generic AD accounts and security best practices.

We have an internal application, only accessible via our private network, that from time to time the local police authority require access to for safeguarding issues/investigations, etc., which they are entitled to access. Due to the size of the police force, and the number of officers who could request access, setting them up with an AD account each isn't really practical. As well, the requests for access can be urgent, and the SLA with our helpdesk requires 48 hours minimum for a new AD account, so that isn't always going to be practical either. The workaround was to create a generic AD account for them and disable it when not in use.

From a security/auditing perspective, our plan was to keep a separate audit log of when the generic AD account logged in, which police officer used it, times of login/logout, and records they requested access to. Can you think of anything else from an AD perspective we would need to do to ensure the login is restricted to only allow them to access this application? Or anything else you would add to the audit logs/process? Obviously the AD account would need to be very limited; anything in particular that you'd suggest around the account itself from a security best practice?
btan (Exec Consultant) commented:
In fact, the audit trail should be no different from the user account mgmt audit trails. Specifically for your use case, besides those audit trails suggested to be enabled (reference the CIS benchmark for hardening Windows systems), you can add granular audit under "Advanced Audit Policy Configuration" and others - see this reference on the list of settings #
Some salient ones for consideration include:
...for Policy Change
Audit MPSSVC Rule-Level Policy Change: The Microsoft Protection Service setting determines whether the OS generates audit events when changes are applied to policy rules for this service (used by the Windows Firewall). Activities tracked include policies active when the Windows Firewall service starts, changes to Windows Firewall rules, exception list, and settings, rules ignored or not applied and changes to Windows Firewall Group Policy settings.

...for Privilege Use
Audit Sensitive Privilege Use: Determines whether the OS generates audit events when sensitive privileges are used. Some examples include: Act as part of the OS, Back up files and directories, Create a token object and Debug programs

...for System
Audit System Integrity: Determines whether the OS generates audit events when the integrity of the security subsystem may have been violated, including the following events: audited events lost owing to a failure of the auditing system; a process uses an invalid local procedure call to impersonate a client, reply to a client address space, or read from or write to a client address space, an RPC integrity violation is detected, a code violation with an invalid hash for an executable file is detected or when cryptographic tasks are performed.

...for Global object access
File System: Enables administrators to configure a global SACL on the file system for an entire computer. If both a file and folder SACL are defined, the effective SACL may be determined by combining the file or folder SACL and the global SACL, where an audit event is generated if an activity matches any of the file, folder or global SACL.
Registry: Enables administrators to configure a global SACL on the registry for a computer, where selecting the Configure security checkbox lets admins add a user or a group to the global SACL. Must be used in tandem with the Registry security policy setting under Object Access.
You should also look for any other remote access to the host machine authorised for the 3rd party entities - it should not differ. Some may even have a "keylogger" installed on those host machines to access remotely.

For holistic oversight of privileged account or 3rd party account access & rights granted over time or during ad hoc request periods, it is suggested to have a centralised oversight system such as a "jumphost" to enforce such privileged identity management. For example, in this use case, the Police entities will be given an account and provisioned on demand to access the application system. Specifically, there are already such PIMS, e.g. Suite includes On-Demand Privileges Manager, which records detailed command-level activity performed so that you can better track those session activities for security auditing and forensic purposes, if required. Check out the latest report by the research company:

Beyond multifactor authentication (MFA) and security assertion markup language (SAML) compatibility, a PIM solution needs to be able to do four things: 1) provide its own, web-based channel for access; 2) provide its own, tamperproof password safe (credential storage); 3) spawn, monitor, and intercept privileged Windows and Linux sessions (privileged session monitoring, or PSM); and 4) control privilege escalation on the endpoint (such as sudo replacement and revoking administrative rights on Windows from end users).
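The account restrictions and audit settings discussed in this answer, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, that the application is only reached from the named hosts, and that the account, host and group names are placeholders.

```powershell
# Added example (not from the thread): locking down a shared "generic" AD
# account to one application, enabling the audit subcategories mentioned
# above, and exporting its logons for the separate access register.
Import-Module ActiveDirectory

$Account      = 'svc-police-app'          # placeholder account name
$AllowedHosts = 'APP-JUMP01,APP-JUMP02'   # placeholder hosts the app is used from
$AppGroup     = 'APP-Police-ReadOnly'     # placeholder group granting app access only

# 1. Restrict the account: named workstations only, no delegation, and an
#    expiry that must be renewed for each request rather than left open.
Set-ADUser -Identity $Account `
    -LogonWorkstations $AllowedHosts `
    -AccountNotDelegated $true `
    -CannotChangePassword $true `
    -Description 'Shared police access - see access register'
Set-ADAccountExpiration -Identity $Account -DateTime (Get-Date).AddHours(8)

# 2. Group membership: only the application's own group (Domain Users is the
#    primary group and cannot be removed, so it is skipped).
Get-ADPrincipalGroupMembership -Identity $Account |
    Where-Object { $_.Name -notin @('Domain Users', $AppGroup) } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Account -Confirm:$false }
Add-ADGroupMember -Identity $AppGroup -Members $Account

# 3. Advanced audit policy on the application host: logon/logoff plus the
#    subcategories called out in the answer.
foreach ($sub in 'Logon', 'Logoff', 'Sensitive Privilege Use', 'System Integrity') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 4. Collect the account's successful logons (event 4624) for the register,
#    reading the named EventData fields from the event XML.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
        StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $Account) {
            [pscustomobject]@{ Time = $_.TimeCreated; Workstation = $d.WorkstationName
                               SourceIP = $d.IpAddress; LogonType = $d.LogonType }
        }
    }
$logons | Export-Csv -Path "C:\Audit\$Account-logons.csv" -NoTypeInformation

# 5. Disable the account again once the request is closed.
Disable-ADAccount -Identity $Account
```

Any row in the exported CSV whose time or workstation does not match an entry in the manual register (officer, request, window) is the discrepancy the audit process should flag.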
btan (Exec Consultant) commented:
The proposed audit coverage is included as part of oversight, and, importantly, the use of privileged identity mgmt to centrally oversee 3rd party access administration is good security practice to deter and detect early signs of abuse by an administrator.