IT divisions of most of the organizations worldwide extensively use the Windows infrastructure. IT administrators have to deal with hundreds of Windows accounts, including the local administrator, domain member, domain administrator, and service accounts. Managing each of these accounts presents unique challenges. Any lapse in proper management leaves the organization vulnerable to attacks.
Some specific challenges include:
- Local Administrator Accounts: It is quite common to see local administrator accounts having weak passwords that are left unchanged. Some organizations leave unchecked the practice of using the same password for multiple local administrator accounts. Due to these lapses, although the access level of a local account is restricted only to specific computers, if an attacker gains access to a local account, they can easily traverse laterally and access the organization’s network and even get a chance to elevate their privileges.
- Domain Administrator Accounts: Domain administrator accounts carry very high privileges. IT organizations are generally very cautious and restrict access to the domain administrator credentials only to a few administrators. However, password management best practices (such as strong, unique passwords and frequently changing them) are not strictly followed. In addition, if the domain administrator accounts are used to access any workstation or a server, the passwords become susceptible to pass-the-hash attacks. Windows caches the password as hashes to facilitate single sign-on. If an attacker gains access to a system that was previously accessed using domain administrator credentials, the risk of identity theft becomes bright. It becomes essential to enforce password management best practices and to restrict the usage of domain administrator credentials to domain controllers alone.
- Service Accounts: Some Windows domain accounts are used to run services, processes, scheduled tasks, and IIS app pools. Domain accounts often have numerous such dependencies and it becomes difficult to trace which accounts are used as service accounts and where. Depending on the nature of dependencies, service accounts become high privileged accounts too. Without a tool in place, IT administrators lack visibility on the dependencies and hence are forced to leave the service account passwords unchanged. Static passwords invite security issues.
Securden helps you to effectively manage the entire life cycle of the Windows infrastructure credentials:
Discover all types of Windows accounts
Securden discovers all the Windows accounts and their dependencies present in your network. In addition to consolidating the accounts that are in use, the discovery process finds inactive ones including the long-forgotten privileged accounts, privileged accounts created by those who left the organization, accounts you forgot to disable after off-boarding a contractor, and so on. You can schedule Account Discovery to run periodically and add accounts as soon as they are created and bring all accounts under effective management.
Automate password security best practices
Enforce your organization’s password policy across all your Windows accounts, local, domain admin, and service accounts, uniformly. Automate the process to reset the passwords periodically or post every usage.
Complete visibility and control over Windows service accounts
Securden not only discovers the dependencies of service accounts but also automates the entire management. Whenever the password of a domain account is changed, the change is propagated across all the dependencies too. IT administrators can carry out password changes without worrying about services stopping or about a possible catastrophic domino effect.