Inventory of Administrative Accounts and Use Unique Passwords

Last Modified: 2020-03-19
One of the CIS Top 20 controls suggests maintaining an 'Inventory of Administrative Accounts'. Does Active Directory not already do this for you, to an extent, with the default admin group members such as Domain Admins, which you could query at any point in time?

https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/

How do you collect the data to populate such an inventory, and what specific group memberships go into it? In what format do you maintain the inventory, and is it dynamically populated or a manual process to keep it up to date? What level do you go down to, e.g. domain, OS, applications/databases, etc.? I appreciate that in theory every device/server/database/mailbox could have a differing set of administrators, although in practice there would be a lot of commonality across the environment.

Another thing it suggests in the CIS Top 20 is 'Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.' In your experience of doing pen tests/vulnerability assessments, are there any common types of accounts across systems joined to the network that may use the same passwords? I know how such tests take place, but having some clue as to where passwords are often replicated across systems would be interesting.
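The domain-level part of the inventory the question asks about can be pulled straight from Active Directory. The following PowerShell is an added example, not from the original post or any answer on the page: it flattens the membership of the built-in privileged groups (nested groups included), records a few password-hygiene attributes per account, writes a dated CSV snapshot, and diffs it against the previous snapshot so the inventory is regenerated rather than hand-maintained. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and file paths are assumptions you would adapt.

```powershell
# Added example (not the original poster's code). Assumes RSAT ActiveDirectory
# module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Built-in groups whose membership grants domain-wide administrative rights.
# Add your own delegated groups (e.g. 'Tier0-Admins') here - the list is an assumption.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)

$inventory = foreach ($groupName in $privilegedGroups) {
    # Some groups only exist in the forest root domain; skip those that are absent.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive flattens nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        $member = $_
        $detail = $null
        if ($member.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $member.distinguishedName `
                -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
        }
        [pscustomobject]@{
            Group                = $groupName
            Member               = $member.SamAccountName
            ObjectClass          = $member.objectClass
            Enabled              = $detail.Enabled
            LastLogonDate        = $detail.LastLogonDate
            PasswordLastSet      = $detail.PasswordLastSet
            PasswordNeverExpires = $detail.PasswordNeverExpires
            Collected            = (Get-Date).ToString('s')
        }
    }
}

# Snapshot paths are assumptions; point them at a write-protected share in practice.
$snapshotDir = '.\admin-inventory'
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null
$today    = Join-Path $snapshotDir ("admin-inventory-{0}.csv" -f (Get-Date -Format yyyyMMdd))
$previous = Get-ChildItem $snapshotDir -Filter 'admin-inventory-*.csv' |
            Where-Object { $_.FullName -ne $today } |
            Sort-Object Name | Select-Object -Last 1

$inventory | Sort-Object Group, Member | Export-Csv -Path $today -NoTypeInformation

# Drift report: who was added to or removed from a privileged group since the last run.
if ($previous) {
    $old = Import-Csv $previous.FullName
    Compare-Object -ReferenceObject $old -DifferenceObject $inventory -Property Group, Member |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            "{0,-8} {1} in {2}" -f $change, $_.Member, $_.Group
        }
}

# Quick hygiene view: enabled privileged users whose password never expires.
$inventory | Where-Object { $_.ObjectClass -eq 'user' -and $_.Enabled -and $_.PasswordNeverExpires } |
    Select-Object Group, Member, PasswordLastSet | Format-Table -AutoSize
```

Run it on a schedule and keep the CSVs; the Compare-Object step is what turns a point-in-time group query into an inventory with history. Local administrators on member servers, database roles and application admin roles are not in AD and need their own collectors (for local groups, Get-LocalGroupMember over remoting is the usual starting point).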