7 Types of Privileged Accounts: Service Accounts and More
November 1, 2017 | Security and Risk | Amy Burnis
Privileged accounts exist in many forms across the enterprise environment and they pose significant security risks if not protected, managed and monitored. The types of privileged accounts typically found in an enterprise environment include:
- Local Administrative Accounts are non-personal accounts that provide administrative access to the local host or instance only. Local admin accounts are routinely used by the IT staff to perform maintenance on workstations, servers, network devices, databases, mainframes, etc. Often, for ease of use, they have the same password across an entire platform or organization. Using a shared password across thousands of hosts makes local administrative accounts a soft target that advanced threats routinely exploit.
- Privileged User Accounts are named credentials that have been granted administrative privileges on one or more systems. This is typically one of the most common forms of privileged account access granted on an enterprise network, allowing users to have administrative rights on, for example, their local desktops or across the systems they manage. Often these accounts have unique and complex passwords. The power they wield across managed systems makes it necessary to continuously monitor their use.
- Domain Administrative Accounts have privileged administrative access across all workstations and servers within the domain. While these accounts are few in number, they provide the most extensive and robust access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative account within the domain, having these credentials compromised is often a worst case scenario for any organization.
- Emergency Accounts provide unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as ‘firecall’ or ‘breakglass’ accounts. While privileged access to these accounts typically requires managerial approval for security reasons, it is usually an inefficient manual process that lacks any auditability.
- Service Accounts can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges depending on the requirements of the application they are being used for. Local service accounts can interact with a variety of Windows components, which makes coordinating password changes difficult.
- Active Directory or Domain Service Accounts make password changes even more challenging, as they require coordination across multiple systems. This challenge often leads to a common practice of rarely changing service account passwords, which represents a significant risk across an enterprise.
- Application Accounts are accounts used by applications to access databases, run batch jobs or scripts or provide access to other applications. These privileged accounts usually have broad access to underlying company information that resides in applications and databases. Passwords for these accounts are often embedded and stored in unencrypted text files, a vulnerability that is replicated across multiple servers to provide greater fault tolerance for applications. This vulnerability represents a significant risk to an organization because the applications often host the exact data that APTs are targeting.
For information on how to protect privileged accounts, please read the rest of our brief guide, which also highlights best practices: “The Three Phases of Securing Privileged Accounts.”