Why You Need to Audit Privileged Access in Active Directory

Abhishek Rai by   11.17.2017   Data Security

If you’re not tracking permissions and the access your privileged users have to servers and data, you could be in danger of being taken advantage of.

A recent report, published in Data Breach Digest by Verizon Enterprise, suggests that nearly 22% of organizations in Administrative support, 23% in Healthcare and Social Assistance and 22% in Public Administration faced data breaches resulting from insider threats and privilege misuse this year.

Now it is true that, for some tasks, employees may need extra privileges granted to them…but do you always remember to roll them back after the task is complete? An employee is unlikely to tell you when they no longer need that privileged access, it’s up to you to keep a close watch.

Why should you be concerned about excessive privileges?

Two words – insider threats. As we now know, the risks associated with insiders abusing their privileges to leak or misuse sensitive corporate data are severe. You should be concerned because, right at this moment, it’s incredibly likely that there are users inside your critical systems, with access to your sensitive data, and if they feel like it they could cripple your business. How would you know if these people, who essentially have the keys to your kingdom, start copying, moving or modifying files and folders? Usually you won’t find out until the results of a data breach begin to manifest themselves.

Why does privileged user abuse happen?

It can happen for a number of reasons, including disgruntled employees taking advantage of relaxed privileged user monitoring. Therefore, it’s incredibly important that all employees should only have the privileges they need to keep organizational data safe.

Even if you completely trust your employees, you never really know which what someone is capable of. So, don’t give them the chance! Trust isn’t a security strategy. Implement the policy of least privilege as soon as possible and constantly monitor your privileged users!

Employee Mistakes

By far the most common cause of privilege abuse is simply human error. The higher the levels of privilege the account holder has, the more potential damage they could accidentally inflict. That’s why we recommended that you shred user accounts of all extra privileges – giving them skeleton access to your systems and data.

For example, let’s imagine one of your users unintentionally clicks on a malicious code in a browser, or downloads a malicious file, and unintentionally executes malware. If the user has excessive privileges, the virus may get access to sensitive data and resources. However, if the user has normal privilege, then the executable file cannot install itself, as it requires administrative privileges. Without the executable file, the virus cannot be activated in the environment.

Credentials Theft

Your Active Directory is a priority target for external hackers as it is the backbone of your network. If an attacker got access a user account’s credentials, they could potentially steal a lot of valuable information. Imagine the damage that could be caused if an attacker got hold of a domain administrator’s credentials…they could essentially move throughout your systems at will, causing untold damage! You should really make sure that the password policies applied to domain administrators are strictly followed so that you don’t give these attackers a chance at all.

Ease of monitoring

By now, you know how important it is to monitor your privileged users. So, it stands to reason that the fewer privileged users you have, the easier your job is going to be. If you only have a handful of these privileged users, then it will be much easier to detect and take action when you spot the signs of privilege abuse through continuous monitoring.

What can you do to stop privileged abuse?

Identify, document and report on your current privileged accounts. Do it for both privileged groups as well as privileged users. Verify group membership and nested group memberships and check user-built groups to find out who has made them and for what purpose.

The principle of least privilege (POLP) ensures that a user only has the permissions they need to do their job. So, if a user changes their role within the business, the permissions they need have to be re-assessed. You should continuously monitor the activities of all privileged users and track permission changes to reduce the possibility of privilege abuse. A good Active Directory auditing solution, like LepideAuditor for Active Directory, can really help you track privilege user activities and permission changes.

I encourage you to download and take advantage of the 15-day free trial of LepideAuditor and see how it can help you improve your privileged user tracking.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.