In this blog, I want to talk about Multi-Factor Authentication (MFA). Before you hang up the phone because MFA has been discussed ad nauseam, have you read about it in the context of “alternate admin” or “dash-a” accounts?
What’s the Problem We’re Trying to Solve?
In a nutshell: finding ways to mitigate the risk of data breaches that leverage compromised privileged credentials.
The Alternate Admin Account Approach
We talk to many organizations that continue to leverage substantial financial and personnel investments in Active Directory. Even as cloud transformation projects take center stage, Active Directory plays a significant role in the resulting hybrid IT infrastructure.
As customers of Centrify Privileged Access Management (PAM), they drive yet more value out of Active Directory by using it to manage access and privilege across all their estates centrally – Windows, Linux, and UNIX – and to broker Active Directory identities to new cloud-based instances not located within their traditional network boundary. The latter is often driven by Zero Trust and zero standing privilege requirements.
A prevalent practice for mitigating the risk of a data breach in Active Directory infrastructures is the use of “alternate admin” or “dash-a” accounts. Introduced by Microsoft in their Enhanced Security Admin Environment (ESAE) architecture, it remains widely used. Essentially, this approach gives admins two Active Directory accounts: one for everyday activity, the other for privileged activity. The goal is to ensure the latter is hard to compromise.
The driver for this is clear. Of the various account types used in an organization, privileged administrator accounts with unfettered rights expose us to the most significant risk and are highly prized by bad actors.
How Alternate Accounts Help
To help mitigate the risk, we want to obfuscate the identities, reduce their exposure, and add more security controls for protection.
This is easier to achieve with a secondary user account dedicated to privileged activity. Thus, we give admins the usual enterprise identity for their everyday end-user tasks such as responding to emails, web surfing, or running desktop apps such as Word and PowerPoint. If this identity is compromised, the blast radius is contained, preventing elevation and lateral movement.
We reserve the other account(s) exclusively for privileged tasks, such as a database (DB) admin logging into a specific DB server and only running DB tools.
Let’s break that down a little more using the fake email addresses firstname.lastname@example.org and email@example.com as our example.
- Obfuscate: Although we call these “dash-a” accounts, there’s little value in using firstname.lastname@example.org since it’s easy for a bad actor to guess. We need high entropy, so we obfuscate the dash-a account ID. In our example, email@example.com.
- Reduce exposure: A big issue with user identities is public exposure. They’re on business cards, in LinkedIn, on social network postings, etc. The alternate admin account is distinct and never used outside the organization. This, along with obfuscation, makes it much harder for a bad actor to predict, discover, and compromise.
- Add more protection: Vault and strictly control access using role-based access controls, MFA, and just-in-time access request workflows. The admin never needs to know alternate admin account passwords. Password checkout (where the password is revealed) should be disabled. The vault handles admin login to servers using alternate admin accounts, injecting the vaulted password so it’s never exposed, and rotating it after each session. In addition, this reinforces “clean source” security principles (e.g., NIST 800-53 IA-4, CIS Controls v8 5.4) whereby privileged access should only be granted to non-public identities.
PAM Support for Alternate Accounts and MFA
Alternate accounts are cool. ThycoticCentrify embraces them. We’re the only PAM vendor with capabilities for:
- Automatically discovering alternate accounts in Active Directory
- Automatically associating them with their corresponding primary admin identity
- One-click single sign-on (SSO) to servers using the alternate admin account (if present)
- Privilege elevation on Windows, Linux, and UNIX using an alternate admin account
- AD Group Policies for Windows re-authentication and application elevation grace periods
It’s typical for alternate accounts to be created with unfettered rights out of the gate. That flies in the face of best practices such as zero standing privileges.
However, with a least privilege approach, Centrify PAM can assign minimum rights to alternate accounts, with the ability to elevate privilege just-in-time and with those rights automatically revoked once the task is complete. So even if a bad actor manages to compromise such accounts, their default state prevents them from being used to progress a data breach.
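The obfuscation, exposure and zero-standing-privilege points above can be audited directly in Active Directory. The script below is an added example written for this post, not ThycoticCentrify code and not the product’s discovery mechanism; it assumes a hypothetical convention in which alternate accounts keep a “-a” suffix on an obfuscated base name and record their primary identity in extensionAttribute1.

```powershell
# Added audit example (not Centrify/ThycoticCentrify code). Assumptions (hypothetical):
#  - alternate admin accounts end in "-a" in sAMAccountName, with only the base name obfuscated;
#  - the link to the primary identity is stored in extensionAttribute1.
Import-Module ActiveDirectory

# Direct membership in these groups means standing privilege; under zero standing privilege the
# alternate account should not sit here by default (elevation is granted just-in-time instead).
$StandingPrivilegeGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$Findings = foreach ($Alt in Get-ADUser -Filter 'sAMAccountName -like "*-a"' `
        -Properties mail, proxyAddresses, extensionAttribute1, memberOf) {

    $Issues = [System.Collections.Generic.List[string]]::new()
    $Base   = $Alt.SamAccountName -replace '-a$', ''

    # Obfuscate: if stripping "-a" yields a real user, the dash-a name is trivially guessable.
    if (Get-ADUser -Filter "sAMAccountName -eq '$Base'" -ErrorAction SilentlyContinue) {
        $Issues.Add('name is predictable from a primary account')
    }

    # Reduce exposure: an alternate account should carry no mailbox or public addresses.
    if ($Alt.mail -or $Alt.proxyAddresses) { $Issues.Add('has mail/proxy addresses') }

    # Association: every alternate account must map to an existing primary identity.
    $Primary = $null
    if ($Alt.extensionAttribute1) {
        $Primary = Get-ADUser -Filter "sAMAccountName -eq '$($Alt.extensionAttribute1)'" `
            -ErrorAction SilentlyContinue
    }
    if (-not $Primary) { $Issues.Add('no linked primary identity') }

    # Zero standing privilege: flag direct membership in high-privilege groups
    # (memberOf lists direct memberships only; nested membership is not resolved here).
    $Groups   = @($Alt.memberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $Standing = $Groups | Where-Object { $StandingPrivilegeGroups -contains $_ }
    if ($Standing) { $Issues.Add("standing privilege: $($Standing -join ', ')") }

    [pscustomobject]@{
        Account = $Alt.SamAccountName
        Primary = if ($Primary) { $Primary.SamAccountName } else { '' }
        Issues  = $Issues -join '; '
    }
}

# Only accounts with at least one finding are listed.
$Findings | Where-Object Issues | Format-Table -AutoSize
```

Run it with read-only directory rights from an administrative workstation; an empty table means every dash-a account passed all four checks.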
Our Latest MFA Capability
In our most recent product release, our unique handling and treatment of alternate accounts takes another leap forward. Administrators avoid the overhead of managing separate MFA second factor configurations for their various alternate accounts and keeping them aligned. Instead, they configure them once – for their primary user account. Any MFA policy that triggers for an alternate account will defer to the second factors defined on the primary account.
Quick, simple, and unified, delivering centralized MFA policy management and enforcement across all accounts. In this way, you can better structure and layer more effective forms of identity assurance to access more critical resources, thus further minimizing your risk of a data breach.
Stronger access controls, and a better user experience.
Visit our website to learn more about our PAM offerings to help get you on a path using alternate admin accounts and MFA everywhere.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.