Internal threats include not only malicious users but also those who might cause unintentional harm. Seemingly innocuous attempts to circumvent security measures by users who seek access to resources are but one example.
To secure administrative and critical accounts and their associated groups, it is necessary to know which accounts and groups meet that criterion.
As the introduction has established, managing the security of all account types in a network is very important to managing risk for a midsize business network. Internal and external threats must be taken into account, and the solution to these threats must balance the need for security with the functionality a midsize business demands from its network resources.
For example, according to the principle of least privilege, a person who has the role of domain administrator should use an account that has domain admin-level privileges only when performing tasks that require that level of access. Otherwise, when not performing tasks that require higher-level privileges, an administrator should use an account with standard access rights. Simply put, this principle states that all accounts should have the absolute minimum set of privileges necessary to complete the current tasks and nothing more.
This principle applies not only to users, but also to computers and the services that run on them.
All too often, users and services are granted access to greater privileges than necessary for reasons of convenience.
Although this approach guarantees users have access to the resources they need to do their jobs, it also increases the risk of a successful attack upon the network.
As explained in the previous section, unsecured administrator-level accounts and service accounts present significant risks to the security of a midsize business network.
Given the complexity of network environments and the rapid rates of growth that most business networks experience, it is fairly common to find account management practices that have significant vulnerabilities.
This document consists of four main sections that provide information about securing administrator and service accounts in a midsize business environment.