Account management is more than a mundane busywork chore admins must deal with. Control over who can access what in your systems is not only important to productivity, it goes to the very foundation of your IT security. The better you handle account management, the safer your systems will be.
Common account management practices fall into three broad classes: account types, general concepts, and account policy enforcement. The first and last are explained in detail below; the general concepts are the standard identity and access management practices that are already well known, so they are not covered further here.
Internal account types — and the risks they pose
Every user is granted a specific level of access, and that level directly affects how well the network is protected. It may seem odd to want to protect the network from its own users, but it makes sense once you consider that internal users hold the highest level of access to data, which means they can delete or sabotage it, whether accidentally or intentionally. Account management offers a partial answer.
As part of the logon process, the organization should display a logon banner stating that access to the network is granted only under specific conditions.
The banner also puts users on notice that their activity is being monitored closely. In this way the organization covers itself against legal ramifications and reminds users of the conduct the security policy expects of them.
Account sharing — a massive risk
Plenty of IT organizations still use shared accounts for applications, administrators, and other privileged users. Unfortunately, the practice is rife with compliance and security risks, because actions taken under a shared account cannot be tied back to an individual. Securing the account access environment therefore involves eliminating shared account usage.
When each set of access credentials belongs to exactly one principal, whether a machine service or a user, every aspect of data access and use can be attributed and measured. That lets you build a baseline of acceptable, expected use, and monitoring for variations from that baseline helps you detect possible misuse of data access or enterprise resources.
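One way to monitor such a baseline, as an added example that is not part of the original article: flag an account used from several hosts within a short window, which is a deviation a "one principal, one credential" baseline exposes. The $logons rows are constructed here to stand in for Windows 4624 logon events; the $baseline table and the 10-minute window are this example's own choices.

```powershell
# Added example, not from the original article. Constructed logon records standing in
# for Security log 4624 events; in practice these would come from the SIEM or
# Get-WinEvent.
$logons = @'
Time,Account,SourceHost
2024-03-04T08:01:10,alice,WS-101
2024-03-04T08:03:42,alice,WS-101
2024-03-04T08:05:07,svc-backup,SRV-DB01
2024-03-04T08:09:30,opsadmin,WS-114
2024-03-04T08:11:55,opsadmin,WS-207
2024-03-04T08:14:12,opsadmin,WS-311
'@ | ConvertFrom-Csv

# Baseline of expected use: the hosts each principal was seen on during a known-good
# period. Constructed for this example.
$baseline = @{ 'alice' = @('WS-101'); 'svc-backup' = @('SRV-DB01'); 'opsadmin' = @('WS-114') }
$window   = New-TimeSpan -Minutes 10

function Get-AccountDeviation {
    param([object[]]$Events, [hashtable]$Expected, [TimeSpan]$Window)
    $Events | Group-Object Account | ForEach-Object {
        $account = $_.Name
        $seen    = @($_.Group | Sort-Object { [datetime]$_.Time })
        $hosts   = @($seen.SourceHost | Sort-Object -Unique)
        # Hosts never seen for this principal during the baseline period
        $outside = @($hosts | Where-Object { $Expected[$account] -notcontains $_ })
        # Distinct hosts inside one window starting at the first logon: more than one
        # suggests the credential is in several hands, or has been stolen.
        $start = [datetime]$seen[0].Time
        $burst = @(($seen | Where-Object { ([datetime]$_.Time - $start) -le $Window }).SourceHost |
                   Sort-Object -Unique)
        [pscustomobject]@{
            Account         = $account
            HostsSeen       = $hosts -join ','
            OutsideBaseline = $outside -join ','
            SharedSuspect   = $burst.Count -gt 1
        }
    }
}

# With the constructed data, only opsadmin is reported as SharedSuspect (three hosts
# within five minutes, two of them outside its baseline).
Get-AccountDeviation -Events $logons -Expected $baseline -Window $window | Format-Table -AutoSize
```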
Continuous focus on end-user security training
Internal stakeholders are the biggest risk to your enterprise’s precious data assets. Your best efforts to implement stringent account management practices could still prove insufficient if a careless superuser is able to find ways around the process.
To make sure this doesn’t happen to your business, invest in beginner-level information security training programs for your key users, and depend on them to pass on their learning to their teams. Also, identify security champions who can be enrolled in ethical hacking and other similar information security training sessions.
Horses for courses?
Users in administrative roles should not rely on their privileged accounts for email and other everyday activities. Otherwise, a piece of malware encountered in the course of regular business runs with the full rights of the account that encountered it, instead of being contained by the access control limits of a standard account.
It is therefore better to issue such users a standard account for regular access and a separate set of administrative credentials as well.
This limits what can be done with the account they operate from day to day. The practice is already prevalent among Linux users, many of whom work from an unprivileged session account and use sudo (“superuser do”) when an administrative task requires it.
Understand default installations
Some accounts and groups are created by default during installation, and it is your job as an administrator to know which ones they are. Service accounts tend to be installed as well so that software can interact with the OS; on Windows, local service accounts typically ship with default passwords.
For personal accounts, administrative rights should be used only while actually administering the server. Giving an ordinary user that level of access can end in disaster.
Why? Because whoever controls an administrative account can put the whole business in jeopardy, especially if they open the wrong email or click a link that delivers malware. You should also consider prohibiting generic accounts that are commonly shared by multiple users.
Once you know which accounts a default installation creates, you can determine which are actually needed and remove the rest, since every unneeded account is one more way into the system. It is also prudent to keep track of accounts that were installed with a well-known password (“admin,” for example) or a blank one.
The common machine accounts found in web-based access systems are frequent targets for unauthorized access, especially when left in their default configuration.
Because of these risks, many newer operating systems no longer permit blank passwords, but accounts on older operating systems may still carry a well-known default or blank password. Assign user rights to security groups so that it is clear what group members can do within the scope of a forest or a domain; for individual user accounts, user rights are generally granted through security options.
Account policy enforcement
As a company grows, so does the number of users and systems. In that situation, enforcing account policy becomes critical.
You should therefore establish account policies that give your systems strong protection, and keep in mind that account policies can be configured through Group Policy.
Importance of credentials
Credentials should be issued with a defined lifetime, so that a provisioned account can be used for its intended period and is then retired. Workforces with temporary or short-term staff will find this especially important, since those accounts would otherwise be left intact and unmonitored when the people move to new positions.
Such accounts are preferred targets for brute-force attacks on logon passwords, attacks that are spread over a lengthy period precisely to escape detection and intrusion prevention techniques.
So whether the credential is a complex encryption key or a simple logon password, it must have a built-in lifetime that guarantees it expires even if it is forgotten or lost.
Auditing procedures must clearly surface long-lived machine accounts and inactive accounts; expiring and re-establishing these routinely limits the window for exploitation and long-term attacks, especially where there is a chance the account was compromised during its normal period of use.
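An inventory of the account types the two preceding sections warn about (default and generic accounts, accounts without a credential lifetime, inactive and expired accounts), as an added example rather than the article's own code. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module; the 90-day inactivity cutoff and the $genericNames list are this example's own choices.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

$genericNames = 'admin', 'administrator', 'test', 'guest', 'service', 'temp'   # example list
$inactiveFor  = New-TimeSpan -Days 90                                           # example cutoff

# 1. Local accounts: Guest still enabled, or an account Windows lets log on without a
#    password. Well-known default passwords cannot be detected this way; accounts that
#    match by name are flagged for manual review instead.
Get-LocalUser |
    Where-Object { ($_.Name -eq 'Guest' -and $_.Enabled) -or -not $_.PasswordRequired } |
    Select-Object @{n='Finding';e={'Local default/blank-password'}}, Name, Enabled, LastLogon

# 2. Built-in domain Administrator (RID 500, found even if renamed) and generic names
#    that tend to become shared accounts.
Get-ADUser -Filter * -Properties LastLogonDate |
    Where-Object { $_.SID.Value -like '*-500' -or $genericNames -contains $_.SamAccountName.ToLower() } |
    Select-Object @{n='Finding';e={'Well-known or generic name'}}, SamAccountName, Enabled, LastLogonDate

# 3. Domain accounts with no built-in credential lifetime: password never expires or is
#    not required at all (userAccountControl flags), and no expiration date on the object.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true' `
           -Properties PasswordNeverExpires, PasswordNotRequired, AccountExpirationDate, LastLogonDate |
    Where-Object { -not $_.AccountExpirationDate } |
    Select-Object @{n='Finding';e={'No credential lifetime'}}, SamAccountName, Enabled,
                  PasswordNeverExpires, PasswordNotRequired, LastLogonDate

# 4. Enabled accounts with no logon inside the inactivity window: candidates to disable.
Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object Enabled |
    Select-Object @{n='Finding';e={'Inactive'}}, SamAccountName, LastLogonDate

# 5. Accounts whose expiration date has passed but are still enabled. -WhatIf only
#    reports what would be disabled; remove it to enforce.
Search-ADAccount -AccountExpired -UsersOnly |
    Where-Object Enabled |
    ForEach-Object { Disable-ADAccount -Identity $_ -WhatIf }
```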
Role of account policies in group policy
Active Directory domains store a wide range of configuration details in Group Policy objects, including account policy and password settings. Each domain has its own password policy, alongside the local password policy settings of its member computers, and the domain password policy is what controls password settings across the domain.
In Group Policy, the Account Policies settings are applied at the domain level. The domain Account Policies settings thus become the default local Account Policies settings for every Windows-based system that is a member of the domain. The one exception is when a different Account Policies setting is defined for an organizational unit (OU).
An OU-level Account Policies setting affects the local policy of any computer contained in that OU. The password policy settings for the domain itself are held in the domain's root container, to which the Default Domain Policy is linked.
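Reading the domain-level Account Policies described above and checking them for weak values, as an added example that is not the article's code. The $floor thresholds are this example's own choices, not a standard the article cites; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# Floors this example treats as acceptable (example values, not a published standard).
$floor = @{ MinPasswordLength = 14; PasswordHistoryCount = 24; MaxPasswordAgeDays = 365
            LockoutThreshold = 10; LockoutMinutes = 15 }

$findings = New-Object System.Collections.Generic.List[string]
if (-not $policy.ComplexityEnabled)      { $findings.Add('Complexity requirements are disabled') }
if ($policy.ReversibleEncryptionEnabled) { $findings.Add('Reversible encryption is enabled') }
if ($policy.MinPasswordLength -lt $floor.MinPasswordLength) {
    $findings.Add("MinPasswordLength $($policy.MinPasswordLength) is below $($floor.MinPasswordLength)") }
if ($policy.PasswordHistoryCount -lt $floor.PasswordHistoryCount) {
    $findings.Add("PasswordHistoryCount $($policy.PasswordHistoryCount) is below $($floor.PasswordHistoryCount)") }
# A zero (or "never") maximum age means the credential has no built-in lifetime.
$ageDays = $policy.MaxPasswordAge.TotalDays
if ($ageDays -le 0 -or $ageDays -gt $floor.MaxPasswordAgeDays) {
    $findings.Add("MaxPasswordAge $ageDays days (0 means passwords never expire)") }
# A zero lockout threshold disables lockout, leaving logon passwords open to guessing;
# a zero duration with lockout enabled means "until an administrator unlocks", which is stricter.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $floor.LockoutThreshold) {
    $findings.Add("LockoutThreshold $($policy.LockoutThreshold) (0 means no lockout)") }
elseif ($policy.LockoutDuration.TotalMinutes -gt 0 -and $policy.LockoutDuration.TotalMinutes -lt $floor.LockoutMinutes) {
    $findings.Add("LockoutDuration $($policy.LockoutDuration.TotalMinutes) minutes is below $($floor.LockoutMinutes)") }

# The same settings are stored as attributes on the domain root container, the object the
# Default Domain Policy is linked to. maxPwdAge is a negative count of 100-nanosecond
# ticks, with Int64.MinValue meaning "never".
$root   = Get-ADObject -Identity $domain.DistinguishedName -Properties minPwdLength, maxPwdAge, lockoutThreshold
$rawAge = [int64]$root.maxPwdAge
[pscustomobject]@{
    RootContainer    = $domain.DistinguishedName
    minPwdLength     = $root.minPwdLength
    maxPwdAgeDays    = $(if ($rawAge -eq [int64]::MinValue) { 'never' } else { [TimeSpan]::FromTicks(-$rawAge).TotalDays })
    lockoutThreshold = $root.lockoutThreshold
    LinkedGPOs       = ((Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks.DisplayName) -join ', '
}

if ($findings.Count -eq 0) { 'Domain Account Policies meet every floor.' } else { $findings }
```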
Account management: Fix what’s lacking
Organizations face threats on a regular basis, both internal and external. Understanding the foundational ideas that form the building blocks of a company’s information security helps you identify what is lacking and where action needs to be taken immediately.
Once you understand the different modes of authentication and authorization and have learned the relevant best practices, you will have a thorough grasp of account management.