
Privileged Account Management Best Practices
Because privileged users have so much power, most organizations have some basic controls in place to limit
or audit their activity. But are you doing everything you should? Here are best practices you can follow to
take control of privileged users across your IT environment.

 Maintain an up-to-date inventory of all privileged accounts. Be sure to inventory accounts in
critical Active Directory groups, such as Domain Admins, as well as root accounts on *nix servers (any
account with UID 0, whatever it is called, and any sudo rule that allows running all commands). Also
remember to include system admins for your mainframe systems, databases, business applications
like SAP and other high-risk applications, and network devices like firewalls, routers and phone
switches. The inventory should identify the owner of each privileged account, the system component
it is associated with, where it is primarily used and, ideally, the phone number of the owner.
Keep your inventory of privileged accounts updated and documented.
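The following is an added example of how such an inventory can be assembled from exported data; it is not code from the original page or from Netwrix. The /etc/passwd and sudoers excerpts, the Domain Admins CSV (shaped like a Get-ADGroupMember -Recursive | Export-Csv run) and the owner register are all constructed for the example, and the host and domain names are placeholders. Python is used because the checks run offline over exports rather than against live systems.

```python
"""Privileged-account inventory built from sample exports (added example).

The /etc/passwd and sudoers excerpts, the Domain Admins CSV and the owner
register below are all constructed for this example.
"""
from __future__ import annotations
import csv
import io
import re
from dataclasses import dataclass

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""
SUDOERS = """\
# constructed sudoers excerpt
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL)     ALL
bob     ALL=(ALL)     NOPASSWD: /usr/bin/systemctl restart nginx
alice   ALL=(ALL:ALL) ALL
"""
DOMAIN_ADMINS_CSV = """\
name,SamAccountName,objectClass
Administrator,Administrator,user
Carol Ops,carol.ops,user
svc_backup,svc_backup,user
"""
# Owner register maintained by the team: (system, account) -> owner.
OWNERS = {
    ("web01", "root"): "platform-team",
    ("web01", "alice"): "alice",
    ("corp.example", "carol.ops"): "carol.ops",
}

@dataclass(frozen=True)
class PrivilegedAccount:
    system: str
    account: str
    source: str          # how the privilege was found
    owner: str | None    # None means the inventory has a gap to close

def uid0_accounts(passwd_text: str) -> list[str]:
    """Every account with UID 0 is root-equivalent, whatever it is called."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            found.append(fields[0])
    return found

# Matches unrestricted rules like "alice ALL=(ALL:ALL) ALL"; rules scoped to a
# specific command list are deliberately not treated as full root.
FULL_SUDO = re.compile(r"^(?P<who>\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL$")

def full_sudo_principals(sudoers_text: str) -> list[str]:
    """Users and %groups that may run any command as anyone via sudo."""
    found = []
    for line in sudoers_text.splitlines():
        m = FULL_SUDO.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            found.append(m.group("who"))
    return found

def ad_group_members(csv_text: str) -> list[str]:
    """User members from a group-membership CSV export."""
    return [row["SamAccountName"] for row in csv.DictReader(io.StringIO(csv_text))
            if row["objectClass"] == "user"]

def build_inventory(host, passwd_text, sudoers_text, domain, admins_csv, owners):
    inv: list[PrivilegedAccount] = []
    for acct in uid0_accounts(passwd_text):
        inv.append(PrivilegedAccount(host, acct, "uid0", owners.get((host, acct))))
    for who in full_sudo_principals(sudoers_text):
        inv.append(PrivilegedAccount(host, who, "sudo-all", owners.get((host, who))))
    for sam in ad_group_members(admins_csv):
        inv.append(PrivilegedAccount(domain, sam, "Domain Admins", owners.get((domain, sam))))
    return list(dict.fromkeys(inv))   # dedupe while keeping order (frozen dataclass is hashable)

def unowned(inventory: list[PrivilegedAccount]) -> list[tuple[str, str]]:
    """Privileged accounts nobody has claimed: the first gap to close."""
    return sorted({(a.system, a.account) for a in inventory if a.owner is None})

if __name__ == "__main__":
    inv = build_inventory("web01", PASSWD, SUDOERS, "corp.example", DOMAIN_ADMINS_CSV, OWNERS)
    for a in inv:
        print(f"{a.system:13} {a.account:14} {a.source:13} owner={a.owner or 'UNASSIGNED'}")
    print("unowned:", unowned(inv))
```

Note that the second UID 0 account (toor) and the %wheel sudo rule are both caught even though neither is named "root"; those, together with the built-in Administrator and the service account that nobody has claimed, are what the unowned list surfaces.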

 Do not allow admins to share accounts. Make administrators accountable for their actions by
giving each of them a personal privileged account. Use the built-in Administrator, root and similar
accounts only when absolutely necessary; it is better to rename or disable them, keep their credentials
sealed for break-glass use and alert on any use of them.

 Minimize the number of personal privileged accounts. Ideally, each admin should have only one
personalized privileged account for all systems, separate from the account used for email and
everyday work.

 Create a password policy and strictly enforce it. Follow password best practices, including these:
- Change the password on each device so you are not using the vendor default password.
- Avoid hard-coded passwords in applications and appliances, and scan code and configuration
files for them.
- Require privileged account passwords to be changed regularly, and immediately when an
administrator leaves or changes roles, to reduce the risk of departing employees compromising
your systems.
- Never share privileged account passwords or store them in a plain text file; use a password
management tool (vault) or, at minimum, an encrypted store for this purpose.
- Safeguard privileged accounts by using two-factor authentication. There are many form factors
available: hard tokens, soft tokens, push-to-authenticate/approve, NFC or Bluetooth beacons,
fingerprints and so on, with GPS/location information usable as an additional signal. A password
alone is not enough.
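Two of these bullets, hard-coded passwords and regular rotation, can be checked mechanically. The block below is an added example, not code from the original page or from Netwrix: it scans a constructed configuration excerpt for literal secrets and flags privileged accounts whose password is older than an assumed 90-day maximum or is set to never expire. The configuration text, the account export (its fields mirror PasswordLastSet and PasswordNeverExpires in Active Directory) and the fixed "today" are all constructed.

```python
"""Credential hygiene checks over constructed samples (added example).

  1. find hard-coded credentials in configuration text,
  2. find privileged accounts whose password is past the rotation maximum
     or is flagged to never expire.
The config excerpt, account export and 90-day policy are assumptions.
"""
from __future__ import annotations
import re
from datetime import date, timedelta

# Key names that usually carry a secret; the value may be bare or quoted.
HARDCODED = re.compile(
    r"""(?ix)
    (?P<key>\w*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token))\b
    \s*[:=]\s*
    (?P<q>["']?)(?P<val>[^"'\s#]+)(?P=q)
    """)
PLACEHOLDERS = {"changeme", "<redacted>", "xxx", "none"}

def find_hardcoded(config_text: str) -> list[tuple[int, str]]:
    """(line number, key) for each literal secret. Environment-variable
    references and obvious placeholders are ignored so the scan stays actionable."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//", ";")):
            continue
        m = HARDCODED.search(line)
        if not m:
            continue
        val = m.group("val")
        if val.startswith("${") or val.lower() in PLACEHOLDERS:
            continue
        hits.append((lineno, m.group("key")))
    return hits

CONFIG = """\
# constructed app.properties
db.host=db01.internal
db.user=appsvc
db.password=Summer2023!
api_key = "${API_KEY}"
smtp_pwd: changeme
token='abc123def'
"""

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy
TODAY = date(2024, 3, 1)                # fixed so the output is reproducible

# Constructed export of privileged accounts.
PRIVILEGED_ACCOUNTS = [
    {"account": "carol.ops",     "password_last_set": date(2024, 1, 20), "never_expires": False},
    {"account": "svc_backup",    "password_last_set": date(2021, 6, 1),  "never_expires": True},
    {"account": "Administrator", "password_last_set": date(2023, 10, 1), "never_expires": False},
]

def stale_passwords(accounts, today=TODAY, max_age=MAX_PASSWORD_AGE) -> list[tuple[str, str]]:
    """Accounts that violate the rotation policy, with the reason."""
    findings = []
    for a in accounts:
        age = today - a["password_last_set"]
        if a["never_expires"]:
            findings.append((a["account"], "PasswordNeverExpires is set"))
        elif age > max_age:
            findings.append((a["account"], f"password age {age.days}d exceeds {max_age.days}d"))
    return findings

if __name__ == "__main__":
    for lineno, key in find_hardcoded(CONFIG):
        print(f"hard-coded secret: line {lineno} ({key})")
    for account, reason in stale_passwords(PRIVILEGED_ACCOUNTS):
        print(f"rotation violation: {account}: {reason}")
```

The placeholder and `${VAR}` exclusions are what keep a scanner like this usable: without them every sample config and every reference to an injected secret becomes a false positive and the real finding on line 4 gets lost in the noise.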

 Limit the scope of permissions for each privileged account. Many privileged accounts have no limits;
they have full access to everything. To minimize risk, you should enforce two key principles: separation
of duties, which means that no single employee can perform all privileged actions for a given system or
application (for example, the person who requests an access change should not be the one who
approves it), and least privilege, which means that employees are granted only the bare minimum
privileges needed to perform their jobs. So delegate permissions in Active Directory instead of adding
people to Domain Admins, and set up role-based access control (RBAC) in every system that you use.

 Use privilege elevation best practices. When users need additional access rights, they should follow a
documented request and approval process, either on paper or using a ticket in a privileged access
management system. Upon approval, elevate the user's privileges only for the time period required to
perform the specified task, and revoke them automatically when that period ends. Similarly, IT admins
should use their privileged accounts only when they need the elevated permissions for a specific task;
they should use their regular accounts otherwise.
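The separation-of-duties and least-privilege principles from the previous item and the time-bound elevation described here fit together in one workflow. The block below is an added example, not code from the original page or from any privileged access management product: a request names a scope and a duration, the approver must be someone other than the requester, an approved grant is valid only until it expires, and authorization is checked per scope rather than through a blanket "admin" flag. The ticket IDs, users, scopes, clock and the four-hour ceiling are all made up.

```python
"""Just-in-time elevation with separation of duties (added example).

Ticket IDs, users, scopes, the clock and the 4-hour ceiling are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DURATION = timedelta(hours=4)   # assumed policy ceiling for one elevation
T0 = datetime(2024, 3, 1, 9, 0)     # constructed clock start

def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)

@dataclass
class Request:
    ticket: str
    requester: str
    scope: str                       # e.g. "db01:restart-service", never "everything"
    duration: timedelta
    approver: str | None = None
    approved_at: datetime | None = None

    @property
    def expires_at(self) -> datetime | None:
        return None if self.approved_at is None else self.approved_at + self.duration

class ElevationStore:
    def __init__(self) -> None:
        self.requests: dict[str, Request] = {}
        self.audit: list[tuple[datetime, str]] = []   # the trail an auditor reads

    def request(self, ticket, requester, scope, duration, now) -> Request:
        if duration > MAX_DURATION:
            self.audit.append((now, f"DENY {ticket} {requester}: {duration} exceeds {MAX_DURATION}"))
            raise ValueError(f"{ticket}: {duration} exceeds policy maximum {MAX_DURATION}")
        req = Request(ticket, requester, scope, duration)
        self.requests[ticket] = req
        self.audit.append((now, f"REQUEST {ticket} {requester} {scope} for {duration}"))
        return req

    def approve(self, ticket, approver, now) -> Request:
        req = self.requests[ticket]
        if approver == req.requester:          # separation of duties
            self.audit.append((now, f"DENY {ticket}: self-approval by {approver}"))
            raise PermissionError(f"{ticket}: requester cannot approve own elevation")
        req.approver, req.approved_at = approver, now
        self.audit.append((now, f"APPROVE {ticket} by {approver}, expires {req.expires_at.isoformat()}"))
        return req

    def is_authorized(self, user, scope, now) -> bool:
        """True only inside an approved, unexpired grant for exactly this scope."""
        return any(
            r.requester == user and r.scope == scope and r.approved_at is not None
            and r.approved_at <= now < r.expires_at
            for r in self.requests.values()
        )

def run_demo() -> dict:
    """Walk the whole cycle and return the outcomes so they can be checked."""
    store = ElevationStore()
    store.request("CHG-1001", "alice", "db01:restart-service", timedelta(hours=1), at(0))
    out = {"before_approval": store.is_authorized("alice", "db01:restart-service", at(0))}
    try:
        store.approve("CHG-1001", "alice", at(1))
        out["self_approval_rejected"] = False
    except PermissionError:
        out["self_approval_rejected"] = True
    store.approve("CHG-1001", "bob", at(5))           # grant runs 09:05 to 10:05
    out["during_grant"] = store.is_authorized("alice", "db01:restart-service", at(30))
    out["other_scope"] = store.is_authorized("alice", "db01:reboot", at(30))
    out["after_expiry"] = store.is_authorized("alice", "db01:restart-service", at(70))
    try:
        store.request("CHG-1002", "alice", "db01:reboot", timedelta(hours=8), at(71))
        out["over_limit_rejected"] = False
    except ValueError:
        out["over_limit_rejected"] = True
    out["audit_entries"] = len(store.audit)
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Denied requests and denied approvals are written to the audit trail as well as successful ones; a self-approval attempt is exactly the kind of event the monitoring described later should surface, and it cannot be surfaced if the store only records what it allowed.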

 Monitor and log all privileged activity. Be vigilant about what actions privileged users are taking by
using a variety of logging and monitoring techniques. Implement traditional security controls, such as
firewalls and network access controls, that limit access to systems, particularly critical systems like
your intrusion detection system or identity and access management (IAM) solution. All of these systems
should have logging enabled, and you should also enable system logging for all user activity, especially
the logon/logoff events and other actions of privileged users, such as privileges being assigned at
logon and changes to the membership of administrative groups. You also need real-time monitoring of
privileged user activity and the ability to alert appropriate staff about critical actions. Creating these
alerts requires the information in the logs to be clear and understandable, which is not the case
natively for many computing platforms; IT auditing software can solve this problem.
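What such alerting looks like in practice is shown by the added example below, which is not code from the original page or from Netwrix Auditor. It runs three rules over constructed Windows Security events (one JSON object per line, deliberately out of time order): a member added to a privileged group (event IDs 4728, 4732 and 4756 for global, local and universal groups), a privileged logon (4672) by an account that is not in the inventory, and an interactive logon (4624 with logon type 2 or 10) by a service account. The event lines, host names and the inventory sets are assumptions; the sets are the part that must be kept in sync with the real account inventory.

```python
"""Alerting on privileged activity from sample Windows Security events
(added example; the events are constructed, not captured from a real system).
"""
from __future__ import annotations
import json
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
KNOWN_ADMINS = {"carol.ops", "Administrator"}        # from the privileged-account inventory
SERVICE_ACCOUNTS = {"svc_backup"}
NOISE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
INTERACTIVE_LOGON_TYPES = {2, 10}                    # console, RDP
GROUP_ADD_EVENTS = {4728, 4732, 4756}                # member added to security-enabled group

# One JSON object per line, deliberately out of time order.
SAMPLE_EVENTS = """\
{"time": "2024-03-01T08:55:12", "EventID": 4624, "Account": "carol.ops", "LogonType": 10, "Host": "jump01"}
{"time": "2024-03-01T08:55:13", "EventID": 4672, "Account": "carol.ops", "Host": "jump01"}
{"time": "2024-03-01T02:14:03", "EventID": 4624, "Account": "svc_backup", "LogonType": 10, "Host": "fs01"}
{"time": "2024-03-01T02:14:04", "EventID": 4672, "Account": "svc_backup", "Host": "fs01"}
{"time": "2024-03-01T02:16:40", "EventID": 4728, "Account": "svc_backup", "Group": "Domain Admins", "Member": "bob", "Host": "dc01"}
{"time": "2024-03-01T10:02:00", "EventID": 4672, "Account": "SYSTEM", "Host": "fs01"}
{"time": "2024-03-01T10:02:01", "EventID": 4672, "Account": "FS01$", "Host": "fs01"}
"""

def parse_events(text: str) -> list[dict]:
    """Parse JSON lines and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return sorted(events, key=lambda e: e["time"])

def is_noise(account: str) -> bool:
    """Built-in identities and computer accounts ($) raise 4672 constantly."""
    return account in NOISE_ACCOUNTS or account.endswith("$")

def detect(events: list[dict]) -> list[tuple[str, datetime, str]]:
    """Return (severity, time, message) for each rule hit, in time order."""
    alerts = []
    for e in events:
        eid, acct, host = e["EventID"], e["Account"], e["Host"]
        if eid in GROUP_ADD_EVENTS and e.get("Group") in PRIVILEGED_GROUPS:
            alerts.append(("CRITICAL", e["time"],
                           f"{acct} added {e['Member']} to {e['Group']} on {host}"))
        elif eid == 4672 and not is_noise(acct) and acct not in KNOWN_ADMINS:
            alerts.append(("HIGH", e["time"],
                           f"privileged logon by uninventoried account {acct} on {host}"))
        elif eid == 4624 and acct in SERVICE_ACCOUNTS and e.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            alerts.append(("HIGH", e["time"],
                           f"service account {acct} logged on interactively (type {e['LogonType']}) to {host}"))
    return alerts

if __name__ == "__main__":
    for sev, when, msg in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{when.isoformat()} [{sev}] {msg}")
```

On the sample data the three alerts tell one story in order: a service account is used over RDP at 02:14, logs on with administrative privileges a second later, and two minutes after that adds a new member to Domain Admins. The noise filter matters as much as the rules: without it, the SYSTEM and computer-account 4672 events would drown the real findings.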

 Extend your privileged access protection past the firewall. Don’t forget about accounts associated
with social media, SaaS applications, partners, contractors and customers; they should also be
protected according to your privileged account management policy.

 Analyze the risk of each privileged user. Continually use risk assessment to assess the danger each
privileged user poses, and focus on investigating and securing the riskiest ones first.

 Review privileged access rights at appropriate intervals (at least once a month), and regularly
review how privileged permissions are assigned. Document all changes in detail.
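The added example below shows the mechanics of such a review; it is not code from the original page or from Netwrix. A fresh membership snapshot of each privileged group (shaped like what Get-ADGroupMember -Recursive returns) is compared against the membership approved at the last review, every unapproved addition and every removal is listed for the reviewer, groups whose review is overdue are flagged, and a sign-off is refused unless every current member has a recorded justification. Group names, members, dates and the 30-day interval are all constructed.

```python
"""Monthly privileged-access review against the last attested state (added example).

Group names, members, dates and the 30-day interval are constructed.
"""
from __future__ import annotations
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=30)     # "at least once a month"
TODAY = date(2024, 3, 1)                 # fixed so the output is reproducible

# Approved state from the last review: group -> {member: justification}
ATTESTED = {
    "Domain Admins": {"Administrator": "break-glass", "carol.ops": "AD platform team"},
    "SQL Admins":    {"dave.dba": "database team", "erin.dba": "database team"},
}
LAST_REVIEWED = {"Domain Admins": date(2024, 2, 5), "SQL Admins": date(2023, 12, 15)}

# Constructed snapshot of current membership.
CURRENT = {
    "Domain Admins": {"Administrator", "carol.ops", "bob"},
    "SQL Admins":    {"dave.dba"},
}

def review(current, attested, last_reviewed, today=TODAY, interval=REVIEW_INTERVAL):
    """(group, finding, detail) for everything the reviewer has to act on."""
    findings = []
    for group in sorted(set(current) | set(attested)):
        now_members = current.get(group, set())
        ok_members = set(attested.get(group, {}))
        for m in sorted(now_members - ok_members):
            findings.append((group, "ADDED_UNAPPROVED", m))   # justify or remove
        for m in sorted(ok_members - now_members):
            findings.append((group, "REMOVED", m))            # update the record
        last = last_reviewed.get(group)
        if last is None or today - last > interval:
            findings.append((group, "REVIEW_OVERDUE", str(last)))
    return findings

def attest(group, current, attested, last_reviewed, reviewer, justifications, today=TODAY):
    """Record a sign-off. Every current member needs a justification, or the
    attestation is refused; the returned record is what gets filed."""
    missing = sorted(current[group] - set(justifications))
    if missing:
        raise ValueError(f"{group}: no justification for {missing}")
    attested[group] = {m: justifications[m] for m in current[group]}
    last_reviewed[group] = today
    return {"group": group, "reviewer": reviewer, "date": today.isoformat(),
            "members": sorted(current[group])}

if __name__ == "__main__":
    for group, finding, detail in review(CURRENT, ATTESTED, LAST_REVIEWED):
        print(f"{group:14} {finding:17} {detail}")
```

Run as written, the review reports bob as an unapproved addition to Domain Admins, erin.dba as removed from SQL Admins, and SQL Admins as overdue for review; the Domain Admins finding clears only once someone other than the person who added bob signs off with a justification for him, which is the documented change the item above asks for.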

 Educate users. Give your staff the information they need to succeed, and be sure to update them
about policies and procedures whenever there is a change to their daily routine. Everyone, not just
admins but all users, should know how to properly manage and use their credentials, privileged
or not.

 Document your account management policies and practices. Last but certainly not least, make sure
your rules and processes are explicitly written down and signed by management, so everything is clear
and enforceable.

Perform Thorough Privileged User Monitoring with Netwrix Auditor

 Easily inventory privileged accounts
 Perform privilege attestation for your administrators
 Stay on top of privileged user activity across your IT environment
 Keep an eye on privilege escalation events
 Get concrete evidence of privilege abuse incidents


About Netwrix
Netwrix Corporation is a software company focused exclusively on providing IT security and operations
teams with pervasive visibility into user behavior, system configurations and data sensitivity across hybrid IT
infrastructures to protect data regardless of its location. Over 9,000 organizations worldwide rely on Netwrix
to detect and proactively mitigate data security threats, pass compliance audits with less effort and expense,
and increase the productivity of their IT teams.

Founded in 2006, Netwrix has earned more than 140 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information about Netwrix, visit www.netwrix.com.

Corporate Headquarters:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125 Toll-free: 888-638-9749 EMEA: +44 (0) 203-588-3023 netwrix.com/social
