Privileged Access Management

A privileged account is an account, which - if compromised would allow an attacker to damage or disrupt a University service, change, delete or manipulate data or otherwise cause material damage to the reputation or running of the University through costly downtime and recovery actions.
Privilege accounts need to be managed more carefully than ‘normal’ user accounts.

Privileged accounts (local or domain admin, service accounts, root accounts etc.) are required for legitimate operational purposes as they are used to manage University IT services, systems and data. However, they are also prime targets for attackers as they have higher levels of permissions that will help the attackers carry out their malicious activities.

Privilege Account Controls.

Privilege accounts need to be managed more carefully than ‘normal’ user accounts. The following controls should be used wherever practicable:

1. Separation of duties a. Privileged accounts must only be used for specific tasks that require elevated permissions. Routine administration tasks, such as checking emails or browsing the internet, should not be done with such accounts. b. If separate accounts for privileges and personal use exist, tasks must be effectively separated between the two.

2. Password management a. Default passwords must be changed to strong, hard to guess passwords. b. Unlike ‘normal’ user passwords, privilege account passwords should be changed regularly.

3. A password manager such as LastPass should be used to store these passwords. LastPass has a feature that will generate random, strong passwords and can check if user selected passwords are ‘strong’.

4. Proper processes for groups a. If a group of people or team need to use the same privileged account, the account username should not be the default username, and password rules should follow the same guidance as detailed in point 2. b. Passwords should not be shared via email or in a Teams message. Instead, create a shared folder on LastPass and keep it secure.

5. Use the least privilege principle. Accounts should have the lowest level of privileges and/or permissions required to do their job.

6. Set appropriate expiration dates a. Set up regular reviews of privileged accounts and disable accounts that are no longer needed e.g., if a user has changed roles and no longer needs a privileged account with a previous team. b. Set expiration dates for privileged accounts for third parties.

7. Enable Multi-factor Authentication (MFA) on privileged accounts wherever possible.


Related Links

LastPass Basics

LastPass Common Questions

Sharing with LastPass