What are Privileged Accounts?
There are a number of different types of privileged accounts in Active Directory and Azure AD / Office 365 that have administrative access to one or more systems.
- Active Directory: These accounts have been added to administrative security groups such as Domain Admins, Administrators or Enterprise Admins, to name a few. They can be used to log in to servers locally or remotely and often have unrestricted access to every server and workstation on the company network. These accounts are a prime target for any malware, phishing or ransomware attack.
- Azure AD / Office 365: Includes any account added to one of the many pre-defined administrative roles such as Global Administrator, Privileged Authentication Administrator or Password Administrator. These accounts are used to set up, configure and manage access to resources hosted in Azure AD and Office 365. Compromising them is also a key goal for attackers, since they open the door to phishing campaigns that spread malware through compromised user mailboxes as a precursor to ransomware attacks.
- Local Administrator Accounts: These accounts have local administrative access on a domain-joined member server, a standalone server that is not joined to Active Directory, a domain-joined workstation or a workstation that is not joined to Active Directory. They only have privileged access on the system they reside on. It is quite common for MSPs and IT departments to use local administrator accounts as a back door to a member server or PC when their access to the Active Directory domain is unavailable or has issues. This becomes a security issue because, most often, the same password is used for every local administrator account, follows a formula that is easy to guess, and stays unchanged for years, making it a prime target for attackers.
- Service Accounts: An Active Directory or local account used to authenticate a Windows service that runs an application, database or system tool. These accounts often have administrative access to Active Directory or to the local system in order to provide the access required by the application they are configured to run. Because the Windows service depends on the account, its password cannot simply be reset without the extra step of updating the service with the new password.
- Scheduled Task Accounts: Every Windows server and workstation has a Task Scheduler, which is used to run scripts or updates at a set time or interval. Accounts used to authenticate scheduled tasks can often have administrative access to the local system or to every system on the corporate network. As with service accounts, the password configured in a scheduled task must also be updated after it is reset.
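As an added example that is not part of the original article, the PowerShell below inventories the Windows services and scheduled tasks on one or more hosts that log on as a given account, which is the information an administrator needs before resetting a service or scheduled-task account password. The `Find-AccountUsage` and `Get-LeafName` functions, the account name and the host names are assumptions; the script assumes Windows PowerShell 5.1 or PowerShell 7 with local administrator rights and WinRM access to each host.

```powershell
# Added example, not from the original article: before resetting a privileged
# account's password, list the Windows services and scheduled tasks that log on
# as that account so each one can be updated with the new password afterwards.
# Assumes Windows PowerShell 5.1 / PowerShell 7 run with local admin rights on
# each host; the account and host names below are constructed placeholders.

function Get-LeafName([string]$Name) {
    # Normalise "CONTOSO\svc_backup", "svc_backup@contoso.com" and "svc_backup"
    # to "svc_backup" so the different logon-name formats compare equal.
    if ($Name -match '\\') { return $Name.Split('\')[-1] }
    if ($Name -match '@')  { return $Name.Split('@')[0] }
    return $Name
}

function Find-AccountUsage {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$ComputerName = @('localhost')
    )
    $leaf = Get-LeafName $Account
    foreach ($computer in $ComputerName) {
        # Services: Win32_Service.StartName is the logon account the service uses.
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -and (Get-LeafName $_.StartName) -ieq $leaf } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Type = 'Service'
                                   Name = $_.Name; RunAs = $_.StartName; State = $_.State }
            }
        # Scheduled tasks: Principal.UserId is the account the task runs as.
        # Get-ScheduledTask has no -ComputerName, so target the host via a CIM session.
        $session = New-CimSession -ComputerName $computer
        try {
            Get-ScheduledTask -CimSession $session |
                Where-Object { $_.Principal.UserId -and (Get-LeafName $_.Principal.UserId) -ieq $leaf } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $computer; Type = 'ScheduledTask'
                                       Name = "$($_.TaskPath)$($_.TaskName)"
                                       RunAs = $_.Principal.UserId; State = $_.State }
                }
        }
        finally { Remove-CimSession -CimSession $session }
    }
}

# Constructed example call: inventory one placeholder service account on two hosts.
Find-AccountUsage -Account 'CONTOSO\svc_backup' -ComputerName 'localhost', 'FILESRV01' |
    Format-Table -AutoSize
```

Run it before the reset, keep the output as the checklist of services and tasks to reconfigure, and run it again afterwards to confirm nothing was missed.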