How To Guide
How to Manage Privileged Access in Businesses
80% of breaches involve compromised privileged credentials.
Overview
Control who gets admin access, when, and for how long.
Step 1: Fundamentals
Core principles.
1. Least Privilege
- No admin by default
- Standard accounts for daily work
- Elevate only for admin tasks
- Audit every privileged account
2. Separate Accounts
- Dedicated admin accounts
- No email on admin accounts
- MFA on all admin accounts
Step 2: Controls
Technical implementation.
1. Credentials
- PAM vault for storage
- Automatic password rotation
- Eliminate shared passwords
- Record privileged sessions
2. JIT Access
- Time-limited elevation
- Approval required
- Auto-revoke after period
- All sessions logged
3. Session Monitoring and Recording
- Record all privileged access sessions for audit and forensic review
- Enable keystroke logging for highly sensitive system access
- Monitor for unusual commands: bulk file operations, new service creation, registry changes
- Alert on privileged access outside business hours
- Implement session timeout: automatically disconnect idle privileged sessions
- Review recorded sessions when investigating security incidents
4. Service Account Management
- Inventory all service accounts and document their purpose and owner
- Service accounts are often forgotten and become easy targets for attackers
- Remove service accounts that are no longer needed
- Use managed service accounts (gMSA) in Active Directory where possible
- Rotate service account passwords automatically on a 90-day schedule
- Never use domain admin credentials for service accounts
- Monitor service account login patterns and alert on anomalies
Warning: Service accounts with static passwords that never expire are one of the most common attack vectors in business networks. Audit them immediately.
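One way to run the audit described above in Active Directory, as an added example that is not part of the original guide. It assumes the RSAT ActiveDirectory module, that service accounts are user objects with a servicePrincipalName, that purpose is recorded in the Description attribute, and a 180-day "unused" threshold chosen for illustration.

```powershell
# Added example: report AD service accounts that break the rules in this guide.
# Assumptions (not from the guide): service accounts = user objects with an SPN;
# purpose is documented in Description; 180 days without logon means "unused".
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90     # rotation schedule stated in the guide
$StaleLogonDays     = 180    # assumed threshold for "no longer needed"
$now = Get-Date

# Recursive Domain Admins membership, to catch service accounts holding domain admin rights.
# The group name is the English default; adjust on localised domains.
$domainAdminDns = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty distinguishedName

$props = 'ServicePrincipalName', 'PasswordNeverExpires', 'PasswordLastSet',
         'LastLogonDate', 'Description'

$report = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |   # built-in account, handled separately
    ForEach-Object {
        # PasswordLastSet is empty when the password has never been set
        $ageDays = if ($_.PasswordLastSet) {
            [int](($now - $_.PasswordLastSet).TotalDays)
        } else { $null }

        $findings = @()
        if ($_.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) {
            $findings += 'PasswordOlderThan90Days'
        }
        # LastLogonDate comes from lastLogonTimestamp, which can lag by up to about 14 days
        if (-not $_.LastLogonDate -or
            ($now - $_.LastLogonDate).TotalDays -gt $StaleLogonDays) {
            $findings += 'NoRecentLogon'
        }
        if ($domainAdminDns -contains $_.DistinguishedName) { $findings += 'DomainAdmin' }
        if ([string]::IsNullOrWhiteSpace($_.Description)) { $findings += 'NoDocumentedPurpose' }

        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordAgeDays = $ageDays
            LastLogon       = $_.LastLogonDate
            Findings        = $findings -join ', '
        }
    }

# Show only accounts with at least one finding, oldest passwords first
$report | Where-Object Findings |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Group managed service accounts (gMSA) are a separate object class and are not returned by `Get-ADUser`, so accounts already migrated to gMSA drop out of this report.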
5. Emergency Access Procedures
- Define break-glass procedures for emergency admin access
- Store emergency credentials in a sealed, physically secure location
- Require two-person authorisation for emergency access
- Log all use of emergency credentials and review within 24 hours
- Test emergency access procedures quarterly to ensure they work
- Immediately rotate emergency credentials after any use
- Document the business justification for every emergency access event