Secure Windows environments with privileged access management
Windows machines are everywhere – making up the majority of desktops, laptops and servers in many organizations. Powerful privileged accounts exist in every system and, when Windows administrators grant local administrator privileges to users for convenience and productivity, a larger attack surface results from this privilege creep – providing attackers with an expansive opportunity to gain a foothold inside an organization.
Once attackers establish their presence inside a network, they are able to move laterally and escalate privileges by leveraging locally stored hashes to take advantage of inherent vulnerabilities in the Kerberos authentication protocol, such as pass-the-hash. Frequently, the attacker’s main goal is to reach a Domain Controller, the central authority of trust within the Windows environment. Once a Domain Controller is compromised, the attacker has carte blanche access to the entire domain, eluding the visibility or awareness of the organization.
To secure Windows environments, organizations must implement layered security measures. To greatly reduce the attack surface and mitigate the risk of attackers exploiting local administrator privileges to gain a foothold, it is recommended that organizations remove local administrative rights and control applications on Windows endpoints with whitelisting/blacklisting solutions. To protect highly valuable assets including domain controllers, organizations should secure, manage and rotate privileged credentials. The use of unique credentials for each system combined with regular rotation of credentials helps organizations reduce the likelihood of attackers moving throughout the network, escalating privileges and gaining access to more sensitive assets. Finally, to gain visibility and reduce an attacker’s window of opportunity, organizations should implement continuous monitoring and threat detection to identify and alert on malicious activity that could indicate an in-progress attack.
To help organizations secure Windows environments, CyberArk offers an end-to-end privileged access management solution that enables organizations to:
- Discover all Windows privileged accounts, including local administrator, domain administrator and service accounts
- Remove local administrator rights and enforce least privilege policies while enabling users to run trusted applications and carry out authorized tasks
- Control and monitor applications on Windows endpoints to prevent malicious applications from entering the environment
- Restrict unknown applications to maintain productivity, enabling users to safely run them on endpoints while not impacting security
- Secure, manage, control and rotate privileged credentials, including those of local administrator, service, domain administrator and server administrator accounts
- Secure privileged sessions to protect target systems from potential malware on endpoints
- Analyze, detect, alert and respond to malicious activity occurring on Windows systems including exploitation of the Kerberos protocol
- Detect and block malicious attempts at credential theft to limit/eliminate lateral movement to contain attackers
This unique set of Windows security capabilities is delivered on a single, integrated platform designed to secure all privileged accounts, including in Windows and Unix environments, whether on premises or in the cloud. By incorporating Windows system accounts into a broader privileged access management strategy, organizations can gain a number of benefits, including:
- Locate all privileged Windows accounts and credentials to understand where privileged access exists and set a plan to programmatically manage and secure the environment
- Mitigate the risk of malware entering the organization and remove everyday local administrator privileges from business users without impacting user productivity or driving up help desk costs
- Provide visibility into malicious applications in the organization and block malware from executing on Windows machines
- Shrink the attack surface by securely managing and regularly rotating shared administrator accounts and eliminating multiple individual privileged domain accounts
- Reduce an attacker’s window of opportunity on Windows systems with real-time detection and alerting of anomalous privileged access activity, as well as enable better, faster policy decisions
- Implement, expand and manage a complete Privileged Access Security solution