One of the CIS Top 20 controls suggests maintaining an 'Inventory of Administrative Accounts'. Does Active Directory not do this for you though to an extent with the default admin group members such as domain admins which you could query at any point in time?
How do you collect the data to populate such an inventory and what specific groups memberships go into it? In what format do you maintain the inventory and is it dynamically populated or a manual process to keep it up to date? What level do you go down to, e.g. domain, OS, applications/database, applications etc? I appreciate in theory every device/server/database/mai
lbox could have a differing set of administrators although in practice there would be a lot of commonality across the environment.
Another it suggests in the CIS Top 20 is 'Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.'. In your experience of doing pen tests/vulnerability assessments, is there any common types of accounts that are common across systems joined to the network that may use the same passwords? I know how such tests take place but having some clue on where passwords are often replicated across systems would be interesting.