Solved

Jump box to restrict Privileged Accounts in AD

Posted on 2016-11-07
Last Modified: 2016-11-11
Does anyone use a jump box to restrict access to privileged administrator accounts in AD? If not, do you utilize a third-party identity management solution?
Question by:Robert Rosenthal
4 Comments
 
LVL 61

Expert Comment

by:btan
Yes, it is used to create a centralised one-stop to aggregate remote administration access, and also to avoid direct console access and form a sort of digital CCTV footprint to record actions taken. An identity access management system is also required, as the jumphost will have its main account in sync with the IAMS. For the jumphost, it can host a password vault. The 2FA support of the jumphost is a value add, as all remote administration is mandated to have it.
0
 
LVL 53

Expert Comment

by:McKnife
Robert, could you describe what you mean by jump box? What is the scenario you are talking about and what should the measure protect exactly?
0
 
LVL 38

Accepted Solution

by:Rich Rumble (earned 500 total points)
You can look at 3rd parties like Thycotic and CyberArk, even Centrify as well.

You should not have anyone using THE domain-admin account; users that need domain admin (or any higher-priv acct) should have secondary accounts that are used in those cases.
username_x is the normal domain account
username_x-da (or whatever your org uses, some use sa or ds etc) is the higher priv account.
You should probably prevent interactive login with the higher priv accounts.

Have a look at this video to help with even more details and concepts around jump-boxes. You should have network ACLs and other firewall rules associated with these hosts as well: http://www.irongeek.com/i.php?page=videos/derbycon6/207-deploying-paws-as-part-of-a-strategy-to-limit-credential-theft-and-lateral-movement-bill-v
-rich
0
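As an added example (not code from this thread, and not any vendor's product), here is a small Python check that applies the rule in the accepted answer, that higher-priv secondary accounts should not log on interactively outside the jump box, to a handful of constructed Windows 4624 logon events. The `-da` suffix, the jump-host names, the key=value export format and the "interactive only on a jump host, network only from a jump host" policy are assumptions.

```python
import re
from typing import Dict, List

# Policy assumptions for this example (not from the thread): privileged accounts
# follow the "<user>-da" convention from the answer, and they may log on
# interactively only ON a jump host, or over the network only FROM a jump host.
PRIV_SUFFIX = "-da"
JUMP_HOSTS = {"JUMP01", "JUMP02"}        # hypothetical jump-box names
INTERACTIVE_TYPES = {"2", "10", "11"}    # console, RemoteInteractive (RDP), cached
NETWORK_TYPES = {"3"}

# Constructed sample 4624/4625 events as key=value lines; Computer is the host
# that recorded the event, WorkstationName the client/source machine.
SAMPLE_EVENTS = """\
EventID=4624 Computer=WS-ALICE TargetUserName=alice LogonType=2 WorkstationName=WS-ALICE
EventID=4624 Computer=JUMP01 TargetUserName=alice-da LogonType=10 WorkstationName=WS-ALICE
EventID=4624 Computer=FILESRV01 TargetUserName=alice-da LogonType=3 WorkstationName=JUMP01
EventID=4624 Computer=WS-ALICE TargetUserName=alice-da LogonType=2 WorkstationName=WS-ALICE
EventID=4624 Computer=FILESRV01 TargetUserName=bob-da LogonType=3 WorkstationName=WS-BOB
EventID=4625 Computer=WS-BOB TargetUserName=bob-da LogonType=10 WorkstationName=WS-BOB
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_privileged(user: str) -> bool:
    """Secondary admin accounts are recognised by the naming convention only."""
    return user.lower().endswith(PRIV_SUFFIX)

def find_violations(text: str) -> List[str]:
    """One finding per successful privileged logon that did not go via a jump host."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        user = ev.get("TargetUserName", "")
        if ev.get("EventID") != "4624" or not is_privileged(user):
            continue  # failed logons and ordinary accounts are out of scope here
        ltype = ev.get("LogonType", "?")
        target = ev.get("Computer", "?").upper()
        source = ev.get("WorkstationName", "?").upper()
        if ltype in INTERACTIVE_TYPES and target not in JUMP_HOSTS:
            findings.append(f"{user}: interactive logon (type {ltype}) on {target}")
        elif ltype in NETWORK_TYPES and source not in JUMP_HOSTS:
            findings.append(f"{user}: network logon to {target} from {source}")
    return findings
```

In a real deployment the same rule would be expressed as a Group Policy "Deny log on locally / through Remote Desktop Services" entry for the privileged accounts on everything except the jump box, with a query like this left as the detection for anything that slips past it.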
 
LVL 61

Expert Comment

by:btan
If you are having to have a dedicated jumphost appliance, mostly for compliance, Xceedium is another option; admins should connect to a permission access manager (PAM) that monitors and records all activity. A quick overall solution profile includes Wallix, CyberArk, Xceedium and Dell Quest, which use jump hosts; Observe-IT, Centrify and TSFactory are agent based, while Intellinx is a network sniffer.
0
