privileged account use – PAM can be configured to notify IT when privileged accounts are used. IT needs that same level of real-time visibility into the use of accounts like the previously mentioned Sales account, so they are aware of anomalous account behavior – like logging on at 9:45pm on a Friday night – that may indicate a potential threat.
  • Responding to credential misuse – Automated or alert-driven response to any user activity found to be inappropriate, by remotely locking, forcing a logoff from, or resetting any Windows session.

2. Better protect the most privileged users (system/admin accounts)

Consider the security requirements behind PAM. If we break down the Gartner definition as our requirement set, there are three clear points:

  1. “To provide privileged access” – You need to ensure the right users have appropriate elevated access to do their job.
  2. “Meet compliance requirements” – Having an auditable way to prove only approved access was granted.
  3. “Secure, manage and monitor privileged accounts and access” – Keep the accounts locked up, define who can access them, know when they’re used, and be able to respond if accounts are misused.

All of these requirements pivot on a single factor that lies outside of PAM itself – the user needs to authenticate themselves first. But many PAM solutions rely on the Windows logon credentials to establish which policies apply and which accounts are accessible to that user.

So, to make PAM effective, you really need to secure the logon first.

Logon: The Foundation for Secure PAM

If your PAM solution takes Microsoft at its word that you’re you, it’s a problem. Take the following two scenarios in which an internal account is misused:

  1. A malicious insider uses another user’s credentials – Nearly half of all employees share their credentials with fellow employees [1]. And it’s not just low-level roles in the organization; employees from key departments like Legal, HR, IT and Finance are included. Should an internal employee decide to perform a malicious act, they could log on, be authenticated by a PAM solution, and be given access to one or more privileged accounts.
  2. An external attacker compromises a user’s credentials – Nearly half of all data breaches involve hacking, and the number one tactic used in hacking is stolen credentials [2], which makes this scenario all too real. Attackers are wise to the kind of security solutions in use today, so it’s not a stretch to think they may look for access to a PAM solution to see if they can reach privileged accounts.

In short, if access to a privileged account is given solely based on it being the correct user account, your PAM is insecure. What’s needed is an additional layer of security to stop this kind of credential misuse before PAM ever comes into the picture.

Securing PAM with Logon Management

Logon Management solutions provide added protection by monitoring Windows logons, leveraging policies, workflow, alerting, and responsive actions to keep IT aware of abnormal logons and in control of logons should they need to respond to an issue.

In essence, by layering PAM with Logon Management, you provide IT with a needed layer of visibility into whether a logon is appropriate or not before access to privileged accounts is granted.

There are two ways Logon Management helps PAM:

1) Logon Management implements restrictions not necessarily found in PAM

PAM solutions have their own restrictions around the access to and use of privileged accounts. For example, a particular user may only be able to access one specific privileged account during business hours. And, while PAM solutions may have their own set of restrictions, most pertain to where and when a privileged account can be used, and do not put any restriction on the low-level account.

The Role of Logon Management

Restrictions help to lower risk and reduce the threat footprint. The closer to a true state of Least Privilege an organization can come, the closer they are to all but eliminating the risk of privileged account misuse.

Logon Management can be used to enhance security around privileged account use by:

  • Restricting low-level account use – By limiting which machines, IP addresses and session types an account can log on from, as well as restricting the number of concurrent sessions, organizations can better ensure that the low-level user is logged on from an approved workstation and reduce the likelihood of the low-level account being used by anyone other than the account owner.
  • Restricting privileged account use – Logons by privileged accounts onto Windows-based machines can be made subject to their own set of restrictions that sit on top of any restrictions PAM enforces, e.g. outright blocking domain admin accounts from logging on to workstations to troubleshoot them.
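To make the restriction and visibility rules described above (the access-policy and anomaly-alerting bullets in section 1, and the low-level and privileged account restrictions here) concrete, here is an added policy evaluator. It is illustrative code written for this page, not UserLock’s own product logic or configuration format; the policy fields, the `LogonEvent` shape and the sample events are all constructed assumptions. Hard restrictions (source network, session type, concurrent sessions, admins on workstations) deny the logon, while an off-hours logon is allowed but flagged for IT, mirroring the 9:45pm Friday example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy model for illustration only; it is not UserLock's configuration format.
@dataclass
class LogonPolicy:
    allowed_networks: tuple = ("10.10.0.0/16",)              # approved source addresses
    allowed_session_types: frozenset = frozenset({"interactive", "rdp"})
    max_concurrent: int = 1                                  # no concurrent sessions
    business_hours: tuple = (7, 19)                          # 07:00-19:00, Mon-Fri
    admins_barred_from_workstations: bool = True             # privileged accounts: servers only

@dataclass
class LogonEvent:
    user: str
    privileged: bool
    host_role: str        # "workstation" or "server"
    source_ip: str
    session_type: str     # "interactive", "rdp", "service", ...
    when: datetime
    open_sessions: int    # sessions this user already has open elsewhere

def evaluate(policy: LogonPolicy, ev: LogonEvent) -> tuple[str, list[str]]:
    """Return ('deny' | 'alert' | 'allow', reasons): hard rules deny, off-hours only alerts."""
    reasons = []
    src = ip_address(ev.source_ip)
    if not any(src in ip_network(n) for n in policy.allowed_networks):
        reasons.append(f"source {ev.source_ip} is outside the approved networks")
    if ev.session_type not in policy.allowed_session_types:
        reasons.append(f"session type {ev.session_type!r} is not approved")
    if ev.open_sessions >= policy.max_concurrent:
        reasons.append(f"{ev.open_sessions} session(s) already open (max {policy.max_concurrent})")
    if ev.privileged and policy.admins_barred_from_workstations and ev.host_role == "workstation":
        reasons.append("privileged account logging on to a workstation")
    if reasons:
        return "deny", reasons
    start, end = policy.business_hours
    if ev.when.weekday() > 4 or not start <= ev.when.hour < end:
        return "alert", [f"logon at {ev.when:%a %H:%M} is outside business hours"]
    return "allow", []

# Constructed sample events: normal logon, Sales head at 9:45pm Friday, domain admin on a workstation, off-network second session.
SAMPLE_EVENTS = [
    LogonEvent("sales.head", False, "workstation", "10.10.4.21", "interactive", datetime(2024, 3, 6, 10, 0), 0),
    LogonEvent("sales.head", False, "workstation", "10.10.4.21", "interactive", datetime(2024, 3, 8, 21, 45), 0),
    LogonEvent("da-admin", True, "workstation", "10.10.4.22", "rdp", datetime(2024, 3, 6, 10, 0), 0),
    LogonEvent("sales.head", False, "workstation", "203.0.113.5", "rdp", datetime(2024, 3, 6, 10, 0), 1),
]
```

Running `evaluate(LogonPolicy(), ev)` over `SAMPLE_EVENTS` yields allow, alert, deny and deny respectively, with the reasons IT would see in a notification.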

2) Logon management protects against compromised credentials

If a PAM solution either does not support or isn’t configured to rotate privileged passwords after each use, and a privileged user logs onto an endpoint, the privileged account credential is stored in the endpoint’s memory. External attackers who obtain an account with local admin rights can extract the credentials from the endpoint’s memory and use them to move laterally within the organization.

The Role of Logon Management

Monitoring of logon activity can be helpful to identify abnormal privileged account activity outside that of a PAM solution and, potentially, take action should misuse be detected.

Logon Management can protect against compromised credentials by:

  • Monitoring all logon activity – Logon Management can identify when unusual logons of a privileged account occur and can be configured to notify IT personnel.
  • Responding to privileged credential misuse – Should a PAM solution not include session management (so privileged accounts are used directly on endpoints rather than through a proxy), Logon Management can be used by IT to review the user activity, lock the session, log off the account, and even disable the account’s ability to log on at all.

Using UserLock to Make PAM More Secure

With external attacks, phishing scams, and malware infections on the rise, organizations are looking for ways to protect privileged access – the gateway to an organization’s most valuable data.

Logon Management with UserLock makes it easy for IT to “secure, manage, and monitor” non-privileged access without burdening the user. It simultaneously enhances the security PAM puts in place by augmenting IT’s ability to restrict and respond to privileged account use.

So, whether you are planning a future implementation of PAM or looking for ways to improve the security of the PAM solution you already have – and you wish to extend that security as far down the “non-privileged” path as possible – consider securing the logon by utilizing Logon Management.

[1] IS Decisions, Insider Threat Persona Study (2017)
[2] Verizon, Data Breach Investigations Report (2018)