CIOReview | December - January | In My Opinion

SECURING YOUR ON-PREM ACTIVE DIRECTORY ENVIRONMENT
By Brian Wozniak, Director - Infrastructure Engineering, Zurn Elkay Water

The concept of "least privileged access" is widely acknowledged and accepted as best practice, but what are you doing to review and protect your accounts with "most privileged access"? Start with your on-prem Active Directory environment and review the accounts with the highest levels of privilege. In general, the fewer accounts that have local admin permissions and the fewer servers they have access to, the more secure your company will be.

Audit and Reduce the Number of Accounts with Domain Admin and Enterprise Admin Permissions

If you're not auditing Active Directory accounts to review your domain admins and enterprise admins, you might be leaving yourself open to significant vulnerabilities. Here are a few steps you should be taking if you are not already:

· Make sure you review the accounts with domain admin and enterprise admin access at least quarterly and track the changes each quarter
· Identify any changes and understand the reasons for adding or removing access
· Remove access (not just disabling accounts) for people who have left the organization
· Eliminate all service accounts from domain admin and enterprise admin. This is a huge deal
· For these purposes, I am considering any account that does not require a password change to be a service account
· Wherever possible, remove accounts from domain admin and enterprise admin access and add them as local admins on only those servers where they need local admin permissions

Use Dedicated Admin Accounts

Every person with local admin permissions to a server should have 2 separate accounts, and domain admins should have 3 separate accounts:

1. Their user account, which they use for accessing email, their PC, and other services
2. Their admin account, which is only used to sign into servers
3. Their domain admin account, which is only used to sign into domain controllers

The reason for this separation is that the regular user account is used in so many places that it is much more susceptible to compromise. Using a dedicated account, per user, to access servers significantly increases your security. If a person has domain admin permissions, they should have a third account that has the domain admin permissions and is only used to sign into domain controllers. This significantly reduces the risk of compromise of your most highly privileged accounts.

The admin account should have a minimum requirement of 12 characters and be complex (uppercase, lowercase, numbers, special characters, and random), making it very difficult to crack. The domain admin account should have a minimum requirement of 25 characters and be complex (uppercase, lowercase, numbers, special characters, and random), making it even more difficult to crack.

Identify All Local Admins on All Servers in Your Domain

Odds are, you will find many more accounts with much wider access and much greater permissions to your servers than you would expect. Each account represents a distinct vulnerability that can be exploited. To help reduce the vulnerabilities that these accounts present, you can and should take 2 different approaches to how you analyze your data.
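The quarterly Domain Admins / Enterprise Admins review described in the first section, as an added example that is not part of the article and not the author's own script. It assumes the RSAT ActiveDirectory module, that it runs in the forest root domain (where Enterprise Admins lives), and an assumed snapshot folder C:\ADAudit\Snapshots. It records this quarter's membership, prints what was added or removed since the last snapshot, and flags the two findings the article calls out: disabled accounts that still hold membership (to be removed, not just disabled) and accounts whose password never expires, which the article counts as service accounts.

```powershell
# Added example, not from the article: quarterly audit of Domain Admins and
# Enterprise Admins. Assumes the RSAT ActiveDirectory module, execution in the
# forest root domain, and an assumed snapshot folder C:\ADAudit\Snapshots.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
$SnapshotDir      = 'C:\ADAudit\Snapshots'   # assumed location for quarterly snapshots
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

# Enumerate members recursively so a nested group cannot hide an account.
$Current = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate
            [pscustomobject]@{
                Group                = $Group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
            }
        }
}

# Compare with the previous quarter's snapshot before writing this quarter's
# (file names carry the date, so lexical sort puts the newest last).
$Key      = { "$($_.Group)\$($_.SamAccountName)" }
$Previous = Get-ChildItem -Path $SnapshotDir -Filter 'privileged-*.csv' |
            Sort-Object Name | Select-Object -Last 1
if ($Previous) {
    $OldKeys = @(Import-Csv $Previous.FullName | ForEach-Object $Key)
    $NewKeys = @($Current | ForEach-Object $Key)
    Write-Output "=== Changes since $($Previous.Name) (record the reason for each) ==="
    foreach ($k in $NewKeys) { if ($k -notin $OldKeys) { "ADDED    $k" } }
    foreach ($k in $OldKeys) { if ($k -notin $NewKeys) { "REMOVED  $k" } }
}
$Current | Export-Csv -NoTypeInformation `
    -Path (Join-Path $SnapshotDir "privileged-$(Get-Date -Format 'yyyy-MM-dd').csv")

# Findings that map to the article's remediation steps.
Write-Output "=== Findings ==="
foreach ($m in $Current) {
    $id = "$($m.Group)\$($m.SamAccountName)"
    if (-not $m.Enabled) {
        "REMOVE FROM GROUP  $id  (disabled account still holds membership)"
    }
    if ($m.PasswordNeverExpires) {
        # The article treats any account that never has to change its password as a service account.
        "SERVICE ACCOUNT    $id  (grant local admin on only the servers it needs, then remove here)"
    }
}
```

Run it as a scheduled job each quarter; the printed ADDED/REMOVED lines are the change list the article asks you to track and explain, and the CSV history is the evidence that the review happened.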
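The tiered account model and the 12- and 25-character minimums from the "Use Dedicated Admin Accounts" section, as an added example that is not part of the article and not the author's own script. It assumes the RSAT ActiveDirectory module, a domain functional level that supports fine-grained password policies, and an assumed group named 'Server Admins' that holds the dedicated server-admin (second) accounts; Domain Admins is the built-in group. It creates one password settings object per tier and then reports members whose effective policy is still weaker than the tier, or whose current password was set before the policy existed (a PSO only takes effect at the next password change).

```powershell
# Added example, not from the article: fine-grained password policies for the
# article's tiers plus a compliance report. Assumes the RSAT ActiveDirectory
# module and an assumed 'Server Admins' group for dedicated server-admin accounts.
Import-Module ActiveDirectory

$Tiers = @(
    @{ Name = 'PSO-DomainAdmins'; Group = 'Domain Admins'; MinLength = 25; Precedence = 10 },
    @{ Name = 'PSO-ServerAdmins'; Group = 'Server Admins'; MinLength = 12; Precedence = 20 }
)

foreach ($t in $Tiers) {
    # Lower precedence value wins, so a person who is in both groups gets the 25-character rule.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($t.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
            -MinPasswordLength $t.MinLength -ComplexityEnabled $true `
            -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
}

# A PSO only applies when a password is next changed, so check each member's
# effective policy and flag passwords that were set before the PSO was created.
$DefaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
foreach ($t in $Tiers) {
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $t.Name -Properties whenCreated
    Get-ADGroupMember -Identity $t.Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u   = Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet
            $eff = Get-ADUserResultantPasswordPolicy -Identity $u
            $min = if ($eff) { $eff.MinPasswordLength } else { $DefaultMin }
            if ($min -lt $t.MinLength) {
                "POLICY GAP    $($u.SamAccountName): effective minimum $min, tier requires $($t.MinLength)"
            } elseif ($u.PasswordLastSet -lt $pso.whenCreated) {
                "RESET NEEDED  $($u.SamAccountName): password predates $($t.Name)"
            }
        }
}
```

The policy controls password length and complexity only; the article's other rule, that the admin account signs into servers and the domain admin account signs into domain controllers only, is a logon restriction that has to be applied separately.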
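The server-wide local admin inventory from the last section, as an added example that is not part of the article and not the author's own script. It assumes the RSAT ActiveDirectory module, WinRM reachable on every server, PowerShell 5.1 on the servers (for Get-LocalGroupMember), and a single-domain forest. Domain groups found in a server's local Administrators group are expanded to their nested users, which is where the "many more accounts than you would expect" usually come from. The article's two analysis approaches are not on this page; the two views below (per server and per account) are this example's own choice.

```powershell
# Added example, not from the article: inventory the local Administrators group on
# every domain-joined server and expand domain groups so nested access is visible.
# Assumes the RSAT ActiveDirectory module, WinRM access to the servers, PowerShell 5.1
# on them, and a single-domain forest.
Import-Module ActiveDirectory

$Servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" |
           Select-Object -ExpandProperty DNSHostName

# One remote call per server; unreachable hosts land in $Unreachable instead of being
# silently skipped, because a server you cannot audit is itself a finding.
$Raw = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue `
                      -ErrorVariable Unreachable -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}

$Domain   = (Get-ADDomain).NetBIOSName
$Expanded = foreach ($m in $Raw) {
    if ($m.ObjectClass -eq 'Group' -and "$($m.PrincipalSource)" -eq 'ActiveDirectory') {
        # A domain group in local Administrators grants every nested user admin rights on this server.
        $sam = $m.Name -replace '^.*\\', ''
        Get-ADGroupMember -Identity $sam -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ Server = $m.Server; Account = "$Domain\$($_.SamAccountName)"; Via = $m.Name }
            }
    } else {
        [pscustomobject]@{ Server = $m.Server; Account = $m.Name; Via = 'direct' }
    }
}

# View 1: per server, how many distinct accounts can administer it.
$ByServer = $Expanded | Group-Object Server | ForEach-Object {
    [pscustomobject]@{ Server = $_.Name; AdminCount = @($_.Group.Account | Sort-Object -Unique).Count }
} | Sort-Object AdminCount -Descending

# View 2: per account, how many servers it can administer; the broadest reach is the largest exposure.
$ByAccount = $Expanded | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.Name
        ServerCount = @($_.Group.Server | Sort-Object -Unique).Count
        Via         = ($_.Group.Via | Sort-Object -Unique) -join ';'
    }
} | Sort-Object ServerCount -Descending

$Expanded  | Export-Csv -Path '.\local-admins-detail.csv' -NoTypeInformation
$ByServer  | Format-Table -AutoSize
$ByAccount | Format-Table -AutoSize
$Unreachable | ForEach-Object { "NOT AUDITED  $_" }
```

The detail CSV keeps the Via column, so when an account shows up on far more servers than expected you can see which group membership put it there and trim the group rather than chasing each server individually.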