COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.
IT Essentials · 30 min · 6 min read

Privileged Access & Least Privilege

Master admin account hygiene, the principle of least privilege, PAM basics, and separation of duties

The Keys to the Kingdom

In every organization, some accounts have more power than others. A regular user account can access email and shared drives. A domain admin account can reset any password, access any file, install software on any machine, and modify security policies across the entire network. These privileged accounts are the number one target for attackers — because compromising one means owning everything.

As IT support staff, you likely have elevated privileges. You may have local admin rights on workstations, access to Active Directory, or the ability to reset passwords and manage group policies. This access is necessary for your job, but it also makes you a high-value target and increases the potential damage from a mistake.

The Principle of Least Privilege

The principle of least privilege (PoLP) states: every user, process, and system should have only the minimum permissions necessary to perform its function — and nothing more.

This sounds simple. In practice, it is one of the hardest security principles to implement and maintain because:

  • Users request "just in case" access to systems they rarely need
  • Administrators grant broad permissions to avoid repeated access requests
  • When people change roles, their old permissions often remain (privilege creep)
  • Service accounts are created with admin rights "to make it work" and never reduced

Quick Check

Giving a help desk technician domain admin rights is acceptable as long as they only use those rights for help desk tasks.

Why Least Privilege Matters

  • Limits blast radius — If an account is compromised, the attacker can only do what that account is authorized to do. A user account compromise is bad; a domain admin compromise is catastrophic.
  • Reduces insider risk — Employees can only accidentally (or intentionally) damage what they can access.
  • Supports compliance — Regulations like SOC 2, HIPAA, and PCI DSS require access controls based on least privilege.
  • Simplifies auditing — When permissions are well-scoped, it's easier to track who accessed what and why.

Admin Account Hygiene

If you have administrative privileges, follow these rules without exception:

Separate Your Accounts

  • Standard account — For email, browsing, document editing, and daily work. No admin rights.
  • Admin account — Used only for administrative tasks. Never used for email or web browsing.

Why? Because email and web browsing are the primary attack vectors. If your admin account gets phished or your browser downloads malware, the attacker gets admin privileges. By separating accounts, a compromise of your daily-use account doesn't hand over the keys to the kingdom.

Admin Account Rules

  1. Never browse the web with an admin account — Not even to look up a Microsoft KB article
  2. Never check email with an admin account — Use your standard account for all communication
  3. Use admin accounts only on secured admin workstations — Ideally a Privileged Access Workstation (PAW) or jump server
  4. Enforce MFA on all admin accounts — No exceptions, hardware keys preferred
  5. Use different passwords — Your admin password must not match your standard account password
  6. Audit admin account usage — Review logs regularly for unexpected admin activity

Scenario Challenge

A colleague on the help desk team tells you they use their domain admin account for everything — email, web browsing, help desk tickets, and admin tasks. They say it's more convenient than switching between accounts and that they're careful about what they click. How do you respond?

Privileged Access Management (PAM)

PAM is a set of tools and practices for controlling, monitoring, and auditing privileged access. Even if your organization doesn't have a formal PAM solution, understanding the concepts helps you manage admin access responsibly.

Core PAM Concepts

  • Credential vaulting — Admin passwords stored in an encrypted vault (like CyberArk, BeyondTrust, or even KeePass for smaller teams). Nobody memorizes admin passwords — they're checked out from the vault when needed.
  • Just-in-time (JIT) access — Admin privileges are granted only when needed and automatically revoked after a set time. Instead of permanent admin rights, you request elevated access for a specific task and duration.
  • Session recording — Admin sessions are recorded for audit and forensic purposes. If something goes wrong, you can replay exactly what happened.
  • Privilege elevation — Users request temporary elevation for specific tasks rather than having permanent admin rights. Similar to Linux sudo — escalate for one command, not for the entire session.

Practical PAM Without Enterprise Tools

Even without a CyberArk deployment, you can implement PAM principles:

  1. Use a password manager for admin credentials — Store admin passwords in a team-accessible vault (Bitwarden, KeePass)
  2. Implement time-limited admin groups — Use scheduled tasks or scripts to add users to admin groups and remove them after a defined period
  3. Enable admin audit logging — Ensure Windows Security Event logs capture privileged operations (Event IDs 4672, 4624, 4648)
  4. Review admin group membership monthly — Who is in Domain Admins? Enterprise Admins? Local Administrators? Can you justify every member?
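An added example, not code from the original module, that applies steps 3 and 4 above to exported Security log records: it triages the three Event IDs named (4624, 4648, 4672) against the admin-workstation rule from the previous section. The "adm-" naming convention, the PAW host allow-list and the sample records are constructed assumptions.

```python
"""Triage privileged-logon events exported from the Windows Security log.
Assumed conventions (not from the page): admin accounts carry an "adm-" prefix
and may only be used interactively from allow-listed PAW hosts."""

PAW_HOSTS = {"PAW01", "PAW02"}          # assumed Privileged Access Workstations
ADMIN_PREFIX = "adm-"                   # assumed admin-account naming convention
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached interactive

# Constructed sample records, using the field names of the real events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "adm-jsmith", "LogonType": 10, "WorkstationName": "PAW01"},
    {"EventID": 4624, "TargetUserName": "adm-jsmith", "LogonType": 2, "WorkstationName": "WS-FINANCE07"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 3, "WorkstationName": "WS-FINANCE07"},
    {"EventID": 4672, "SubjectUserName": "jsmith", "WorkstationName": "WS-FINANCE07"},
    {"EventID": 4672, "SubjectUserName": "adm-jsmith", "WorkstationName": "PAW01"},
    {"EventID": 4648, "SubjectUserName": "jsmith", "TargetUserName": "adm-jsmith",
     "WorkstationName": "WS-FINANCE07"},
]


def is_admin(user):
    return user.lower().startswith(ADMIN_PREFIX)


def triage(events):
    """Return (event_id, account, host, reason) tuples for records that break the rules."""
    findings = []
    for e in events:
        eid = e["EventID"]
        host = e.get("WorkstationName", "?")
        if eid == 4624:  # successful logon
            user = e["TargetUserName"]
            if is_admin(user) and e["LogonType"] in INTERACTIVE_LOGON_TYPES and host not in PAW_HOSTS:
                findings.append((4624, user, host, "admin interactive logon outside PAW"))
        elif eid == 4672:  # special privileges assigned to a new logon
            user = e["SubjectUserName"]
            if not is_admin(user):
                findings.append((4672, user, host, "special privileges assigned to standard account"))
        elif eid == 4648:  # logon with explicit credentials (e.g. runas)
            user = e["TargetUserName"]
            if is_admin(user) and host not in PAW_HOSTS:
                findings.append((4648, user, host, "explicit admin credential use outside PAW"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(*f, sep=" | ")
```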

Separation of Duties

Separation of duties ensures that no single person can complete a high-risk action alone. This prevents both accidental damage and insider threats.

Examples

  • The person who requests a firewall change should not be the person who approves it
  • The person who writes code should not deploy it to production without review
  • The person who creates user accounts should not be the same person who assigns permissions
  • Backup administrators should not have delete rights on the systems they back up

Quick Check

It's acceptable for a single IT administrator to have the ability to both create user accounts and assign those accounts to the Domain Admins group without any approval process.

Privilege Creep: The Silent Risk

Privilege creep occurs when users accumulate permissions over time as they change roles, join projects, or receive "temporary" access that is never revoked.

Common Causes

  • Employee transfers between departments without access review
  • Temporary project access that becomes permanent
  • "Clone the permissions of user X" when onboarding — inheriting everything including inappropriate access
  • Vendor or contractor accounts that persist after the engagement ends

Fighting Privilege Creep

  • Quarterly access reviews — Every manager reviews their team's access and confirms it is still appropriate
  • Role-based access control (RBAC) — Define roles with specific permissions. When someone changes roles, they get the new role's permissions and lose the old role's.
  • Automated deprovisioning — When HR processes a role change or termination, access is automatically adjusted
  • Access request audit trails — Every permission grant should be traceable to a request and approval
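An added example, not part of the original module, of the RBAC-based access review described above: each account's actual grants are compared with its current role, and every excess permission is attributed to a former role, to a lapsed "temporary" grant, or to nothing at all. The roles, users and grants are constructed for the example.

```python
"""Access-review helper for privilege creep: report every permission an account
holds beyond its current role. Roles, users and grants below are constructed."""

# Assumed role definitions (role -> permissions the role entitles).
ROLES = {
    "helpdesk": {"reset-password", "unlock-account", "read-tickets"},
    "finance":  {"read-ledger", "post-journal"},
    "sysadmin": {"reset-password", "unlock-account", "local-admin", "gpo-edit"},
}

# Constructed accounts: current role, roles held before, the grants actually
# present on the account, and expiry dates (ISO) of any grants made "temporarily".
USERS = {
    "jsmith": {"role": "finance", "former_roles": ["helpdesk"],
               "grants": {"read-ledger", "post-journal", "reset-password", "unlock-account"},
               "temporary": {}},
    "mlee":   {"role": "helpdesk", "former_roles": [],
               "grants": {"reset-password", "unlock-account", "read-tickets", "gpo-edit"},
               "temporary": {"gpo-edit": "2025-01-31"}},
}


def review_user(user, today):
    """Return (permission, explanation) for each grant not covered by the current role."""
    entitled = ROLES[user["role"]]
    findings = []
    for perm in sorted(user["grants"] - entitled):
        expiry = user["temporary"].get(perm)
        if expiry is not None:  # ISO dates compare correctly as strings
            state = "expired" if expiry < today else "expires"
            findings.append((perm, f"temporary grant {state} {expiry}"))
            continue
        source = next((r for r in user["former_roles"] if perm in ROLES[r]), None)
        findings.append((perm, f"inherited from former role '{source}'" if source
                         else "no role or request explains this grant"))
    return findings


def access_review(users, today):
    """Map each account with excess permissions to its findings; clean accounts are omitted."""
    report = {}
    for name, user in users.items():
        findings = review_user(user, today)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in access_review(USERS, "2025-06-01").items():
        for perm, why in findings:
            print(f"{name}: {perm} - {why}")
```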

Key Takeaways

  • Separate your admin and daily-use accounts — Never browse the web or check email with admin credentials
  • Apply least privilege everywhere — Give exactly the access needed, nothing more
  • Admin rights are not a convenience — They are a responsibility and a risk that must be carefully managed
  • Review and prune access regularly — Privilege creep is inevitable without active management
  • Separation of duties prevents catastrophic mistakes — No single person should control an entire critical process
  • PAM principles apply at every scale — You don't need enterprise tools to vault passwords, limit admin sessions, and audit privileged activity
