In listening to Brad Bussie’s recent webinar, I learned that securing privileged access is a complex and serious problem for organizations of any size. A recent cybersecurity study by Praetorian ranked privileged system access among the top five most prevalent threats to corporate data. Why? Because system-level access has sprawled significantly over the years, and most organizations have no way to govern or clean up privileged access that is no longer needed, making these systems a prime target for attackers. PIM solutions help with this problem but are often implemented using a “line in the sand” approach, neglecting much of the privileged access that already exists across thousands of endpoints.
STEALTHbits has over a decade of experience helping customers understand how administrative access has been granted to their desktop and server infrastructure, and who effectively has these highly privileged access rights. This blog outlines a 5-step process you can follow to bring your systems back under centralized control. It also highlights key reports that provide even deeper insight into critical system-level configurations and conditions that attackers exploit in almost every breach scenario.
5 Steps for Privileged Account Auditing
Step 1: Survey and Analyze
The first step is to scan your systems to get an inventory of what’s out there and who has access to it, e.g., local admin groups, applications, etc. This information will serve as your baseline for prioritizing focus areas.
Step 2: Focus on What Matters Most
The second step is to review your scan findings and define the areas you want to tackle first. These areas can include systems housing critical applications or systems with an excessive number of users that have privileged access rights.
Step 3: Get the Right Stakeholders Involved
The third step is to figure out which stakeholders need to be involved in your auditing efforts by determining who technically “owns” each system. Key stakeholders usually include business owners, data custodians, and local (and other) administrators.
Step 4: Review and Remediate
With stakeholder support and feedback, you can begin securing your systems by removing access privileges that are no longer needed and instituting ongoing entitlement reviews to ensure only the right people have access at all times.
Step 5: What’s Next?
After you complete steps one through four of your top priorities, begin again at step one with your next set of priorities. Keep repeating the cycle until you have addressed all your systems. Periodic entitlement reviews are the best way to keep systems clean so they do not get out of control again.
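The survey and prioritization in Steps 1 and 2 can be started with a short script before any tooling is in place. The following PowerShell is an added example, not StealthAUDIT or STEALTHbits code; it assumes PowerShell Remoting is enabled, that the caller is an administrator on the targets, that the hosts run Windows 10 / Server 2016 or later (for Get-LocalGroupMember), and that a hypothetical hosts.txt lists one hostname per line. It captures a dated baseline of direct local Administrators membership per host, then flags the hosts with the most privileged principals, with nested domain groups (which hide effective access), or with Domain Users as a local admin, so those hosts can be tackled first.

```powershell
# Added example: baseline inventory of local Administrators membership across a fleet.
# Assumptions: PS Remoting enabled, admin rights on targets, Windows 10 / Server 2016+,
# and a hosts.txt file (hypothetical) with one hostname per line.
param(
    [string[]]$ComputerName = (Get-Content -Path '.\hosts.txt'),
    [int]$Threshold = 5,   # flag hosts whose Administrators group has more members than this
    [string]$OutFile  = ".\LocalAdminBaseline_$(Get-Date -Format yyyyMMdd).csv"
)

# Collect direct members of the built-in Administrators group on every host.
# The well-known SID S-1-5-32-544 is used instead of the group name so renamed or
# localized groups still resolve. Unreachable hosts are recorded in $failed.
$inventory = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Member      = $_.Name
            ObjectClass = $_.ObjectClass        # User or Group
            Source      = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID         = $_.SID.Value
            Collected   = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

# Per-host summary used to decide what to focus on first (Step 2).
$summary = $inventory | Group-Object -Property Host | ForEach-Object {
    $members = @($_.Group)
    [pscustomobject]@{
        Host               = $_.Name
        MemberCount        = $members.Count
        # Domain groups nested in the local group: their effective membership is not
        # visible here and must be expanded in AD before the review in Step 4.
        NestedDomainGroups = (@($members | Where-Object {
                                  $_.ObjectClass -eq 'Group' -and $_.Source -eq 'ActiveDirectory'
                              }).Member) -join ';'
        # RID 513 is Domain Users: if it is a local admin, every domain account is.
        DomainUsersIsAdmin = [bool]($members | Where-Object { $_.SID -like '*-513' })
        OverThreshold      = ($members.Count -gt $Threshold)
    }
} | Sort-Object -Property MemberCount -Descending

# Persist the raw baseline (Step 1) and show the hosts that deserve attention first (Step 2).
$inventory | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Where-Object { $_.OverThreshold -or $_.DomainUsersIsAdmin -or $_.NestedDomainGroups } |
    Format-Table -AutoSize

if ($failed) {
    # Hosts that could not be reached are a gap in the baseline, not a clean result.
    Write-Warning ("Not collected: " + (($failed | ForEach-Object { $_.TargetObject }) -join ', '))
}
```

Re-running the script on a schedule and diffing the CSVs against the previous baseline gives you the membership-change view that the ongoing entitlement reviews in Step 4 depend on.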
Best Practice Reports for Local Systems
StealthAUDIT not only provides deep visibility into administrative access rights but also into virtually anything else you’d want to know about your Windows desktop and server infrastructure. Our Security Best Practice reports provide key insights based on published attack paths and best practices from Microsoft and other industry experts to help you protect your systems and the data stored on them. You can use the reports below, or customize your own, to find exactly where you’re vulnerable:
- Local Administrators Summary and Detail — identifies users and groups on hosts (direct and effective access), including local admin group membership and membership changes
- Privileged Accounts — shows privileged accounts (local and domain), what their status is, and whether they’re following password change and other security policies
- Services Overview — details what services are running and whether they’re being run by local or domain user accounts; highlights the impact changing a password may have on services
- Scheduled Tasks — displays scheduled tasks and how service account changes, like updated passwords, may disrupt them; also uncovers malicious tasks or vulnerabilities in tasks being run
- Restrict Anonymous Access — checks if anonymous connections are allowed over your network and helps you disable anonymous access so all network connections have to authenticate
- LSA Protection Enabled — determines whether LSA Protection is enabled so that LSASS only loads signed plug-ins/drivers, which defends against credential-theft tools like mimikatz; helps you enable LSA Protection if it isn’t running
- Microsoft LAPS Overview — verifies that LAPS is working so you can centralize the password management of local privileged accounts, which is critical if you aren’t using a PIM solution
- Security Support Providers — finds malicious security support providers that allow hacking tools like mimikatz (mimilib.dll) to run in your environment and helps you remove them
- WDigest Settings / Possible Clear Text Passwords — discovers if clear text passwords are stored in memory; helps you adjust settings so clear text passwords can no longer be stored
- All Installed Applications — inventories all your applications to detect malicious and unwanted applications that have been installed, including which user account installed them
- Suspicious PowerShell Commands — uncovers suspicious PowerShell commands like token impersonation that often get missed by change auditing tools looking at domain controllers
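Several of the conditions above (anonymous access, LSA Protection, LAPS, registered security support providers, and WDigest clear text credentials) are plain registry settings that can be audited without a product. The following PowerShell is an added example, not StealthAUDIT code; the registry paths are documented Windows settings, the expected values follow Microsoft’s hardening guidance, and the list of known-good SSP names is an assumption that should be tuned to your own build baseline. The LAPS check covers the legacy AdmPwd client only; Windows LAPS uses different policy keys and is not checked here. Run it locally, or fleet-wide with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Test-HostHardening.ps1`.

```powershell
# Added example: audit host conditions the Security Best Practice reports describe.
# Returns one row per check with the observed value and a Pass flag.
function Test-HostHardening {
    # Read a registry value, returning $null when the key or value is absent.
    function Get-RegValue {
        param([string]$Path, [string]$Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, $Value, [bool]$Pass) {
        $checks.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Check = $Name; Value = $Value; Pass = $Pass })
    }

    # WDigest: UseLogonCredential=1 keeps clear text passwords in LSASS memory.
    # An explicit 0 is the safe state; an absent value is flagged for review here
    # because its meaning depends on OS version and patch level.
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    Add-Check 'WDigest clear text credentials disabled (UseLogonCredential=0)' $wdigest ($wdigest -eq 0)

    # LSA Protection: RunAsPPL=1 (or 2 on newer builds) runs LSASS as a protected
    # process, so unsigned plug-ins and credential dumpers cannot load into it.
    $ppl = Get-RegValue $lsa 'RunAsPPL'
    Add-Check 'LSA Protection enabled (RunAsPPL>=1)' $ppl ($null -ne $ppl -and $ppl -ge 1)

    # Anonymous access: RestrictAnonymous>=1 and RestrictAnonymousSAM=1 stop null-session
    # enumeration of shares and accounts; EveryoneIncludesAnonymous must not be 1.
    $ra    = Get-RegValue $lsa 'RestrictAnonymous'
    $raSam = Get-RegValue $lsa 'RestrictAnonymousSAM'
    $eia   = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
    Add-Check 'Anonymous access restricted' "RA=$ra SAM=$raSam EIA=$eia" `
        ($null -ne $ra -and $ra -ge 1 -and $raSam -eq 1 -and $eia -ne 1)

    # Security Support Providers: any package not in the known-good list is unexpected.
    # The known list is an assumption; compare against a clean build of your own image.
    # On recent Windows the Lsa value can hold the literal string "" which is ignored.
    $knownSsp   = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap'
    $registered = @(Get-RegValue $lsa 'Security Packages') + @(Get-RegValue "$lsa\OSConfig" 'Security Packages')
    $unexpected = @($registered | Where-Object { $_ -and $_ -ne '""' -and ($_ -notin $knownSsp) } | Sort-Object -Unique)
    Add-Check 'No unexpected Security Support Providers' ($unexpected -join ';') ($unexpected.Count -eq 0)

    # Legacy LAPS (AdmPwd): AdmPwdEnabled=1 under the policy key means the client-side
    # extension is managing the local administrator password on this host.
    $laps = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    Add-Check 'Legacy LAPS policy enabled (AdmPwdEnabled=1)' $laps ($laps -eq 1)

    return $checks
}

# Show failures first so the remediation list (Step 4) is immediately visible.
Test-HostHardening | Sort-Object -Property Pass | Format-Table -AutoSize
```

Treat a failed row as a finding to confirm with the system owner rather than as something to auto-remediate: enabling LSA Protection, for example, can break legitimate third-party authentication packages, which is exactly the stakeholder conversation Step 3 is for.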
Tuula Fai is the Senior Marketing Director of StealthAUDIT at STEALTHbits. For the past 20 years, she has worked in a variety of roles within the software industry, starting as a developer and implementation engineer before moving into product marketing and digital campaigns. Having worked in both customer service and human resources, she is passionate about safeguarding customer and employee data as part of overall security initiatives. She graduated Summa cum Laude from Georgetown with an MBA in marketing and IT, and has won two technology marketing awards. You can find her running and writing in the Rocky Mountains of Colorado.