5 Steps for Adopting Privileged Local Account Auditing Best Practices

In listening to Brad Bussie’s recent webinar, I learned that securing privileged access is a complex and serious problem for organizations of any size. In a recent cybersecurity study by Praetorian, they ranked privileged system access among the top five most prevalent threats to corporate data. Why? Because system-level access has sprawled significantly over the years and most organizations have no way to govern or clean up privileged access that is no longer needed, making these systems a prime target for attackers. PIM solutions help with this problem but are often implemented using a “line in the sand” approach, neglecting much of the privileged access that already exists across thousands of endpoints.

STEALTHbits has over a decade of experience helping customers understand how administrative access has been granted to their desktop and server infrastructure, and who effectively has these highly privileged access rights. This blog outlines a 5-step process you can follow to bring your systems back under centralized control. It also highlights key reports that provide even deeper insight into critical system-level configurations and conditions that attackers exploit in almost every breach scenario.

5 Steps for Privileged Account Auditing

Step 1: Survey and Analyze

The first step is to scan your systems to get an inventory of what is out there and who has access to it, such as local admin group membership and installed applications. This inventory serves as your baseline for prioritizing focus areas.

Step 2: Focus on What Matters Most

The second step is to review your scan findings and define the areas you want to tackle first. These areas can include systems housing critical applications or systems with an excessive number of users that have privileged access rights.

Step 3: Get the Right Stakeholders Involved

The third step is to figure out which stakeholders need to be involved in your auditing efforts by determining who technically “owns” each system. Key stakeholders usually are business owners, data custodians, and local (and other) administrators.

Step 4: Review and Remediate

With stakeholder support and feedback, you can begin securing your systems by removing access privileges that are no longer needed and instituting ongoing entitlement reviews to ensure only the right people have access at all times.

Step 5: What’s Next?

After you complete steps one through four of your top priorities, begin again at step one with your next set of priorities. Keep repeating the cycle until you have addressed all your systems. Periodic entitlement reviews are the best way to keep systems clean so they do not get out of control again.
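As an added example (not STEALTHbits or StealthAUDIT code) of the Step 1 survey and the Step 2 triage it feeds, the script below collects local Administrators membership from a constructed host list, saves it as the baseline, and flags hosts with excessive or overly broad membership. It assumes PowerShell remoting is enabled and the caller is an administrator on each host; the host names and the threshold are placeholders.

```powershell
# Added example, not StealthAUDIT code: Step 1 baseline + Step 2 triage of local admins.
$Hosts            = @('WS-001', 'WS-002', 'SRV-APP-01')   # constructed list; use your inventory
$MaxDirectMembers = 5                                     # assumed threshold for "excessive"
$BroadGroups      = @('Domain Users', 'Authenticated Users', 'Everyone')  # never local admins

$Baseline = foreach ($h in $Hosts) {
    try {
        # Get-LocalGroupMember ships with Windows 10 / Server 2016+ (LocalAccounts module)
        $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Host      = $h
                Member    = $m.Name              # e.g. CONTOSO\Domain Admins or WS-001\Administrator
                Type      = $m.ObjectClass       # User or Group
                Source    = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                Collected = (Get-Date).ToString('s')
            }
        }
    } catch {
        # An unreachable host is itself a finding: it cannot be governed until it is reachable.
        Write-Warning "$h : $($_.Exception.Message)"
    }
}

# Persist the baseline; later runs are compared against it to detect membership changes.
$Baseline | Export-Csv -Path '.\local-admins-baseline.csv' -NoTypeInformation

# Step 2 triage: too many direct members, or a broad domain group granted local admin.
$Baseline | Group-Object Host | ForEach-Object {
    $broad = $_.Group | Where-Object { $BroadGroups -contains ($_.Member -replace '^.*\\', '') }
    [pscustomobject]@{
        Host        = $_.Name
        MemberCount = $_.Count
        BroadGroups = ($broad.Member -join '; ')
        Priority    = if ($broad -or $_.Count -gt $MaxDirectMembers) { 'High' } else { 'Normal' }
    }
} | Sort-Object @{ Expression = 'Priority' }, @{ Expression = 'MemberCount'; Descending = $true } |
    Format-Table -AutoSize
```

Re-running the collection on a schedule and diffing the CSV against the stored baseline is the simplest form of the periodic entitlement review recommended in Step 5.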

Best Practice Reports for Local Systems

StealthAUDIT not only provides deep visibility into administrative access rights but into virtually anything else you would want to know about your Windows desktop and server infrastructure. Our Security Best Practice reports provide key insights based on published attack paths and best practices from Microsoft and other industry experts to help you protect your systems and the data stored on them. You can use the reports below, or customize your own, to find exactly where you are vulnerable:

  • Local Administrators Summary and Detail — identifies the users and groups with direct and effective administrative access on each host, including local admin group membership and membership changes
  • Privileged Accounts — lists privileged accounts (local and domain), their status, and whether they comply with password change and other security policies
  • Services Overview — details which services are running and whether they run under local or domain user accounts; highlights the impact a password change may have on services
  • Scheduled Tasks — displays scheduled tasks and how service account changes, such as updated passwords, may disrupt them; also uncovers malicious tasks or vulnerabilities in the tasks being run
  • Restrict Anonymous Access — checks whether anonymous connections are allowed on your network and helps you disable anonymous access so every network connection has to authenticate
  • LSA Protection-enabled — determines whether LSA Protection is enabled so that only signed plug-ins/drivers can load into LSASS, defending against credential-theft tools like mimikatz; helps you enable it if it isn't
  • Microsoft LAPS Overview — verifies that LAPS is working so you can centralize password management for local privileged accounts, which is critical if you aren't using a PIM solution
  • Security Support Providers — finds rogue security support providers registered with LSA that let hacking tools such as mimikatz (mimilib.dll) run in your environment, and helps you remove them
  • WDigest Settings / Possible Clear Text Passwords — discovers whether clear-text passwords are being kept in memory and helps you adjust the setting so they can no longer be stored
  • All Installed Applications — inventories all your applications to detect malicious and unwanted installations, including which user account installed them
  • Suspicious PowerShell Commands — uncovers suspicious PowerShell commands, such as token impersonation, that change auditing tools focused on domain controllers often miss
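As an added example (not StealthAUDIT code), the script below reads the host settings behind the Restrict Anonymous, LSA Protection, WDigest, Security Support Providers and LAPS reports above and prints a PASS/FAIL with the registry location to remediate. It runs locally as an administrator (wrap it in Invoke-Command to cover a host list); the allowlist of expected security packages is an assumption to tune to your own golden image.

```powershell
# Added example, not StealthAUDIT code: host-level checks behind the reports listed above.
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LapsKeys = @('HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd',   # legacy LAPS policy key
              'HKLM:\SOFTWARE\Microsoft\Policies\LAPS')              # Windows LAPS policy key

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing, so absence is handled explicitly below.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Assumed allowlist for the LSA "Security Packages" lists; anything else gets reviewed.
$ExpectedSsps = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u'
$LoadedSsps   = (@(Get-RegValue $Lsa 'Security Packages') +
                 @(Get-RegValue "$Lsa\OSConfig" 'Security Packages')) |
                Where-Object { $_ } | ForEach-Object { $_.Trim().ToLower() }
$UnknownSsps  = $LoadedSsps | Where-Object { $ExpectedSsps -notcontains $_ }

$UseLogonCred = Get-RegValue $WDigest 'UseLogonCredential'
$LapsPolicy   = $LapsKeys | Where-Object { Test-Path $_ } | Select-Object -First 1

$Checks = @(
    [pscustomobject]@{ Control = 'LSA Protection (RunAsPPL) enabled'
                       Pass    = ((Get-RegValue $Lsa 'RunAsPPL') -ge 1)
                       Fix     = "$Lsa  RunAsPPL = 1 (DWORD), then reboot" }
    [pscustomobject]@{ Control = 'WDigest clear-text credential caching disabled'
                       # Absent means off only on Windows 8.1/2012 R2 and later; require an explicit 0.
                       Pass    = ($UseLogonCred -eq 0)
                       Fix     = "$WDigest  UseLogonCredential = 0 (DWORD)" }
    [pscustomobject]@{ Control = 'Anonymous enumeration restricted'
                       Pass    = ((Get-RegValue $Lsa 'RestrictAnonymous') -ge 1 -and
                                  (Get-RegValue $Lsa 'EveryoneIncludesAnonymous') -ne 1)
                       Fix     = "$Lsa  RestrictAnonymous = 1 or 2, EveryoneIncludesAnonymous = 0" }
    [pscustomobject]@{ Control = 'No unexpected Security Support Providers'
                       Pass    = (-not $UnknownSsps)
                       Fix     = "review and remove from $Lsa 'Security Packages': $($UnknownSsps -join ', ')" }
    [pscustomobject]@{ Control = 'LAPS policy present'
                       Pass    = [bool]$LapsPolicy
                       Fix     = 'deploy LAPS (legacy AdmPwd or Windows LAPS) via Group Policy or Intune' }
)

$Checks | Select-Object Control, @{ n = 'Result'; e = { if ($_.Pass) { 'PASS' } else { 'FAIL' } } }, Fix |
    Format-Table -AutoSize -Wrap
```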

Find Out More

Check out our Credential and Data Security Assessment free trial by clicking here. If you need assistance, please contact sales@stealthbits.com.
