
Security Problem Over-Privileged Accounts Cheat Sheet (DRAFT) by [deleted]

This is a draft cheat sheet. It is a work in progress and is not finished yet.


During a persistent attack, intruders will gain access to various accounts. If they stumble upon a highly privileged account, they can suddenly take a giant leap forward and bypass everything we have done to slow them down and detect them. The worst case is when the account they get access to is one that should never have had that amount of authority in the first place: an over-privileged account.

Such accounts turn up in security assessments far too often. It is difficult to stop this violation entirely, but we need controls in place that prevent accounts from becoming over-privileged, or at least notice when they do. Here are 8 ways over-privileged accounts commonly arise, with corresponding techniques for preventing them and, where possible, tips for detecting them with the Windows Security Log.

Causes of Over Privileged Accounts

1. Granting inappropriate logon session type rights
2. Re-use of accounts
3. Lack of designated ownership for non-human accounts
4. Unreviewed job changes
5. Direct entitlements: failure to use groups
6. Out of control nested groups
7. Temporary emergency entitlements that never get removed
8. Lack of data or application owner involvement
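The cheat sheet promises Security Log detection tips but, being a draft, does not show any. The following is an added example, not code from the cheat sheet or its author, that covers three of the causes above: it expands nested groups with loop protection (cause 6), flags users placed directly in a privileged group instead of through a role group (cause 5), and checks Security Log events 4672 (special privileges assigned to new logon) and 4624 (logon, with its LogonType field) for privileged logons by non-approved accounts and for service accounts holding interactive sessions (cause 1). The group names, account names, event records, and the rule that "approved admins are whoever reaches the group through a role group" are all constructed assumptions for the example; the event property indexes are those of the real 4672 and 4624 events.

```powershell
# Added example, not part of the cheat sheet. All group names, account names
# and event records below are constructed sample data. Against a real domain,
# build $Membership from Get-ADGroupMember output and $Events from:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4672}

# Constructed membership map: group -> direct members. A member that is itself
# a key of the map is a group; anything else is treated as a user account.
$Membership = @{
    'Domain Admins'     = @('Role-DomainAdmins', 'alice', 'svc-backup')
    'Role-DomainAdmins' = @('bob', 'Tier0-Ops')
    'Tier0-Ops'         = @('carol', 'Role-DomainAdmins')   # nesting loop back to parent
}

function Get-EffectiveMembers {
    # Depth-first expansion of nested groups; $Seen stops loops and repeats (cause 6).
    param(
        [string]$Group,
        [hashtable]$Map,
        [string[]]$Path = @(),
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Seen.Add($Group)) { return }   # already expanded: cycle or diamond
    foreach ($m in $Map[$Group]) {
        if ($Map.ContainsKey($m)) {
            Get-EffectiveMembers -Group $m -Map $Map -Path ($Path + $Group) -Seen $Seen
        } else {
            [pscustomobject]@{
                Member = $m
                Via    = ($Path + $Group) -join ' > '
                Depth  = $Path.Count       # 0 = placed directly in the top group
            }
        }
    }
}

$Effective = Get-EffectiveMembers -Group 'Domain Admins' -Map $Membership
$Effective | Format-Table -AutoSize

# Cause 5: direct entitlements bypass the role group that owners review.
$DirectOnly = $Effective | Where-Object Depth -eq 0
"Directly entitled to Domain Admins: $($DirectOnly.Member -join ', ')"

# Constructed records shaped like Get-WinEvent output (.Id plus .Properties[n].Value),
# so Find-PrivilegedLogonIssues works unchanged on real EventLogRecord objects.
function New-SampleEvent([int]$Id, [string[]]$Values) {
    [pscustomobject]@{
        Id         = $Id
        Properties = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$Events = @(
    # 4672 Properties: 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName,
    #                  3 SubjectLogonId, 4 PrivilegeList
    New-SampleEvent 4672 @('S-1-5-21-1', 'alice',      'CORP', '0x2f9a1', 'SeDebugPrivilege SeBackupPrivilege')
    New-SampleEvent 4672 @('S-1-5-21-2', 'svc-backup', 'CORP', '0x4a1c3', 'SeBackupPrivilege')
    # 4624 Properties: 0-3 Subject*, 4 TargetUserSid, 5 TargetUserName,
    #                  6 TargetDomainName, 7 TargetLogonId, 8 LogonType
    New-SampleEvent 4624 @('S-1-0-0', '-', '-', '0x0', 'S-1-5-21-2', 'svc-backup', 'CORP', '0x4a1c3', '10')
    New-SampleEvent 4624 @('S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3', 'bob',        'CORP', '0x5b2d4', '2')
)

function Find-PrivilegedLogonIssues {
    param([object[]]$Events, [string[]]$ApprovedAdmins, [string[]]$ServiceAccounts)
    foreach ($e in $Events) {
        $p = $e.Properties
        switch ($e.Id) {
            4672 {
                # Special privileges assigned to a new logon. Real logs also show SYSTEM
                # and machine accounts (names ending in '$') here; skip those, then
                # report anyone not on the approved roster.
                $name = $p[1].Value
                if ($name -ne 'SYSTEM' -and $name -notlike '*$' -and $name -notin $ApprovedAdmins) {
                    [pscustomobject]@{ Account = $name; Issue = '4672 for non-approved account'; Detail = $p[4].Value }
                }
            }
            4624 {
                # Cause 1: a service account should only hold Service (5) or Batch (4)
                # sessions, never Interactive (2) or RemoteInteractive (10).
                $name = $p[5].Value
                if ($name -in $ServiceAccounts -and [int]$p[8].Value -in @(2, 10)) {
                    [pscustomobject]@{ Account = $name; Issue = 'service account interactive logon'; Detail = "LogonType $($p[8].Value)" }
                }
            }
        }
    }
}

# Assumed roster rule for the example: approved admins are those who reach the
# group through a role group; anyone else exercising the privileges is suspect.
$Approved = ($Effective | Where-Object Depth -gt 0).Member
Find-PrivilegedLogonIssues -Events $Events -ApprovedAdmins $Approved -ServiceAccounts @('svc-backup') |
    Format-Table -AutoSize
```

Run it in Windows PowerShell or pwsh; it needs no domain or log access as written. Two practical caveats when pointing it at real data: `Get-ADGroupMember -Recursive` flattens nesting and drops the path, so build the membership map from non-recursive calls per group if you want the `Via` column; and 4672 is emitted for every logon by an account holding sensitive privileges, so on a domain controller it is noisy until the SYSTEM and machine-account filter above is in place.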