Least Privilege Strategy
Before you even touch the Securden Endpoint Privilege Manager, define what you want to achieve by enforcing least privilege. That goal determines where to focus first and how to adopt the principle of least privilege successfully.
Identifying Current Risk Profile
Goal: Estimating how exposed the organization is to privilege misuse and cyberattacks.
Run an audit to find out how many administrator accounts are currently in use and what each one is for. Accounts often accumulate privileges and permissions from requirements that are long obsolete. Every permission delegated to an account must serve a current purpose.
Make sure the audit includes all non-human identities and service accounts. For each service account, list its dependencies: the services, processes, and application pools that run under it.
Pro Tip
Discovering service accounts along with their dependencies can be painstaking without a dedicated solution. You may look at Securden Unified PAM for this.
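As an added example (not part of the Securden documentation), the following PowerShell script performs the first two steps of this audit on a single Windows endpoint: it lists who holds local Administrators membership and maps each named service account to the services and IIS application pools that depend on it. It assumes an elevated PowerShell 5.1+ session on the endpoint; the built-in account names and the WebAdministration module are standard Windows components.

```powershell
# Added example, not Securden code: inventory local admin rights and service-account
# dependencies on one Windows endpoint. Run elevated on the endpoint being audited.

# Built-in service identities that are not candidates for review.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Get-LocalAdminInventory {
    # Every member of the local Administrators group, with its type and origin,
    # so each admin right can be matched against a current business purpose.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD
        }
    }
}

function Get-ServiceAccountDependencies {
    # Services running under a named (non-built-in, non-virtual) account, grouped
    # per account, so dependencies are known before the account is rotated or removed.
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.StartName -and ($builtin -notcontains $_.StartName) -and ($_.StartName -notlike 'NT SERVICE\*')
    }
    $svc | Group-Object -Property StartName | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Count    = $_.Count
            Services = ($_.Group | ForEach-Object { "$($_.Name) [$($_.StartMode)/$($_.State)]" }) -join ', '
        }
    }
}

function Get-AppPoolIdentities {
    # IIS application pools bound to a specific user account (skipped when IIS is absent).
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) { return @() }
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        ForEach-Object { [pscustomobject]@{ Account = $_.processModel.userName; AppPool = $_.Name } }
}

Get-LocalAdminInventory        | Format-Table -AutoSize
Get-ServiceAccountDependencies | Format-Table -AutoSize
Get-AppPoolIdentities          | Format-Table -AutoSize
```

Export the three result sets with Export-Csv and collect them across endpoints to build the fleet-wide inventory the audit step calls for.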
Prioritizing High Risk Accounts
Goal: Ensuring a smooth large-scale adoption of least privilege by following the ‘Crawl-Walk-Run’ approach.
Instead of going all in and removing admin rights across all endpoints at once, prioritize the highest-impact accounts and target them first.
Begin by identifying the most sensitive accounts, such as root users and domain admins. They hold high privileges on multiple critical devices across the network and are highly sought after by threat actors. Secure them by rotating their passwords and storing the credentials in a safe, encrypted location. Once root and domain admin accounts are secured, turn to sensitive non-human identities such as service accounts. These often carry very high privileges and are criminally overlooked. Secure them by locking them inside an encrypted vault and enforcing periodic password rotation.
Pro Tip
Periodic password rotation is error-prone when done manually. Automating it with a dedicated solution usually pays off. You may explore Securden Unified PAM to combine credential management with least privilege.
Defining ‘Just Enough’ Privilege
Goal: Identifying how much privilege/permission each team needs.
Privileges and permissions allow users to access data, run applications, make changes, and get their work done. While most users can make do with a standard user account, users often find themselves unable to complete their tasks without the permissions and privileges of a local admin account.
Does this mean they should be working with an administrator account? The short answer is No. They should be given the minimum permissions required to do their jobs while keeping security in mind.
“Just Enough Privilege” is the minimum level of permission a user needs to get a job done.
You must explore and find out what is just enough privilege for each functional unit in your organization.
Pro Tip
Monitoring the activities of existing admin users will give you insight into how admin rights are used in your organization. Running the Securden agent in learning mode helps in this regard.