Controlling privileged access is a lot like mowing the lawn. It’s much easier to just keep it short and cut it every week, but sometimes it’s easy to forget about it for one week… and then two… until it’s all overgrown with weeds and rodents and needs considerable work to get back to its easily maintainable state.
Industry statistics show that many organizations have let their privileged accounts grow out of control. 81% of hacking-related breaches involved stolen credentials, while 50% of organizations don’t even audit their privileged accounts. This is why large organizations are constantly making headlines for security slip-ups – privileged accounts and users are a liability that is often overlooked and misunderstood.
The first step to regaining control of the situation is to discover the privileged accounts on your network by conducting a privileged account audit.
Before conducting a privileged account audit, it’s important to understand why the problem exists in the first place. IT is tasked with managing the different privileged access needs of potentially thousands of users across the entire network. Properly provisioning, revoking, and monitoring this access is a complex task that is impractical to do manually (which is the method that 66% of organizations rely on, according to the State of PAM survey).
Looking for a quick fix – or sometimes, out of pure necessity and lack of a better option – organizations start giving everyone and their dog privileged access. Everything operates smoothly and IT managers can finally take a breath. Everyone is happy… until disaster strikes. An internal or external audit finds that months earlier, hackers got a hold of privileged credentials, which they used as a foothold to move into and across the system, breach other privileged accounts, and access sensitive information (such as credit cards, social security numbers, other usernames and passwords, etc). They’ve made quite the mess, which is inevitably followed by bad publicity and compliance fines.
If your IT systems are overwhelmed with privileged accounts, the first step to solving the problem is to gather as much relevant information about the situation as possible by auditing for privileged accounts.
Privileged accounts can live anywhere, and finding them manually across UNIX, Windows, and Linux platforms with all kinds of different applications and devices is extremely tedious and ineffective. To make the task manageable, we developed the PAM Sniffer, a free tool for privileged account discovery.
The tool plugs into Windows, Unix and Linux operating systems to identify privileged accounts. It can also search a range of IP addresses, domains, or in directory services such as Active Directory. Just enter the server details along with your administrator credentials, and the PAM Sniffer will export a text list of privileged accounts on the system.
The text list gives you insights about your privileged accounts, which include:
All of the information can then be exported into an Excel spreadsheet where you can further analyze the accounts. This will be useful in the second phase of privileged account management, which is creating a remediation plan to get those accounts under control.
*Note – the PAM Sniffer is included for free in the Privileged Account Manager 30-day trial. Just download the trial from the link above, and you will also receive the PAM Sniffer.
If you’d like to conduct more of a manual audit, you could also use PowerShell scripts to identify the accounts. This works pretty well in Windows (Active Directory, mostly), but scripts are a little harder to come by for Linux and Unix. Scripts also don’t provide you with the same features that the PAM Sniffer does, but hey, some people like to do it the hard way. Below are links to a few of those PowerShell scripts.
Windows PowerShell script here.
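As an added illustration of what such a manual Active Directory audit looks like (this is example code written for this post, not the PAM Sniffer and not the script linked above), the snippet below walks the well-known privileged groups, expands nested membership, pulls the attributes an auditor usually wants for each member (enabled, password never expires, last logon), and writes the result to a CSV that can be opened in Excel for the remediation phase. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the group list and the 90-day staleness threshold are assumptions to adjust for your environment.

```powershell
# Added example for a manual privileged account audit in Active Directory.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
# The group list below is the set of default privileged groups; extend it
# with any custom admin groups your domain uses.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators', 'DnsAdmins'
)

# Accounts with no logon in this many days are flagged for review (assumed threshold).
$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

$results = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups, so accounts that hold rights
        # indirectly (group inside group) are listed too.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        # Some groups (for example DnsAdmins) may not exist in every domain.
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }

    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Description

        [PSCustomObject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            DistinguishedName    = $u.DistinguishedName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
            # LastLogonDate is replicated only every ~14 days, so treat it as approximate.
            Stale                = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            Description          = $u.Description
        }
    }
}

# Full list for the spreadsheet.
$results | Sort-Object SamAccountName, Group |
    Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation

# Quick on-screen summary of the accounts most likely to need remediation.
$results | Where-Object { $_.PasswordNeverExpires -or $_.Stale -or -not $_.Enabled } |
    Format-Table Group, SamAccountName, Enabled, PasswordNeverExpires, LastLogonDate -AutoSize

# Accounts stamped by AdminSDHolder (adminCount=1) that are no longer in any of the
# groups above are a common leftover from past privilege and are worth reviewing too.
$listed = $results.SamAccountName | Sort-Object -Unique
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $listed -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName
```

Run it from a domain-joined workstation as an account with read access to the directory; it needs no admin rights of its own, only the ability to query group membership and user attributes. The CSV it produces is the kind of raw inventory the next phase (the remediation plan) works from.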
Your privileged account audit will provide the base to work towards a comprehensive solution, which will allow you to eliminate unnecessary privileged accounts, simplify audits, ensure compliance, and automate the entire process of provisioning and revoking privileged access while continuously monitoring risks. The objective is to enhance security and operations at the same time – great security allows for great and efficient operations.
Conducting a privileged account audit is the first of the four steps illustrated below.
Look at our previous post, “How to Manage Privileged Accounts and Identities”, which talks about the entire solution, and look for our next posts about creating a remediation plan for privileged accounts.
Have a question about Privileged Account Management, Pam Sniffer, or PAM in general? Please leave a comment below or visit our forums.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.