What are Privileged Accounts and Why Are They Important?
A privileged account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify system or application configurations. They might also have access to files that are not normally accessible to standard users.
Privileged accounts are typically tied to roles within an organization. Examples include IT administrators, security teams, helpdesk experts, 3rd party contractors, application owners, database administrators, operating systems, and services accounts, etc.
A privileged account can also be a machine-to-machine (M2M) or application-to-application (A2A) account that runs automatic operations without human interaction. Typical examples include automated payment transactions, smart asset tracking in the shipping industry, automated claims handling in the insurance industry or daily backups of corporate critical data.
Since privileged accounts always grant access to information or target that is valuable or critical for the operations of a business, they require special audit attention and management.
There are many kinds of privileged accounts:
Root and administrator accounts are typically used for installing and removing software and changing configurations. They grant very broad and highest access privileges for specific servers or databases and are also appropriately called superuser accounts.
In Windows, administrator accounts are user accounts that are used for managing aspects of a computer, domain, or the whole enterprise IT infrastructure.
Administrator accounts are often named
Administratorin standalone computers and small environments. However, any user in Windows can be made an administrator by adding it to the proper group.
Common administrator account subtypes include Local Administrator and Domain Administrator.
- Domain Administrator accounts grant full access and control of the Active Directory (AD) domain. These accounts are particularly armed and dangerous, since they give control over all domain controllers, domain workstations, and domain member servers and allow modifying the configuration of Active Directory or any content stored in Active Directory. This includes creating new users, deleting users, and changing their permissions.
Domain administrator is a kind of
- Local Administrator accounts are user accounts that can manage a local computer in Windows. Generally, a local administrator can do anything to the local computer, but is not able to modify information in active directory for other computers and other users.
The local administrator account is often called Administrator, but any user can be made a local administrator by adding the user to the Local Administrator group.
Service accounts are used for running processes, such as web servers, database servers, and application servers. Service accounts may also be created just to own data and configuration files.
Service accounts are not intended to be used by people, except for performing administrative operations.
Application accounts are linked to the specific application software and typically administer, configure or manage access to the application software. Application accounts allow interactions between applications and are typically run automatically by without human interaction. The exception to the rule is maintenance tasks performed by privileged users.
System accounts are created by an operating system during installation and used for running operating system components and owning related files.
System accounts often have predefined user ids. Examples of system accounts include the root account in Linux.
The distinction of system accounts and service accounts is sometimes blurred. Many system accounts run operating system processes, and in this respect resemble service accounts. Some system accounts, such as
root, are also logged into by system administrators.
Privileged access management (PAM) refers to a set of processes and tools for controlling, monitoring, and auditing privileged accounts and access. Traditional PAM solutions are typically based on password vaults and password rotation, whereas modern next generation systems avoid passwords altogether.