Time to Ditch Big-Brother Accounts for Network Scanning

Yaron Kassner, CTO and co-founder of Silverfort, discusses why using all-seeing privileged accounts for monitoring is bad practice.

In almost every network, there is a highly privileged service account remotely connecting to all computers. These accounts are usually used by backup, security or monitoring solutions. But using such accounts to remotely log in to systems on the network introduces unnecessary risk — it’s a bad practice, and an avoidable one.

An attacker can easily take advantage of these privileged accounts, as follows. 

First, the attacker obtains access to a computer in the network. This can be done through vulnerability exploitation, phishing, a supply-chain attack or many other techniques. Then the attacker waits for the service account to connect to the compromised computer. When this happens, the attacker steals the credentials of the service account, and thus obtains domain administrator privileges. From this point forward, it becomes very hard to stop the attacker from complete domain takeover.

It’s important to note that this scenario is not theoretical. This attack vector is very common, since it is so easy to execute.

Many organizations are aware of this threat, and yet they continue to maintain these highly privileged service accounts.
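To find the accounts the article describes, a defender can cross-reference remote logon records with privileged group membership. The sketch below is an added example, not code from the article or from Silverfort; the CSV layout, account names, host names and the 80% threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: remote logon records exported as CSV.
# Column names and values are illustrative, not a real product's export format.
SAMPLE_LOGONS = """\
account,target_host
svc-backup,ws-001
svc-backup,ws-002
SVC-Backup,WS-003
svc-backup,ws-004
svc-backup,ws-005
svc-backup,ws-001
svc-monitor,ws-001
svc-monitor,ws-002
svc-monitor,ws-003
svc-monitor,ws-004
svc-monitor,ws-005
adm-alice,ws-002
"""

# Assumption: privileged group membership is pulled separately from the directory.
PRIVILEGED = {"svc-backup", "adm-alice"}
ALL_HOSTS = {f"ws-{i:03d}" for i in range(1, 6)}


def find_wide_reach_privileged(logon_csv, privileged, all_hosts, threshold=0.8):
    """Return {account: coverage} for privileged accounts whose remote
    logons reach at least `threshold` of the known hosts."""
    if not all_hosts:
        raise ValueError("host inventory is empty")
    reach = defaultdict(set)
    for row in csv.DictReader(io.StringIO(logon_csv)):
        # Normalise case so 'SVC-Backup' and 'svc-backup' count as one account.
        account = row["account"].strip().lower()
        host = row["target_host"].strip().lower()
        if host in all_hosts:  # ignore hosts outside the inventory
            reach[account].add(host)  # a set, so repeat logons count once
    findings = {}
    for account, hosts in reach.items():
        coverage = len(hosts) / len(all_hosts)
        # Wide reach alone is not the risk; wide reach plus privilege is.
        if account in privileged and coverage >= threshold:
            findings[account] = round(coverage, 2)
    return findings


if __name__ == "__main__":
    print(find_wide_reach_privileged(SAMPLE_LOGONS, PRIVILEGED, ALL_HOSTS))
```

In this constructed data, `svc-monitor` reaches every host but holds no privilege and `adm-alice` is privileged but touches one host, so only `svc-backup` is reported.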

Read More: https://threatpost.com/domain-admin-accounts-scan-network/177194/