Privileged account management (PAM) is a part of identity and access management (IAM) that deals exclusively with the protection of privileged accounts in an enterprise, including those of operating systems, databases, servers, applications, virtual machines, and networking devices.
What is a privileged account?
The term "privileged account" includes the most powerful accounts spread across an IT environment, such as the UNIX root, Windows administrator, database administrator, and even business application accounts. These accounts are normally used by information and communications teams to set up the IT infrastructure, install new hardware and software, run critical services, and conduct maintenance operations. In short, privileged accounts are master keys that can access an organization's highly classified IT assets along with the sensitive information stored within them.
Types of privileged accounts.
Local/built-in administrator accounts are accounts on member servers and clients that grant absolute control over their hosts. This also includes the default login accounts that come built-in with operating systems, application software, and services. If local administrator passwords are weak, left unchanged, or repeatedly used on multiple accounts across hosts, malicious users could easily gain unauthorized access to workstations. In the worst-case scenario, an attacker with access to a local admin account or a forgotten built-in system account could navigate across the network and even elevate their privileges to that of a domain administrator.
Domain administrator accounts are powerful accounts with the widest range of control over every object in a domain. These accounts provide administrative privileges on all workstations, servers, and domain controllers. Only a few, trusted administrators should use domain administrator accounts. Moreover, they should only use the account to log on to the domain controller systems that are as secure as the domain controllers themselves, especially in a Windows ecosystem.
Administrative service accounts are privileged accounts used by system programs to run application software services or processes. At times, these accounts may possess high or even excessive privileges when a certain dependent service requires it. This also goes for local or domain Windows accounts used to run Scheduled Tasks. Typically, such service account passwords are set to "never change," due to the difficulty in discovering all dependent services and propagating the password change, which could, in turn, delay business service continuity. However, static service accounts can make your enterprise an easy target for hackers.
Root accounts are superuser accounts that carry administrative privileges to manage Unix/Linux resources, which are typically used by system administrators to perform core IT operations. Root accounts have unrestricted access to all files, programs, and other data on a system, and therefore pose an enormous risk when mismanaged.
Application accounts are accounts used by organizations to automate communication between various applications, web services, and native tools to fulfill business and other transaction requirements. Application credentials are usually embedded in clear text within unencrypted application configuration files and scripts to achieve this business communication interfacing.
Embedded application accounts are used in many DevOps environments where credential hard-coding is commonly followed to expedite software development phases and automate service delivery cycles. Administrators usually find it difficult to identify, change, and manage these passwords. As a result, the credentials are left unchanged, which makes them an easy entry-point for hackers.
How privileged account management can help bolster IT security.
Maintain a complete list of all active privileged accounts in your network, and update that list whenever a new account is created.
Store privileged identities like passwords, SSH keys, and SSL certificates in a secure vault using standardized encryption algorithms such as AES-256.
Enforce stringent IT policies that cover password complexity, frequency of password resets, strong SSH key pairs generation, time-limited access to privileged accounts, automatic reset upon one-time use, and other robust controls.
Share the privileged accounts with employees and third-party users in a secure way, such as granting privileged access with the minimal permissions required to carry out the job.
Audit all identity-related operations such as privileged user logins, password shares, password access attempts, reset actions, and so on.
Monitor and record all privileged user sessions in real time.
Why Password Manager Pro is the perfect fit for your PAM needs.
ManageEngine Password Manager Pro is a web-based privileged account management solution tailored for enterprises. The solution allows you to store, share, manage, monitor, and audit the life cycle of any privileged account in your organization. With a range of featuresăsuch as account discovery, strong vaulting mechanisms, granular access controls, automated password resets, SSL certificate life cycle management, user activity auditing, and secure remote accessăall built into a single platform, Password Manager Pro is the one solution you need to ensure privileged account security in your IT environment.