Privileged Identity Management
It is not uncommon to find large numbers of user accounts in groups like Domain Admins or other “super user” type groups. It is also not surprising to find users who left the organization still being members of security groups that let them do nearly everything. Windows Server 2016’s Active Directory lets us time-restrict group membership, and we can do the same in AAD with PIM.
Domain admins, SQL DBAs and network administrators are the ultimate prize for hackers. Being a member of any of these groups increases your exposure to attack. It must be every organization’s goal to have zero permanent admins.
How can we accomplish this?
Your admins are identified as “eligible” for a role, not “permanently” assigned to it. When an admin wants access to a role they:
· Apply for the elevation for a period of, for example, 2 hours
· We ask them to use MFA
· We ask them for a ticket ID
· We ask them for justification for access (what work will be done)
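The activation flow described above, as an added PowerShell example (not from the original post) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed; the role name, justification and ticket values are placeholders, and the MFA prompt comes from the role’s PIM settings rather than from this script.

```powershell
# Added example: an eligible admin self-activates a PIM role for 2 hours with a ticket ID and justification.
# Assumed modules: Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users (not part of the original post).
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory","RoleEligibilitySchedule.Read.Directory","User.Read"

# Resolve the signed-in admin's object id and the role being requested (role name is a placeholder).
$principalId = (Get-MgUser -UserId (Get-MgContext).Account).Id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Refuse early if the admin is not eligible: PIM only lets "eligible" members activate.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "Not eligible for $($role.DisplayName); ask for an eligible assignment instead." }

# Activation request: time-boxed (PT2H = 2 hours), with ticket and justification as the post requires.
$params = @{
    action           = "selfActivate"
    principalId      = $principalId
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Rotate the payroll app service account password"   # what work will be done
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "AfterDuration"; duration = "PT2H" }      # elevation expires on its own
    }
    ticketInfo       = @{ ticketNumber = "CHG0000000"; ticketSystem = "ServiceNow" }  # placeholder ticket
}

# If the role settings require MFA, the activation is blocked until the MFA challenge has been satisfied.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
"Request $($request.Id) for $($role.DisplayName): status = $($request.Status)"
```

Auditors can later correlate the ticket number and justification stored on the request with the PIM activation entries in the directory audit log.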