Pau Lo asked:

Inventory of Administrative Accounts and Use Unique Passwords

One of the CIS Top 20 controls suggests maintaining an 'Inventory of Administrative Accounts'. Does Active Directory not already do this for you, to an extent, with the default admin groups such as Domain Admins, whose membership you could query at any point in time?

https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/

How do you collect the data to populate such an inventory, and which specific group memberships go into it? In what format do you maintain the inventory, and is it dynamically populated or a manual process to keep it up to date? What level do you go down to, e.g. domain, OS, application/database, etc.? I appreciate that in theory every device/server/database/mailbox could have a differing set of administrators, although in practice there would be a lot of commonality across the environment.

Another thing it suggests in the CIS Top 20 is 'Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.' In your experience of doing pen tests/vulnerability assessments, are there any common types of accounts across systems joined to the network that may use the same passwords? I know how such tests take place, but having some clue as to where passwords are often replicated across systems would be interesting.
Tags: Operating Systems, Active Directory, Security
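The following script is an added example, not part of the original question or of the accepted answer, showing one way to collect the domain-level part of such an inventory automatically. It walks the well-known privileged groups by SID (so renamed or localised group names do not matter), flattens nested membership, records the attributes that usually decide whether an account belongs there, and cross-checks against accounts that AdminSDHolder has stamped with adminCount=1 but that sit in none of the listed groups. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the domain, and that the output folder exists; the group list and the output path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): inventory of domain-level
# administrative accounts pulled from Active Directory.
# Assumptions: RSAT ActiveDirectory module present, caller can read the
# domain, $OutDir exists. Group list and path are illustrative choices.

param(
    [string]$OutDir = 'C:\AdminInventory'
)

Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Privileged groups by well-known SID rather than display name. Enterprise
# and Schema Admins exist only in the forest root domain, so their lookup
# is allowed to fail in a child domain.
$privilegedSids = [ordered]@{
    "$domainSid-512" = 'Domain Admins'
    "$domainSid-519" = 'Enterprise Admins'
    "$domainSid-518" = 'Schema Admins'
    'S-1-5-32-544'   = 'Administrators'
    'S-1-5-32-548'   = 'Account Operators'
    'S-1-5-32-549'   = 'Server Operators'
    'S-1-5-32-551'   = 'Backup Operators'
    'S-1-5-32-550'   = 'Print Operators'
}

$inventory = foreach ($sid in $privilegedSids.Keys) {
    $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive flattens nested groups and returns only leaf principals
    # (users, computers, gMSAs). Foreign security principals from trusted
    # domains make it throw, so errors are suppressed here; a member count
    # that does not match the raw 'member' attribute is worth checking.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue

    foreach ($m in $members) {
        $detail = $null
        if ($m.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $m.distinguishedName -Properties Enabled,
                LastLogonDate, PasswordLastSet, PasswordNeverExpires,
                ServicePrincipalName, adminCount, whenCreated
        }
        [pscustomobject]@{
            Collected            = (Get-Date).ToString('s')
            Group                = $privilegedSids[$sid]
            GroupDN              = $group.DistinguishedName
            SamAccountName       = $m.SamAccountName
            ObjectClass          = $m.objectClass
            Enabled              = $detail.Enabled
            LastLogonDate        = $detail.LastLogonDate
            PasswordLastSet      = $detail.PasswordLastSet
            PasswordNeverExpires = $detail.PasswordNeverExpires
            # An SPN on a privileged user usually means a service account.
            HasSPN               = ($null -ne $detail -and $detail.ServicePrincipalName.Count -gt 0)
            AdminCount           = $detail.adminCount
        }
    }
}

# AdminSDHolder sets adminCount=1 on members of protected groups and never
# clears it. Accounts carrying the flag but absent from every group above are
# either stale (removed from a group, flag never reset) or members of a
# protected group that is missing from the list. Both deserve a look.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $inventory.SamAccountName }

$stamp = Get-Date -Format 'yyyyMMdd'
$inventory | Sort-Object Group, SamAccountName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "admin-inventory-$stamp.csv")
$flagged | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "admincount-orphans-$stamp.csv")

"{0} privileged memberships, {1} adminCount=1 accounts outside the listed groups" -f
    @($inventory).Count, @($flagged).Count
```

Run it from a scheduled task and keep each dated CSV; diffing today's file against the previous run is what turns a one-off query into a maintained inventory, and the diff itself is the review artefact the control is asking for. This covers only the domain layer: local Administrators groups on member servers (Get-LocalGroupMember over Invoke-Command, or the LAPS/GPO data that manages them) and application or database admin roles need their own collectors feeding the same format.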

Last comment: btan, 8/22/2022 (Mon)

Asker certified solution: btan
