
Privileged Access Management Best Practices

Daniel Piazza
Technical Product Manager for the Netwrix PAM solution
Privileged Access Management (PAM)

Traditionally, organizations have maintained dozens, if not hundreds, of privileged accounts to enable essential
administrative tasks across the IT ecosystem. These standing privileged credentials represent a serious security
risk: they can be taken over by attackers or misused by their owners, whether accidentally or deliberately.
Privileged access management therefore focused primarily on locking those accounts down, which became a
complex and never-ending struggle to reduce risk.

Modern privileged access management takes a vastly different approach: providing each admin with just enough
access to perform a specific task and for only as long as it takes to perform that task. This eliminates the need
to have all those standing privileged accounts at all, slashing both management overhead and security risk.
Below, we detail the best practices involved in minimizing the security risks associated with standing privileged
accounts. Then we explore the modern alternative and offer a proven solution for implementing it.

Best Practices for Traditional Privileged Account Management

Maintain an up-to-date inventory of all privileged accounts. Be sure to inventory the members of critical
Active Directory groups, such as Domain Admins, as well as root accounts on *nix servers. Also include
system administrator accounts for mainframes; databases; business applications like SAP and other high-risk
applications; and network devices such as firewalls, routers and phone switches. For each privileged account,
the inventory should record its owner and their contact information, the system components the account is
associated with, and where those systems are located. Keep the inventory updated and document all changes.
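
The following script is an added example for the Active Directory part of this inventory; it is not code from the paper or from the Netwrix product. It requires the ActiveDirectory RSAT module and domain read access. The list of privileged groups is an assumption and should be extended with any custom groups that carry delegated rights in your forest.

```powershell
# Added example, not from the original paper: enumerate privileged AD accounts into a reviewable
# inventory. Requires the ActiveDirectory RSAT module and domain read access; the group list is
# an assumption and should be extended with any custom groups that carry delegated rights.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)
$UserProps = @('Enabled', 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires',
               'Manager', 'Description', 'ServicePrincipalName')

function Get-PrivilegedAccountInventory {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so members inherited through group chains are included.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') { continue }   # computers and gMSAs are inventoried elsewhere
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties $UserProps
            $owner = if ($u.Manager) { (Get-ADUser -Identity $u.Manager -Properties mail).mail } else { $null }
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate            # replicated value; can lag up to 14 days
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                HasSPN               = ($u.ServicePrincipalName.Count -gt 0)   # admin account doubling as a service account
                IsBuiltInAdmin       = $u.SID.Value.EndsWith('-500')           # renamed built-in Administrator is still RID 500
                Owner                = $owner
                Description          = $u.Description
            }
        }
    }
}

$inventory = Get-PrivilegedAccountInventory

# Findings a reviewer wants first: ownerless, stale, never-expiring, or service-like privileged accounts.
$inventory | Where-Object {
    -not $_.Owner -or $_.PasswordNeverExpires -or $_.HasSPN -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-90))
} | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Full inventory, dated, for the change record the paper calls for.
$inventory | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two caveats when reading the output: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute and can be up to 14 days behind the real last logon, so do not disable an account on that value alone; and `Get-ADGroupMember` only sees group membership, not rights granted directly through ACLs on OUs, GPOs or AdminSDHolder, which need a separate permissions review.
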

Do not allow admins to share accounts. Hold administrators accountable for their actions by giving each of
them a personal privileged account. Use the built-in administrator, root and similar accounts only when absolutely
necessary; it is better to disable them, or to rename them where they cannot be disabled. Keep in mind that
renaming the built-in Windows Administrator account is a weak control on its own: its SID always ends in -500,
so an attacker can still identify it.

Minimize the number of privileged accounts. Ideally, each admin has a single personal privileged account, kept
separate from their everyday user account, rather than a different administrative account on every system.

Create a password policy and strictly enforce it. Follow password best practices, including these:

- Change the default password on every device and appliance before it goes into production.
- Avoid hard-coded passwords in applications and appliances.
- Require privileged account passwords to be changed regularly, and immediately when an administrator who
knew them leaves, to reduce the risk of departing employees compromising your systems.

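
In Active Directory the enforceable part of this policy is a fine-grained password policy (PSO) applied to the privileged groups, which overrides the usually weaker domain default. The script below is an added example, not code from the paper or the Netwrix product; the PSO name, the subject groups and the length and age values are assumptions to be replaced with your own standard.

```powershell
# Added example, not from the original paper: apply a stricter password policy to privileged
# accounts via a fine-grained password policy, then verify it is the resultant policy.
# PSO name, subject groups and thresholds are assumptions.
Import-Module ActiveDirectory

$PsoName  = 'PSO-PrivilegedAccounts'
$Subjects = @('Domain Admins', 'Enterprise Admins')   # groups whose members get the stricter policy

# The domain default is what privileged accounts inherit if nothing else applies; show it for contrast.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    # Lower Precedence wins when several PSOs apply to the same user.
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Subjects

# Verify per account: a PSO that exists but does not resolve to the user is a common silent failure.
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account        = $_.SamAccountName
            EffectivePolicy = if ($pso) { $pso.Name } else { 'Domain default' }
            MinLength      = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
            MaxAgeDays     = if ($pso) { $pso.MaxPasswordAge.Days } else { $default.MaxPasswordAge.Days }
        }
    } | Format-Table -AutoSize
```

The verification step matters because a PSO is only applied to users and global groups; a privileged account that is a member through a domain-local or universal group, or one with `PasswordNeverExpires` set, will still show the domain default or never rotate, which is exactly the finding the inventory step above is meant to surface.
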
Require multifactor authentication for privileged accounts. Options include hard tokens, soft tokens,
push-to-authenticate/approve, NFC or Bluetooth beacons, location information and biometrics such as fingerprints.
A password alone is not enough.

Limit the scope of permissions for each privileged account. Many privileged accounts have no limits; they
have full access to everything. To minimize risk, you should enforce two key principles:

- Separation of duties — No employee can perform all privileged actions for a given system or application.
- Least privilege — Employees are granted only the bare minimum privileges needed to perform their jobs.

Useful strategies include delegating permissions in Active Directory and setting up role-based access control
(RBAC) in every system that you use.

Use privilege elevation best practices. When users need additional access rights, they should follow a
documented request and approval process, either on paper or using a ticket in a privileged access management
system. Upon approval, elevate the user's privileges only for the time period required to perform the
specified task. Similarly, IT admins should use their privileged accounts only when they need the elevated
permissions for a specific task, and their regular accounts otherwise.

Monitor and log all privileged activity. To reduce the risk of data breaches and downtime, be vigilant about
what actions privileged users are taking by using a variety of logging and monitoring techniques. Implement
traditional security controls, such as firewalls and network access controls, that limit access to systems,
particularly critical systems like your intrusion detection system or identity and access management (IAM)
solution. All of these systems should have logging enabled, and you should also enable logging of
logon/logoff events and other actions of privileged users on every system. You also need real-time monitoring
of privileged user activity and the ability to alert appropriate staff about critical actions. Creating these
alerts requires the information in the logs to be clear and understandable, which is not the case natively for
many computing platforms; IT auditing software can solve this problem. At a minimum, ship the logs off the
host they are generated on, so that an administrator cannot erase the record of their own actions.
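
To make the monitoring point concrete, here is an added example (not code from the paper or the Netwrix product) that turns raw Windows Security events into alerts. It keys on event 4672 (special privileges assigned to a new logon, i.e. an admin-equivalent token was issued) and 4624 (successful logon). The approved-admin list, the tier-0 host names and the three sample events are constructed assumptions; the sample XML follows the shape `Get-WinEvent` returns from `ToXml()`, trimmed to the fields the rules use.

```powershell
# Added example, not from the original paper: detection logic over Windows Security log events.
# Approved admins, tier-0 hosts and the sample events are constructed assumptions.

$ApprovedAdmins = @('CORP\adm-jdoe', 'CORP\adm-asmith')   # personal admin accounts (assumed)
$Tier0Hosts     = @('DC01', 'DC02')                       # domain controllers (assumed)

function ConvertFrom-SecurityEventXml {
    # Key EventData fields by name; indexing $event.Properties by position breaks across OS versions.
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $e  = ([xml]$Xml).Event
        $id = $e.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id = [int]$id; TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
            Computer = $e.System.Computer; Data = $data
        }
    }
}

function Find-SuspiciousPrivilegedLogon {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $d = $Event.Data
        $hostShort = ($Event.Computer -split '\.')[0]
        switch ($Event.Id) {
            4672 {
                # Skip SYSTEM / LOCAL SERVICE / NETWORK SERVICE and machine accounts (trailing $).
                $acct = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                if ($d.SubjectUserSid -notmatch '^S-1-5-(18|19|20)$' -and
                    $d.SubjectUserName -notmatch '\$$' -and $acct -notin $ApprovedAdmins) {
                    [pscustomobject]@{ Time = $Event.TimeCreated; Host = $hostShort; Account = $acct
                        Reason = 'Privileged token for an account outside the approved-admin list'
                        Detail = ($d.PrivilegeList -replace '\s+', ' ') }
                }
            }
            4624 {
                $acct = "$($d.TargetDomainName)\$($d.TargetUserName)"
                $type = [int]$d.LogonType
                # Interactive (2) or RDP (10) logon to a tier-0 host by a non-approved account.
                if ($hostShort -in $Tier0Hosts -and $type -in @(2, 10) -and $acct -notin $ApprovedAdmins) {
                    [pscustomobject]@{ Time = $Event.TimeCreated; Host = $hostShort; Account = $acct
                        Reason = "Logon type $type to tier-0 host by a non-approved account"
                        Detail = "from $($d.IpAddress) via $($d.LogonProcessName)" }
                }
                # NTLM network logon by an approved admin exposes that admin's hash to the target host.
                if ($acct -in $ApprovedAdmins -and $type -eq 3 -and $d.AuthenticationPackageName -eq 'NTLM') {
                    [pscustomobject]@{ Time = $Event.TimeCreated; Host = $hostShort; Account = $acct
                        Reason = 'Approved admin authenticated with NTLM instead of Kerberos'
                        Detail = "from $($d.IpAddress) ($($d.WorkstationName))" }
                }
            }
        }
    }
}

# Constructed sample events. The first is an approved admin and must not alert.
$Ev1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4672</EventID>
<TimeCreated SystemTime="2024-03-01T02:14:07.000Z"/><Computer>DC01.corp.example</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data><Data Name="SubjectUserName">adm-jdoe</Data>
<Data Name="SubjectDomainName">CORP</Data><Data Name="PrivilegeList">SeDebugPrivilege SeTcbPrivilege</Data></EventData></Event>
'@
$Ev2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4672</EventID>
<TimeCreated SystemTime="2024-03-01T02:15:30.000Z"/><Computer>DC01.corp.example</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-21-1-2-3-1406</Data><Data Name="SubjectUserName">svc-backup</Data>
<Data Name="SubjectDomainName">CORP</Data><Data Name="PrivilegeList">SeBackupPrivilege SeDebugPrivilege</Data></EventData></Event>
'@
$Ev3 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2024-03-01T02:16:02.000Z"/><Computer>DC01.corp.example</Computer></System><EventData>
<Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">10</Data>
<Data Name="LogonProcessName">User32</Data><Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WS-0042</Data><Data Name="IpAddress">10.0.0.55</Data></EventData></Event>
'@

$alerts = @($Ev1, $Ev2, $Ev3) | ConvertFrom-SecurityEventXml | Find-SuspiciousPrivilegedLogon
$alerts | Format-Table -AutoSize -Wrap          # expect two alerts: svc-backup token, jdoe RDP to DC01

# Live use: same pipeline over the last hour of the local Security log.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4624; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml | Find-SuspiciousPrivilegedLogon
```

The rules are deliberately simple allow-list checks; what makes them useful is the approved-admin list from the inventory step. Run this against logs forwarded to a collector rather than on each host, and treat a 4672 that never appears for an account that should be privileged as a finding too: it usually means auditing of "Special Logon" is switched off there.
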

Extend your privileged access protection past the firewall. Don't forget about accounts associated with
social media, SaaS applications, partners, contractors and customers; they should also be protected according
to your privileged account management policy.

Analyze the risk of each privileged user. Continually use risk assessment to assess the danger each privileged
user poses, and focus on investigating and securing the riskiest accounts first.

Bring service accounts under management. Service accounts often have elevated privileges to data and
infrastructure, so they need to be protected through automated management. For example, their passwords
should be frequently rotated without causing any workflow interruptions.
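
Rotating a service account password "without causing any workflow interruptions" comes down to knowing every consumer of the credential before the reset and re-pointing each one afterward. The script below is an added example for Windows services, not code from the paper or the Netwrix product; the account name, host list and vault hand-off are assumptions, and it needs the ActiveDirectory module, CIM access to the hosts and the right to reset the account's password.

```powershell
# Added example, not from the original paper: rotate a Windows service account password and update
# every service that runs under it so the rotation does not interrupt the workload. Account name,
# host list and the vault hand-off are assumptions.
Import-Module ActiveDirectory

function Update-ServiceAccountPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'svc-backup' (assumed)
        [Parameter(Mandatory)][string[]]$ComputerName,   # hosts where the account is known to be used
        [switch]$DryRun
    )
    $domain = Get-ADDomain
    # StartName is stored as 'DOMAIN\user' or 'user@dns.domain' depending on how the service was configured.
    $logonNames = @("$($domain.NetBIOSName)\$SamAccountName", "$SamAccountName@$($domain.DNSRoot)")

    # 1. Discover dependencies before touching the password; unknown consumers are what turn a
    #    rotation into an outage. Scheduled tasks, IIS app pools and COM+ need separate checks.
    $services = foreach ($c in $ComputerName) {
        Get-CimInstance -ComputerName $c -ClassName Win32_Service |
            Where-Object { $_.StartName -in $logonNames } |
            Select-Object @{ n = 'Computer'; e = { $c } }, Name, State, StartName
    }
    if (-not $services) { Write-Warning "No services on $($ComputerName -join ', ') run as $SamAccountName" }
    if ($DryRun) { return $services }

    # 2. Generate the new secret from the OS CSPRNG (Get-Random is not suitable for secrets).
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)          # 44 characters; never write this to a log
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # 3. Reset in AD first, then re-point each service. A running service keeps working on the old
    #    credential until it restarts, so Change() must land before the next restart.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    foreach ($s in $services) {
        $svc = Get-CimInstance -ComputerName $s.Computer -ClassName Win32_Service -Filter "Name='$($s.Name)'"
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $plain }
        if ($r.ReturnValue -ne 0) { Write-Error "Change() failed on $($s.Computer)\$($s.Name): code $($r.ReturnValue)"; continue }
        if ($s.State -eq 'Running') {
            Invoke-CimMethod -InputObject $svc -MethodName StopService  | Out-Null
            Start-Sleep -Seconds 5
            Invoke-CimMethod -InputObject $svc -MethodName StartService | Out-Null
        }
        Write-Verbose "Re-pointed $($s.Computer)\$($s.Name)" -Verbose
    }
    # 4. Store $plain in the vault here (vault API is site-specific), then drop it from memory.
    Remove-Variable -Name plain, secure
    return $services
}

# Dry run first: lists what would be touched without changing anything.
Update-ServiceAccountPassword -SamAccountName 'svc-backup' -ComputerName 'FS01', 'FS02' -DryRun
```

Where the workload supports it, a group Managed Service Account (gMSA) removes the need for this script entirely, since the domain controllers rotate its password on a schedule and the hosts retrieve it themselves. For everything else, the discovery step is the part to invest in: an account that authenticates from a host not on your list (visible as 4624/4768 events for that account) is a consumer you did not know about and will break on the next rotation.
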

Secure cloud-based privileged accounts. With more workflows shifting to the cloud each year, it's essential
to apply the same privileged access management best practices to accounts that grant privileged access to
cloud services and hybrid environments, such as Azure Active Directory accounts.

Review privileged access rights at appropriate intervals (at least once a month) and regularly review privileged
permission assignments. Document all changes in detail.

Educate users. Give your staff the information they need to succeed, and update them about policies and
procedures whenever there is a change to their daily routine. Everyone who holds privileged credentials, not
just IT admins, should know how to manage and use them properly.

Document your account management policies and practices. Last but certainly not least, make sure
your rules and processes are explicitly written down and signed by management, so everything is clear and
enforceable.

Modern Privileged Access Management

Rigorously following all these best practices for dozens or hundreds of privileged accounts is a challenge — and
still leaves organizations with a huge attack surface area, since each account is at risk of being taken over by an
attacker or being misused by its owner. Enter third-generation privileged access management:

Enforce zero standing privilege via ephemeral accounts that have just enough privilege. While a standard
best practice is to elevate privilege only when needed, this should be taken a step further by removing
accounts entirely when they're not needed. The PAM solution should grant administrators the exact level of
privileges needed, exactly when they're needed, for only as long as they're needed.
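
The elevation process described under "Use privilege elevation best practices" above and the zero-standing-privilege model described here share one mechanism: privilege that expires on its own. The following is an added example of the in-box Active Directory approximation, time-bound group membership from the Windows Server 2016 "Privileged Access Management Feature"; it is not code from the paper or the Netwrix product, which goes further by removing the account itself. The ticket-ID format, the group and the TTL are assumptions.

```powershell
# Added example, not from the original paper: just-in-time, time-bound group membership using the
# Active Directory PAM optional feature (Windows Server 2016+). Ticket format, group and TTL are
# assumptions; the approval workflow itself lives in your ticketing system, not here.
Import-Module ActiveDirectory

function Grant-TemporaryPrivilege {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$TicketId,              # approval record; mandatory by design
        [timespan]$Ttl = (New-TimeSpan -Hours 2)
    )
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if ($feature.EnabledScopes.Count -eq 0) {
        # Enabling is irreversible and needs a 2016 forest functional level:
        #   Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
        throw 'The Privileged Access Management optional feature is not enabled in this forest.'
    }
    if ($TicketId -notmatch '^CHG-\d{6}$') { throw "Refusing elevation without a valid approval ticket ($TicketId)." }

    # The membership is removed by the directory when the TTL lapses: no cleanup job, nothing left standing.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl
    Write-Output "$User added to $Group until $((Get-Date).Add($Ttl).ToString('s')) per $TicketId"
}

function Get-GroupMembershipWithTtl {
    param([Parameter(Mandatory)][string]$Group)
    # With -ShowMemberTimeToLive, time-bound members are returned as '<TTL=seconds>,CN=...'.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member | ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Standing = $false }
        } else {
            [pscustomobject]@{ Member = $_; SecondsLeft = $null; Standing = $true }   # permanent: review these
        }
    }
}

Grant-TemporaryPrivilege -User 'jdoe' -Group 'Domain Admins' -TicketId 'CHG-004217' -Ttl (New-TimeSpan -Minutes 90)
Get-GroupMembershipWithTtl -Group 'Domain Admins' | Sort-Object Standing, SecondsLeft | Format-Table -AutoSize
```

Two Kerberos details make this work in practice. The user's existing ticket-granting ticket does not contain the new group, so they must obtain a fresh one (log off and on, or `klist purge` followed by a new logon) before the elevation takes effect. Conversely, with the PAM feature enabled the KDC caps the TGT lifetime at the remaining TTL of the user's time-bound memberships, so the privilege stops being honored when the TTL ends rather than lingering for the normal ten-hour ticket lifetime. Any member the second function reports as `Standing = $true` is exactly the standing privilege this section argues should not exist.
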

Implement approvals for privileged session requests. For most critical tasks, there should be an approval
workflow in which the privileged session request must be approved or denied by appropriate personnel.

Maintain an audit trail and recordings for all privileged sessions. Organizations need to track all actions
administrators are taking. Some solutions take this a step further by implementing real-time monitoring and
historic session recording playback capabilities for privileged user tasks.

Next Step: Privileged Account and Activity Management with a Dedicated Solution

Netwrix SbPAM is a third-generation PAM solution that’s quick to install, has a small footprint, doesn’t require
client-side software and is simple to use. It works equally well for smaller organizations and large enterprises.

SbPAM facilitates secure administrative access and reduces your attack surface. It automatically generates
just-in-time accounts with just enough permissions to accomplish the administrative task at hand, enabling you
to eliminate the threat of having lots of highly privileged accounts and the overhead of controlling them.

Minimize the risk related to privileged access with Netwrix privileged access management software:

- Create on-demand accounts that have just enough access for the task at hand and are deleted automatically
afterward.
- See exactly what privileged activity is happening across your systems with live and retrospective session
monitoring.
- Protect service accounts by rotating their passwords from one place.
- Mitigate the risk of pass-the-hash, Golden Ticket and related attacks with automatic purging of Kerberos
tickets after each privileged session.
- Provide solid proof that privileged activity in your organization is not creating cybersecurity threats.
- Reduce adoption overhead: the Netwrix solution works with Remote Desktop Connection Manager and Microsoft
LAPS, and you can integrate it with your password vault.



About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim
control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000 organi-
zations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise
content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and
knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.
For more information, visit www.netwrix.com.

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618

PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749; 1-201-490-8840; +44 (0) 203 588 3023

OTHER LOCATIONS: 565 Metro Place S, Suite 400, Dublin, OH 43017; 5 New Street Square, London EC4A 3TW;
Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487; Switzerland: +41 43 508 3472;
France: +33 9 75 18 11 19; Germany: +49 711 899 89 187; Hong Kong: +852 5808 1306; Italy: +39 02 947 53539

SOCIAL: netwrix.com/social
