Properly securing privileged accounts is a basic security tenet and often a priority for servers. Unfortunately, many organizations do not show the same level of concern for desktops. Yet desktops and laptops often contain as much sensitive information as servers, and have done so for many years.
Most desktops and laptops hold information that never makes it to servers yet is extremely sensitive and valuable. Think about what is on the laptops of the CEO, the HR director, the software architect, or the CFO in any given organization. If compromised, much of the information on these systems can create risks as serious as any data on an organization’s file or database server. Endpoint security too often focuses solely on the threat of malware and hackers, but ignores the simple threat of insecure privileged user accounts.
For Windows systems, privileged accounts are any accounts that are in the Administrators group. Often there is at least one account that is used by an organization’s IT helpdesk team to provide assistance. There is a dirty secret about this account: it has the same account name and password across the entire organization. Often this comes with:
- One password to all machines
- Limited password cycling
- No auditing of shared account usage
- Lack of compliance
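One way to check a desktop fleet for the pattern described above, as an added example that is not from Arellia or its whitepaper: it reads an inventory of local Administrators group members and flags account names that recur on most machines, along with how long ago their passwords were set. The CSV layout, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not real data): one row per member of the
# local Administrators group on each desktop. Column names are assumptions.
INVENTORY = """host,account,password_last_set
PC-001,helpdesk,2019-03-01
PC-002,helpdesk,2019-03-01
PC-003,helpdesk,2019-03-01
PC-004,helpdesk,2019-03-01
PC-001,Administrator,2024-01-10
PC-003,Administrator,2024-01-15
PC-002,jsmith,2024-02-02
"""

def find_shared_admins(inventory_csv, today, max_age_days=90, min_coverage=0.75):
    """Flag local admin account names that recur across most of the fleet."""
    hosts = set()
    by_account = defaultdict(dict)  # account name -> {host: password_last_set}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        hosts.add(row["host"])
        # Windows account names are case-insensitive, so normalise them.
        by_account[row["account"].lower()][row["host"]] = date.fromisoformat(
            row["password_last_set"])
    findings = []
    for account, per_host in sorted(by_account.items()):
        coverage = len(per_host) / len(hosts)
        if coverage < min_coverage:
            continue  # present on only a few machines: not a fleet-wide account
        max_age = max((today - set_on).days for set_on in per_host.values())
        findings.append({
            "account": account,
            "hosts": len(per_host),
            "coverage": coverage,
            # Heuristic only: one set date everywhere suggests the password
            # came from an image or a single push; it does not prove reuse.
            "same_set_date": len(set(per_host.values())) == 1,
            "max_password_age_days": max_age,
            "stale": max_age > max_age_days,
        })
    return findings

if __name__ == "__main__":
    for finding in find_shared_admins(INVENTORY, today=date(2024, 6, 1)):
        print(finding)
```
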
The answer to this issue is privileged account management for desktops. Organizations may already be addressing this for servers through configuration best practices or tools. With desktops, it can be a tricky proposition when remote service must be provided for hundreds or thousands of systems. Arellia’s whitepaper, Local Administrator Security: IT’s Dirty Little Secret, discusses the impact of the risk associated with having no privileged account management, why it is so common on desktops, and how to remediate the issue.
About Arellia: Arellia provides solutions for privilege management, application whitelisting, securing local administrator accounts, and compliance remediation. Arellia products are integrated with the Symantec Management Platform and sold through Symantec.