6.4.2. Privileged Account Management
💡 First Principle: Privileged accounts are the keys to the kingdom — a single compromised domain admin, root, or cloud administrator account can bypass every security control in the organization. Privileged access management exists to ensure these accounts are used only when needed, only by authorized individuals, only for authorized purposes, and with full accountability for every action taken.
Why privileged accounts are different:
| Property | Standard Account | Privileged Account |
|---|---|---|
| Blast radius | User's own data and applications | Entire domain, all systems, all data |
| Attack value | Low — limited lateral movement | Critical — immediate full compromise |
| Monitoring need | Standard audit logging | Full session recording, command-level audit |
| Access model | Standing (always available) | Just-in-time (granted per task, auto-revoked) |
PAM architecture components:
- Credential vaulting — privileged passwords stored in an encrypted vault, never known to administrators. The vault issues credentials for each session and rotates them after use. No human memorizes or retains the password.
- Just-in-time (JIT) access — privileges are granted only for the duration of an approved task. An administrator requests "4 hours of database admin access for patching," the PAM system grants it, and access auto-revokes when the window expires. Between approved windows, the privileged account effectively does not exist as a target.
- Session recording — every keystroke, command, and screen interaction during a privileged session is recorded for forensic review. This deters abuse and provides evidence for investigations.
- Privileged access workstations (PAWs) — dedicated hardened workstations used exclusively for administrative tasks. Domain admin credentials are never used from general-purpose workstations that also browse the web and check email.
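The four components above fit together as one workflow: the vault owns the secret, an administrator checks out a time-boxed session under their own identity, every command is recorded against that identity, and the password is rotated when the session ends or expires. The following Python model, added here as a teaching example and not taken from any PAM product, walks through that workflow end to end. The `Vault` and `Session` classes, the account `svc-dbadmin`, the administrators and the timestamps are all constructed for illustration.

```python
"""Model of a PAM credential vault with just-in-time checkout, per-administrator
attribution, automatic expiry and post-use rotation.

Added teaching example for this section; it is not code from any PAM product.
Class names, account names and timestamps are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    session_id: str
    account: str           # privileged account checked out
    requester: str         # the individual admin, never a shared identity
    purpose: str           # approved task, e.g. "patching"
    expires_at: datetime   # JIT window end; access auto-revokes here
    commands: list = field(default_factory=list)   # session recording


@dataclass
class Vault:
    """Holds privileged passwords; administrators never see them directly."""
    passwords: dict = field(default_factory=dict)   # account -> current secret
    active: dict = field(default_factory=dict)      # session_id -> Session
    audit_log: list = field(default_factory=list)   # (time, event, who, account, detail)
    max_window: timedelta = timedelta(hours=4)      # policy ceiling per request

    def _rotate(self, account):
        self.passwords[account] = secrets.token_urlsafe(24)

    def enroll(self, account):
        """Bring an account under management: the vault sets a password nobody knows."""
        self._rotate(account)

    def checkout(self, account, requester, purpose, hours, now):
        """JIT grant: returns a session handle bound to one named requester and an
        expiry. The raw password is injected by the PAM proxy, never shown to a human."""
        if account not in self.passwords:
            raise KeyError(f"unmanaged privileged account: {account}")
        window = timedelta(hours=hours)
        if window > self.max_window:
            raise ValueError("requested window exceeds policy maximum")
        sid = secrets.token_hex(8)
        self.active[sid] = Session(sid, account, requester, purpose, now + window)
        self.audit_log.append((now, "CHECKOUT", requester, account, purpose))
        return sid

    def run(self, session_id, command, now):
        """Execute a command inside a session; refuses once the window has expired."""
        sess = self.active.get(session_id)
        if sess is None:
            raise PermissionError("no active session for this handle")
        if now >= sess.expires_at:
            self.checkin(session_id, now, reason="EXPIRED")   # auto-revoke
            raise PermissionError("JIT window expired; access revoked")
        sess.commands.append((now, command))
        self.audit_log.append((now, "CMD", sess.requester, sess.account, command))

    def checkin(self, session_id, now, reason="CHECKIN"):
        """End a session and rotate the password so the issued secret is useless."""
        sess = self.active.pop(session_id)
        self._rotate(sess.account)
        self.audit_log.append((now, reason, sess.requester, sess.account, len(sess.commands)))
        return sess

    def who_ran(self, command):
        """Attribution: every recorded command maps to a single named individual."""
        return [e[2] for e in self.audit_log if e[1] == "CMD" and e[4] == command]


def demo():
    """Walk through a normal checkout and an expired one; returns facts to check."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    v = Vault()
    v.enroll("svc-dbadmin")
    secret_before = v.passwords["svc-dbadmin"]

    # Alice gets 4 hours of database admin access for patching and checks in early.
    sid = v.checkout("svc-dbadmin", "alice", "patching", hours=4, now=t0)
    v.run(sid, "apply-patch", now=t0 + timedelta(minutes=30))
    v.checkin(sid, now=t0 + timedelta(hours=1))
    secret_after = v.passwords["svc-dbadmin"]

    # Bob gets 1 hour but tries to use the session two hours later.
    sid2 = v.checkout("svc-dbadmin", "bob", "index rebuild", hours=1, now=t0)
    try:
        v.run(sid2, "rebuild-index", now=t0 + timedelta(hours=2))
        expired = False
    except PermissionError:
        expired = True

    return {
        "rotated_after_checkin": secret_before != secret_after,
        "apply_patch_attributed_to": v.who_ran("apply-patch"),
        "expired_session_revoked": expired and sid2 not in v.active,
        "audit_events": [e[1] for e in v.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry the section's argument. First, `checkin` rotates the password unconditionally, so a secret captured during a session (from memory, a log, or a configuration file) stops working the moment the session ends; a hardcoded, never-rotated password has no equivalent in this model. Second, the audit log never records the shared account alone: `who_ran` resolves any command to the individual who checked the session out, which is what restores accountability when several administrators use the same privileged account.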
Tiered Active Directory administration (Tier 0/1/2):
| Tier | Scope (systems controlled) | Examples | Key Rule |
|---|---|---|---|
| Tier 0 | Domain controllers, AD infrastructure | DC admin, KRBTGT, AD schema | Tier 0 credentials NEVER touch Tier 1 or 2 systems |
| Tier 1 | Member servers, applications | Server admin, database admin | Tier 1 credentials never touch Tier 0 or Tier 2 |
| Tier 2 | Workstations, user devices | Helpdesk, workstation admin | Tier 2 credentials never touch Tier 0 or 1 |
The tiered model prevents a compromised workstation from yielding credentials that can reach domain controllers. Each tier is an isolation boundary — credentials used at one tier cannot authenticate to another.
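The key rule in the table is mechanically checkable: each logon pairs a credential with a host, and both belong to a known tier, so any mismatch is a boundary crossing. The following Python detection example is added here for this section and is not from any product or Microsoft tooling; the `ACCOUNT_TIER` and `HOST_TIER` maps and the logon records are constructed, and a real deployment would derive tiers from AD group and OU membership rather than a hand-written dictionary.

```python
"""Tier-boundary check over privileged logon events.

Added example for this section, not from any product or Microsoft tooling.
Tier maps and log lines are constructed for illustration.
"""

# Constructed tier assignments: the tier a credential belongs to, and the tier
# a host sits in. Tier 0 is the most privileged.
ACCOUNT_TIER = {"da-alice": 0, "svc-sql": 1, "srvadm-bob": 1, "hd-carol": 2}
HOST_TIER = {"DC01": 0, "SQL01": 1, "APP02": 1, "WS-0042": 2, "WS-0107": 2}

# Constructed logon records in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-01-01T09:02:11Z event=logon user=da-alice host=DC01 result=success
2024-01-01T09:05:47Z event=logon user=hd-carol host=WS-0042 result=success
2024-01-01T09:12:03Z event=logon user=da-alice host=WS-0107 result=success
2024-01-01T09:14:30Z event=logon user=srvadm-bob host=SQL01 result=success
2024-01-01T09:20:18Z event=logon user=svc-sql host=DC01 result=failure
2024-01-01T09:25:00Z event=logon user=hd-carol host=APP02 result=success
"""


def parse_line(line):
    """Turn one record into a dict; the leading timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def crosses_tier(cred_tier, host_tier):
    """Key rule from the tier table: a tier-N credential may only authenticate
    to tier-N systems. Any mismatch is a boundary crossing."""
    return cred_tier != host_tier


def severity(cred_tier, host_tier):
    """A more privileged credential used on a less privileged host is the worst
    case: that host can harvest a credential which reaches the higher tier.
    The reverse direction is a lower tier reaching upward."""
    return "credential-exposure" if cred_tier < host_tier else "privilege-reach"


def find_violations(log_text):
    """Return (ts, user, host, cred_tier, host_tier, severity) for every logon
    that crosses a tier boundary. Failed logons are included on purpose: a
    Tier 1 service account attempting a DC logon is worth seeing even if it
    was refused."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "logon":
            continue
        cred_tier = ACCOUNT_TIER.get(rec["user"])
        host_tier = HOST_TIER.get(rec["host"])
        if cred_tier is None or host_tier is None:
            continue   # unknown principal or host: an inventory gap, alert separately
        if crosses_tier(cred_tier, host_tier):
            hits.append((rec["ts"], rec["user"], rec["host"], cred_tier, host_tier,
                         severity(cred_tier, host_tier)))
    return hits


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print(hit)
```

On the constructed log this flags three events: the Tier 0 account `da-alice` logging on to the Tier 2 workstation `WS-0107` (the exposure case the section warns about), and two upward crossings, `svc-sql` on `DC01` and `hd-carol` on `APP02`. Logons that stay inside their tier, such as `da-alice` on `DC01`, produce nothing. Unknown principals or hosts are skipped rather than guessed at, because an incomplete tier inventory is itself a finding and should not silently pass as compliant.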
⚠️ Exam Trap: Shared privileged accounts (multiple admins using the same root or admin password) eliminate individual accountability. If three administrators share a domain admin password and unauthorized changes are made, forensic investigation cannot attribute the action to a specific individual. PAM with individual checkout and session recording solves this — each administrator checks out a unique session, and all actions are recorded under their identity.
Reflection Question: A post-breach investigation reveals the attacker used a service account password that was hardcoded in a configuration file five years ago, never rotated, and known to three former employees. Describe the PAM controls that would have prevented this attack vector and explain why credential vaulting with automatic rotation addresses the root cause.