Tips for securing your privileged accounts

Security is hot on everyone’s mind these days, and it should be, given the constant stream of reports of hacking and data breaches. There isn't a day that goes by without a story of another data breach. All this raises questions and concerns about how privileged access accounts are protected and secured.

 

“How are you securing those privileged accounts that have access to all your critical data?” Hmmm, good question.... and "we have a firewall" is not a good enough answer. These privileged accounts are critical to your business, and if they are compromised the result can be devastating. It is critical to protect privileged access regardless of whether the environment is on-premises, cloud, or hybrid (on-premises plus cloud-hosted services). It's your data, so you must protect it.

 

Privileged accounts can exist in any of your systems, and they almost always have elevated privileges. Some examples (not an exhaustive list):

 

  • Domain admin
  • Server operators
  • Global administrator
  • Exchange/Teams/SharePoint administrator roles
  • SQL and other database administrator accounts
  • Storage account (access keys)
  • Root access accounts
  • Business-application-specific accounts
  • Any IT staff member or user with elevated access to company systems

 

Some tips, whether hybrid, cloud, or on-premises, to limit the exposure of these accounts...

 

1. Use an admin account separate from the normal user account. Provide separate accounts for technical staff or anyone who will be performing administrative functions inside an application or system. For example, a domain admin should not use their normal user account to perform domain or server admin functions; that work should be done with their dedicated admin account, not their everyday account. The everyday account is the one that reads mail and opens attachments, so it is the one most likely to be phished; keeping it out of the privileged groups means a phished user is not a compromised domain.

 

2. Privileged accounts should have limited access to external services. What this means is that the admin account you're using should not be receiving personal email or roaming the internet freely. Disable mail forwarding to external parties/domains from the privileged account; restricting auto-forwarding prevents accidental "leaks" of sensitive data and removes a favourite persistence trick of attackers who have taken over a mailbox. If the privileged account does need internet access (in some cases this is needed), ensure that the account is routed through proper web filtering. This also means accounts like these should not be browsing the web on a server. Yes, I know who you are, and you should stop doing it!
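Here is an added Exchange Online PowerShell example (not part of the original post) that finds and removes forwarding from admin mailboxes and then closes the door tenant-wide. It assumes the ExchangeOnlineManagement module, that admin mailboxes are identified by an assumed "adm-" alias prefix, and that you want a transport rule with the assumed name 'Block external auto-forward'; adjust all three to your environment. Ideally admin accounts have no mailbox at all, in which case only the tenant-wide part applies.

```powershell
# Added example: strip forwarding from admin mailboxes and block auto-forwarding tenant-wide.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# ASSUMPTION: admin mailboxes use an "adm-" alias prefix; change to your naming convention.
$AdminMailboxes = Get-Mailbox -ResultSize Unlimited -Filter "Alias -like 'adm-*'"

foreach ($mbx in $AdminMailboxes) {
    # Mailbox-level forwarding (set by an admin or by the user in OWA settings)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Warning "$($mbx.UserPrincipalName) forwards to '$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)' - clearing"
        Set-Mailbox -Identity $mbx.Identity `
            -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }

    # Inbox rules that forward or redirect mail: the classic post-compromise persistence trick
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            Write-Warning "$($mbx.UserPrincipalName): removing forwarding rule '$($_.Name)'"
            Remove-InboxRule -Identity $_.Identity -Confirm:$false
        }
}

# Tenant-wide controls so nobody can re-enable external auto-forwarding quietly:
# 1) the outbound spam policy switch (the control Microsoft now recommends)
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# 2) the older remote-domain setting, for tenants still relying on it
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# 3) a transport rule that rejects auto-forwarded mail leaving the organisation
#    ASSUMPTION: rule name; pick one that fits your naming standard.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'

Disconnect-ExchangeOnline -Confirm:$false
```

Run the loop first in a tenant where you can review the warnings before letting it delete rules; forwarding rules are also worth alerting on in the audit log, because an attacker who has already taken a mailbox will recreate them.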

 

3. Enable multi-factor authentication for all accounts, but most importantly for privileged accounts. Yes, it's a pain to enter that code received on your phone, but confirming that the access was legitimate and authorized is far better than being hacked. For admin accounts, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.

 

4. Use role-based access control (RBAC) for privileged accounts. This sounds like a no-brainer, but it is easily missed because it's just easier to give an admin account access to everything and tell the user to use that account carefully... NOT. Even privileged access accounts need RBAC. Following the principle of least privilege reduces the risk of exposure. Do not piggyback on an existing account for access. I know it seems so much easier to use one service account to perform all your duties, and this service account also happens to run all the Exchange services in your environment and then some. The exposure is too great with one account, especially if you, the admin, are also using it interactively: its credentials are then cached on every server it runs on and on your workstation, and a compromise of any one of them compromises all of them. Instead, create separate service accounts, each limited to a specific service/application, and give the admin their own admin account.
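The following is an added on-premises Active Directory example, not code from the original post, covering tips 1 and 4 together: it audits the built-in privileged groups for accounts that are not dedicated admin accounts, that have a mailbox, or that are really service accounts (they carry an SPN), and then shows replacing a shared service account with a group managed service account scoped to one host. It assumes the ActiveDirectory RSAT module, an assumed "adm-" naming prefix for admin accounts, an assumed host name WEB01 in the assumed domain corp.contoso.com, and that the domain already has a KDS root key.

```powershell
# Added example: audit privileged AD groups (tips 1, 2 and 4) and fix a shared service account (tip 4).
# Requires the ActiveDirectory RSAT module; run from a hardened admin workstation with an admin account.
Import-Module ActiveDirectory

# ASSUMPTION: dedicated admin accounts are named "adm-<user>"; adjust to your convention.
$AdminPrefix = 'adm-'

# Built-in groups that confer elevated rights, including the often-forgotten operator groups.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Server Operators', 'Account Operators', 'Backup Operators'

function Get-PrivilegedAccountFindings {
    param(
        [string[]]$Groups = $PrivilegedGroups,
        [string]$Prefix   = $AdminPrefix
    )
    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so indirectly privileged users are not missed.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties ServicePrincipalName, EmailAddress, PasswordLastSet, LastLogonDate
            $findings = @()
            # Tip 1: a privileged account that is not a dedicated admin account
            if ($u.SamAccountName -notlike "$Prefix*") { $findings += 'NotDedicatedAdminAccount' }
            # Tip 2: admin accounts should not be receiving mail
            if ($u.EmailAddress)                        { $findings += 'HasMailbox' }
            # Tip 4: an account with an SPN is a service account; it does not belong in these groups
            if ($u.ServicePrincipalName.Count -gt 0)   { $findings += 'ServiceAccountInPrivilegedGroup' }
            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Group           = $group
                    SamAccountName  = $u.SamAccountName
                    Findings        = ($findings -join ',')
                    PasswordLastSet = $u.PasswordLastSet
                    LastLogonDate   = $u.LastLogonDate
                }
            }
        }
    }
}

Get-PrivilegedAccountFindings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Remedy for the 'ServiceAccountInPrivilegedGroup' finding: give each service its own identity.
# A group managed service account (gMSA) has a 120-character password rotated by AD itself,
# so no human ever knows it and it cannot be "piggybacked" for interactive use.
# ASSUMPTION: WEB01 in corp.contoso.com runs the service and a KDS root key already exists.
New-ADServiceAccount -Name 'gmsa-web01' `
    -DNSHostName 'gmsa-web01.corp.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$'

# Then, on WEB01 itself (not from the admin workstation):
#   Install-ADServiceAccount -Identity 'gmsa-web01'
#   Test-ADServiceAccount  -Identity 'gmsa-web01'   # returns True when the host can fetch the password
# and point the Windows service at CORP\gmsa-web01$ with an empty password.
```

Anything the audit flags as HasMailbox or NotDedicatedAdminAccount is a tip 1 violation to clean up; anything flagged as a service account should be moved out of the group and its rights granted directly on the resource it manages, as RBAC in tip 4 describes.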

 

5. Use Azure Active Directory Privileged Identity Management (PIM) (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) to lower the exposure time of privileges. PIM does this by letting users take on their privileges only "just in time" (JIT), or by assigning privileges for a limited duration after which they are revoked automatically. PIM can also manage Azure RBAC roles, so it's like RBAC on steroids. Please note that Azure AD PIM requires an additional license (Azure AD Premium P2).
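An added Microsoft Graph PowerShell example, not from the original post, of what "just in time" looks like in practice: list who holds Global Administrator permanently, convert one of them to a PIM eligible assignment, and then show the activation request that user makes when they actually need the role. It assumes the Microsoft.Graph PowerShell SDK, a tenant licensed for PIM, and an assumed admin account adm-alice@contoso.com.

```powershell
# Added example: replace standing Global Administrator access with PIM eligibility.
# Requires the Microsoft.Graph PowerShell SDK and Azure AD Premium P2 (for PIM).
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

# Global Administrator role template ID; this GUID is the same in every tenant.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Check: who holds Global Administrator as a standing (permanent, active) assignment?
$standing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -ExpandProperty Principal
$standing | ForEach-Object {
    $p = $_.Principal.AdditionalProperties
    [pscustomobject]@{
        Principal    = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
        Type         = $p['@odata.type']
        AssignmentId = $_.Id
    }
} | Format-Table -AutoSize

# ASSUMPTION: adm-alice is a dedicated admin account (tip 1). Make her *eligible* instead of permanent.
$user = Get-MgUser -UserId 'adm-alice@contoso.com'

$eligibility = @{
    action           = 'adminAssign'
    justification    = 'Convert standing Global Administrator access to PIM eligibility'
    roleDefinitionId = $GlobalAdminRoleId
    directoryScopeId = '/'                    # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        # Eligibility itself expires too, forcing a periodic review of who can still activate.
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Only after eligibility is confirmed, remove the standing assignment for that user.
# Never remove the assignment of the account you are signed in with, and keep the
# break-glass accounts (tip 6) out of this conversion entirely.
$standing | Where-Object { $_.PrincipalId -eq $user.Id } | ForEach-Object {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id
}

# The JIT side: this is what adm-alice runs (signed in as herself) when she needs the role.
# PIM enforces the role's settings (MFA, justification, approval) and auto-revokes after the duration.
$activation = @{
    action           = 'selfActivate'
    justification    = 'Change 12345: tenant-wide settings update'   # ASSUMPTION: ticket reference
    roleDefinitionId = $GlobalAdminRoleId
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }   # privileges gone in two hours
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

Re-run the first query afterwards; the goal is that the only standing Global Administrators left are the break-glass accounts, and everyone else appears only as eligible.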

 

6. Define at least two emergency access accounts, also known as break glass accounts. Emergency access accounts are highly privileged and are not assigned to specific individuals. They are reserved for 'break glass' scenarios where normal administrative accounts cannot be used, for example when a misconfigured Conditional Access policy or an MFA service outage locks every admin out. For that reason they are excluded from the Conditional Access policies that apply to other admins, kept cloud-only with a long random password stored securely offline, and monitored so that every sign-in raises an alert: any use outside a declared emergency is an incident.
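An added Microsoft Graph PowerShell example (not part of the original post) that ties tips 3 and 6 together: it creates a Conditional Access policy requiring MFA for the privileged directory roles while excluding the break-glass accounts, and then pulls the sign-in log for those accounts, which is the check you want to run on a schedule. It assumes the Microsoft.Graph PowerShell SDK, that two break-glass accounts already exist under the assumed UPNs bg-01@contoso.onmicrosoft.com and bg-02@contoso.onmicrosoft.com, and an assumed policy name.

```powershell
# Added example: MFA for privileged roles via Conditional Access (tip 3), with break-glass
# accounts excluded and monitored (tip 6). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Directory.Read.All', 'AuditLog.Read.All'

# ASSUMPTION: cloud-only break-glass accounts with these UPNs already exist.
$BreakGlassUpns = 'bg-01@contoso.onmicrosoft.com', 'bg-02@contoso.onmicrosoft.com'
$BreakGlassIds  = @($BreakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_).Id })

# Resolve directory role template IDs by display name rather than hard-coding GUIDs.
$RoleNames = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
             'Exchange Administrator', 'SharePoint Administrator', 'Teams Administrator',
             'User Administrator', 'Conditional Access Administrator'
$RoleIds = @(Get-MgDirectoryRoleTemplate |
             Where-Object { $_.DisplayName -in $RoleNames } |
             Select-Object -ExpandProperty Id)

$policy = @{
    displayName = 'Require MFA for privileged directory roles'   # ASSUMPTION: policy name
    # Start in report-only mode and review the sign-in log before switching to 'enabled',
    # so a mistake here cannot lock the admins out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeRoles = $RoleIds          # anyone holding one of these roles
            excludeUsers = $BreakGlassIds    # break-glass stays reachable during an MFA outage
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Because the break-glass accounts bypass the policy, every sign-in by them must be reviewed.
function Get-BreakGlassSignIns {
    param([string[]]$Upns = $BreakGlassUpns, [int]$Top = 20)
    foreach ($upn in $Upns) {
        Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top $Top |
            Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
                @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } }
    }
}

# Expected steady state: no rows at all. Any row outside a declared emergency is an incident.
Get-BreakGlassSignIns | Format-Table -AutoSize
```

For production, feed the same sign-in events into an Azure Monitor alert rule or your SIEM rather than running the function by hand, and store the break-glass passwords (or FIDO2 keys) in a physical safe with a sign-out log so that a sign-in can be matched to a person.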

 

These are just a few tips to get you started on making your privileged accounts more secure. For a detailed explainer and roadmap, check out this best practices article: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure/

 

1 Comment

Interesting point number 6. If so, why were the exclusions taken down from Azure AD Baseline Conditional Access policies?