Phone Live Chat
US: +1 888 720 9500
US: +1 800 443 6694
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9393


Best practices for privileged account management (PAM)

Try ADManager Plus Now!

Privileged accounts include those with any elevated level of access to the resources in a network, such as Windows domain administrators, super users, emergency accounts, and application or service accounts. One of the alarming findings from a 2020 Cybersecurity Insiders study is that privileged IT users (63%) pose the biggest insider security risk to organizations. It is a given that mismanagement of these accounts could pose a significant risk to an enterprise.

Therefore, organizations should consider the following practices:

  • Apply the principle of least privilege (POLP)

    POLP can be adopted not just for regular user accounts but also for privileged users. Granting these users only the access they need to perform a specific action, and nothing more, will pay off eventually, and considerably reduce your organization’s attack surface.

  • Enforce stringent password policies

    Most times, the default usernames and passwords of service accounts are not changed, increasing the chances of them being targets for hackers. Accounts should not be configured with passwords that do not expire, and passwords have to be changed regularly. Furthermore, relying on passwords alone is a thing of the past. Multi-factor authentication can be used to secure privileged accounts from social engineering or brute-force attacks.

  • Enable role-based access control (RBAC)

    Use RBAC to grant access to those who need it while blocking those who don't. Add and switch roles quickly, and implement them globally across operating systems, platforms, and applications. Rather than using individual attributes, it is efficient to alter user access by their role. For example, if many users have admin privileges, it is much more challenging to secure and manage the assets.

  • Implement automation and self-service workflows

    Automation reduces the risk of data entry errors and increases the efficiency of role assignment. When users need additional access rights, they should follow a request-and-approval process. Upon approval from the stakeholders, user privileges can be elevated only for the time period required to perform the specified task.

  • Audit privileged account activity

    To prevent privilege creep, your organization should audit privileged accounts more often than regular accounts. This can prevent users from continually accumulating new permissions as they move roles or teams within the organization. Employing monitoring tools that target privileged activities can detect wrongdoing, whether from accidental changes or malicious insiders. Using these tools, you can draw up a baseline of normal behavior, which will help identify deviations and trigger alerts in real time. This practice is also an important part of maintaining regulatory compliance. In case of a security incident, it will give you visibility into the chain of events and help your organization respond faster.

  • Adopt temporary privilege escalation

    Rather than granting a user privileged access without any time limit, consider providing the necessary permissions when needed and then removing them once the purpose is served. Adoption of time-based privileged access ensures that your organization is protected against the threat of privilege misuse.

  • Educate privileged users on risks

    Many times, a negligent employee can cause as much damage as an external hacker or a malicious insider. Users of elevated privileges should clearly understand the rules of behavior imposed on them to limit insider threats. Since phishing and social engineering attacks are gaining traction, cybersecurity awareness among employees is a must.

  • Re-examine your policies on a regular basis

    Nothing is set in stone when it comes to an organization's security measures. Having a constantly evolving security policy based on the latest cyber risks is the way forward. As your organization grows or restructures, your security and risk management needs may require a revamp.

How ManageEngine ADManager Plus can help

ADManager Plus is an integrated Active Directory management and reporting solution that is packed with capabilities for managing your privileged accounts easily.


ADManager Plus Trusted By

The one-stop solution to Active Directory Management and Reporting