According to IBM’s Cost of a Data Breach Report 2024, the average cost of a single data breach reached an all-time high of $4.88 million last
Organizations separate access to specific data and administrative capabilities into different types of privileged accounts in order to securely run their operations. Some types of privileged accounts include domain administrator (admin) accounts, local admin accounts, privileged user accounts and emergency accounts. If not properly managed or secured, cybercriminals can gain unauthorized access to these privileged accounts and steal an organization’s sensitive data.
Continue reading to learn more about privileged accounts, the different types of privileged accounts, the challenges privileged accounts face and how your organization can protect them.
What Is a Privileged Account?
A privileged account is an account within an organization that has higher privileges than standard accounts. These higher privileges allow certain users to access the organization’s sensitive systems, databases, applications and network infrastructure. Privileged accounts can access sensitive data and perform administrative tasks for an organization that most users cannot. If these accounts are misused or accessed by unauthorized users, it can hurt the organization and result in a loss of money, loss of sensitive data and a ruined reputation.
7 Types of Privileged Accounts
There are different types of privileged accounts, each with different levels of access and privileges to perform their respective functions. Here are the seven types of privileged accounts.
Domain admin account
Domain administrative accounts are the most important privileged accounts in an organization’s network. They have complete and unrestricted access and control over the Active Directory Domain – the collection of the organization’s assets such as servers, accounts, applications and workstations. Domain admin accounts can modify the membership of every administrative account within an organization. These accounts need to be restricted as much as possible and only given on an as-needed basis.
Local admin account
Local administrative accounts grant administrative-level access to local machines. IT admins use local admin accounts to set up or perform maintenance on workstations, servers, network devices and other local machines within an organization. Local admin accounts often use the same password across multiple devices, which cybercriminals exploit to gain initial access into an organization’s network and move laterally.
Privileged user account
Privileged user accounts are standard user accounts that have been granted certain privileges to do their jobs. These accounts are given access to certain resources that normal users are not provided, such as access to sensitive data or certain administrative capabilities. They are the most common and riskiest type of privileged account. If mismanaged, cybercriminals can compromise privileged user accounts and move laterally throughout an organization’s network.
Emergency account
Emergency accounts, also known as break glass accounts, are used when organizations are unable to access their systems and need immediate access. These accounts are disabled and are only activated in case of an emergency such as loss of access due to a cyber attack. Organizations will use emergency accounts to regain access to their systems and restore them.
Service account
Service accounts are used by an application or service to ensure operating systems function and programs are running. These non-human accounts should not be logged onto by local systems. However, the passwords to these accounts often do not change and are shared with team members, making them popular targets for cybercriminals.
Domain Service Account
Domain Service Accounts allow systems and applications to communicate with each other and access required resources to run reports, access databases and call APIs. They assist in updating security patches, saving backups and deploying software. Many admins don’t change the passwords for Domain Service Accounts because changing the password requires the account to log out and breaks the application if not properly synced. This lack of security allows cybercriminals to easily compromise the passwords to these accounts.
Application account
Application accounts are used by applications to access databases and networks to perform automated tasks such as updating software and providing access to other applications. The passwords for these accounts are often embedded in unencrypted text files and can easily be exploited by cybercriminals to gain access to an organization’s network.
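The account types above each have a characteristic weakness: shared local admin passwords, non-human account passwords that never change, and emergency accounts that should stay disabled. The following added example (not from the original article or any Keeper product) audits a constructed account inventory for those three conditions. The field names, the `pw_fp` password fingerprint and the 90-day threshold are assumptions.

```python
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90  # assumption: rotation threshold, not a figure from the article
NON_HUMAN = {"service", "domain_service", "application"}

# Constructed sample inventory. Field names are hypothetical; "pw_fp" stands for
# any value that is equal when two accounts have the same password.
INVENTORY = [
    {"name": "WS01\\Administrator", "type": "local_admin", "enabled": True, "pw_set": date(2024, 9, 1), "pw_fp": "fp-A"},
    {"name": "WS02\\Administrator", "type": "local_admin", "enabled": True, "pw_set": date(2024, 9, 1), "pw_fp": "fp-A"},
    {"name": "SRV01\\Administrator", "type": "local_admin", "enabled": True, "pw_set": date(2024, 9, 3), "pw_fp": "fp-B"},
    {"name": "svc-backup", "type": "domain_service", "enabled": True, "pw_set": date(2022, 3, 15), "pw_fp": "fp-C"},
    {"name": "app-reports", "type": "application", "enabled": True, "pw_set": date(2024, 8, 20), "pw_fp": "fp-D"},
    {"name": "breakglass-01", "type": "emergency", "enabled": True, "pw_set": date(2024, 1, 10), "pw_fp": "fp-E"},
    {"name": "breakglass-02", "type": "emergency", "enabled": False, "pw_set": date(2024, 1, 10), "pw_fp": "fp-F"},
]

def audit(accounts, today):
    """Return (account name, finding) pairs for the weaknesses described above."""
    findings = []
    local_admins_by_fp = defaultdict(list)
    for acct in accounts:
        # Emergency (break glass) accounts are expected to be disabled until needed.
        if acct["type"] == "emergency" and acct["enabled"]:
            findings.append((acct["name"], "emergency account is enabled"))
        # Service, domain service and application passwords that are never rotated.
        age = (today - acct["pw_set"]).days
        if acct["type"] in NON_HUMAN and age > MAX_AGE_DAYS:
            findings.append((acct["name"], f"password unchanged for {age} days"))
        if acct["type"] == "local_admin":
            local_admins_by_fp[acct["pw_fp"]].append(acct["name"])
    # The same local admin password on several machines enables lateral movement.
    for names in local_admins_by_fp.values():
        if len(names) > 1:
            for name in names:
                findings.append((name, f"local admin password shared with {len(names) - 1} other machine(s)"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, date(2024, 10, 1)):
        print(f"{name}: {finding}")
```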
Challenges Privileged Accounts Face
Many cybercriminals want to compromise privileged accounts to gain unauthorized access to an organization’s network. Here are the types of threats privileged accounts face.
Phishing
Phishing is a type of cyber attack that tricks privileged users into giving up their sensitive information such as their login credentials. Cybercriminals will impersonate someone familiar to the victim, such as a colleague or admin, and send the victim an email or text with a malicious attachment or link to click on. If the victim clicks on the link, they are directed to a spoofed website that either downloads malware on their device or prompts them to reveal their login credentials.
Insider threat
An insider threat is a cyber threat that happens within an organization. It occurs when a current or former employee, partner, contractor or vendor causes sensitive data and systems to become compromised. These insider threats can be intentional or unintentional. Some insider threats are caused by human error in which privileged accounts are mismanaged or misused by negligent users. Other insider threats are caused by malicious users who try to sabotage the organization from within and steal sensitive information for their benefit.
Malware
Malware is malicious software that cybercriminals secretly install on a user’s device to damage the device or steal sensitive data from it. Cybercriminals will deliver malware to a user’s device by exploiting an organization’s security vulnerabilities or tricking users into accidentally installing malware. They trick users into visiting an infected website or downloading malicious software from phishing emails, malicious ads or spoofed websites. Once malware is installed on a privileged user’s device, it can steal the login credentials of privileged accounts.
Brute force attack
A brute force attack is a type of password-related cyber attack in which cybercriminals use trial and error to guess the login credentials to privileged accounts. Cybercriminals rely on organizations having poor password hygiene so that passwords are easy to crack. Privileged accounts protected by weak passwords are susceptible to brute force attacks.
Examples of weak passwords include:
- Passwords less than 16 characters
- Passwords that are reused across multiple accounts
- Passwords containing personal information
- Sequential numbers or letters (12345 or abcde)
- Commonly used dictionary words (password)
- Repeated letters or numbers (55555 or aaaaa)
How To Protect Privileged Accounts
Privileged accounts have access to an organization’s sensitive data. Organizations need to protect privileged accounts from cybercriminals to secure their sensitive data. Here are the ways organizations can protect privileged accounts.
Implement least privilege access
To protect privileged accounts, organizations need to implement least privilege access. The principle of least privilege is a cybersecurity concept that, when put into practice, gives users just enough network access to the information and systems they need to do their jobs – and no more. Least privilege access limits the number of people who can access privileged accounts and restricts what privileges those accounts have.
The best way to implement least privilege access is with a Privileged Access Management (PAM) solution. PAM refers to managing and securing accounts that have permission to access highly sensitive data and systems. With a PAM solution, organizations have full visibility and control over all network, application, server and device access. It helps prevent privileged accounts from getting misused by insider threats and compromised by external threat actors.
Secure privileged accounts with strong passwords
Cybercriminals will execute brute force attacks to guess the login credentials of privileged accounts in order to gain unauthorized access. Organizations need to secure privileged accounts with strong and unique passwords to prevent cybercriminals from gaining unauthorized access. Using unique passwords makes it difficult for cybercriminals to compromise multiple privileged accounts. Strong passwords that are both long and complex prevent cybercriminals from guessing the passwords to privileged accounts.
The passwords for privileged accounts should be unique and random combinations of at least 16 uppercase and lowercase letters, numbers and special characters. These passwords should avoid any personal information, sequential numbers or letters and commonly used dictionary words.
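The weak-password list and the requirements above can be checked mechanically. This added example (not from the original article or any Keeper product) tests a candidate password against each criterion and generates a compliant one with Python's `secrets` module. The small word list and the run length of 4 are assumptions, and reuse across accounts cannot be detected from a single password.

```python
import secrets
import string

MIN_LENGTH = 16  # the article's minimum length
# Assumption: a tiny constructed word list; a real check would use a large dictionary.
COMMON_WORDS = {"password", "welcome", "admin", "qwerty", "letmein"}
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def has_sequence(pw, run=4):
    """True if pw contains `run` ascending or descending neighbours (1234, dcba)."""
    for i in range(len(pw) - run + 1):
        deltas = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if deltas == {1} or deltas == {-1}:
            return True
    return False

def has_repeat(pw, run=4):
    """True if the same character occurs `run` times in a row (5555, aaaa)."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))

def weaknesses(pw, personal_info=()):
    """Return the list of criteria from the article that pw fails."""
    low, found = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        found.append("shorter than 16 characters")
    if not all(any(c in cls for c in pw) for cls in CLASSES):
        found.append("missing a character class")
    if has_sequence(low):
        found.append("sequential characters")
    if has_repeat(low):
        found.append("repeated characters")
    if any(word in low for word in COMMON_WORDS):
        found.append("dictionary word")
    if any(item and item.lower() in low for item in personal_info):
        found.append("personal information")
    return found

def generate(length=20):
    """Generate a random password that passes every check above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(pw):
            return pw
```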
The best way to ensure employees are using strong passwords is by using a business password manager. A business password manager is a tool that allows organizations and their employees to track, store, share, protect and manage all passwords. Passwords are stored in a digitally encrypted vault that is protected by a strong master password and MFA. Password managers give IT administrators complete visibility into an employee’s password practices and help employees generate strong passwords.
Enforce MFA
Multi-Factor Authentication (MFA) is a security protocol that requires additional authentication to gain access to an account. With MFA enabled, users need to provide their login credentials along with another form of identification to gain access to a privileged account. MFA provides an extra layer of security to these privileged accounts by ensuring only authorized access. Even if the login credentials to these privileged accounts were compromised, cybercriminals could not access the account since it is protected by MFA.
Conduct cybersecurity training
To protect privileged accounts, organizations need to conduct cybersecurity training for their employees. By training their employees, organizations can ensure privileged accounts don’t become compromised. Employees need to learn about cyber attacks such as phishing, so they can recognize and avoid them. They should follow cybersecurity best practices such as avoiding unsolicited attachments or links, storing sensitive information in an encrypted location and regularly updating their software.
How Keeper® Protects Privileged Accounts
The best way to protect privileged accounts is by using a PAM solution. With a PAM solution, organizations can reduce their attack surface and prevent lateral movement from within their network. PAM gives administrators complete control over their data infrastructure and allows them to protect privileged accounts with strong passwords and MFA.
KeeperPAM™ is a privileged access management solution that is protected by zero-knowledge encryption and zero-trust security. This ensures only your organization has access to your sensitive data. KeeperPAM combines Keeper Enterprise Password Manager, Keeper Secrets Manager® and Keeper Connection Manager® to give you full control over your data.
Request a demo of KeeperPAM to start protecting your privileged accounts.