Home »The CyberArk Blog »7 Types of Privileged Accounts: Service Accounts and More
November 1, 2017Amy Burnis
Privileged accounts exist in many forms across the enterprise environment and they pose significant security risks if not protected, managed and monitored. The types of privileged accounts typically found in an enterprise environment include:
- Local Administrative Accounts are non-personal accounts that provide administrative access to the local host or instance only. Local admin accounts are routinely used by the IT staff to perform maintenance on workstations, servers, network devices, databases, mainframes, etc. Often, for ease of use, they have the same password across an entire platform or organization. Using a shared password across thousands of hosts makes local administrative accounts a soft target that advanced threats routinely exploit.
- Privileged User Accounts are named credentials that have been granted administrative privileges on one or more systems. This is typically one of the most common forms of privileged account access granted on an enterprise network, allowing users to have administrative rights on, for example, their local desktops or across the systems they manage. Often these accounts have unique and complex passwords. The power they wield across managed systems makes it necessary to continuously monitor their use.
- Domain Administrative Accounts have privileged administrative access across all workstations and servers within the domain. While these accounts are few in number, they provide the most extensive and robust access across the network. With complete control over all domain controllers and the ability to modify the membership of every administrative account within the domain, having these credentials compromised is often a worst case scenario for any organization.
- Emergency Accounts provide unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as ‘firecall’ or ‘breakglass’ accounts. While privileged access to these accounts typically requires managerial approval for security reasons, it is usually an inefficient manual process that lacks any auditability.
- Service Accounts can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges depending on the requirements of the application they are being used for. Local service accounts can interact with a variety of Windows components, which makes coordinating password changes difficult.
- Active Directory or Domain Service Accounts make password changes even more challenging, as they require coordination across multiple systems. This challenge often leads to a common practice of rarely changing service account passwords, which represents a significant risk across an enterprise.
- Application Accounts are accounts used by applications to access databases, run batch jobs or scripts or provide access to other applications. These privileged accounts usually have broad access to underlying company information that resides in applications and databases. Passwords for these accounts are often embedded and stored in unencrypted text files, a vulnerability that is replicated across multiple servers to provide greater fault tolerance for applications. This vulnerability represents a significant risk to an organization because the applications often host the exact data that APTs are targeting.
For information on how to protect privileged accounts, please read the rest of our brief guide, which also highlights best practices: “The Three Phases of Securing Privileged Accounts.” You can also find guidance on how to prioritize your approach for effective, risk-based privileged access management.
Previous Article
Understanding and Selecting a Secrets Management Platform
Understanding and Selecting a Secrets Management Platform
Next Article
Four Critical Steps for Securing API Keys in Your Organization’s Cloud Workloads
Automation enables organizations to leverage the dynamic capabilities of the cloud. Today, enterprises are ...
- ‹
- ›
CyberArk SaaS Solutions Achieve FedRAMP® High Authority
I’m honored to share that CyberArk is FedRAMP® High Authorized and ready to support U.S. federal agencies in securing access to critical government data and systems, meeting Zero Trust mandates...
Read Article
How to Align Your Security Strategy with NIST Cybersecurity Framework 2.0
After a decade in the making – or waiting, as the case may be – the National Institute of Standards and Technology (NIST) has released the first major revision to its Cybersecurity Framework...
Read Article
Why Identity Security Is Essential to Cybersecurity Strategy
In the modern digital landscape, cybersecurity isn’t just a technical challenge – it’s a business imperative. At the heart of cybersecurity is identity security – the principle that the right...
Read Article
Why Your Organization Needs Dynamic Secrets and Rotation
In today’s rapidly evolving digital landscape, organizations confront a formidable array of cyber threats, with attacks and data breaches becoming increasingly prevalent. As businesses embrace...
Read Article
How Time, Entitlements and Approvals (TEA) Can Secure the Keys to Your Cloud
A popular topic of conversation in my day-to-day work is how to secure privileged access to cloud management consoles and workloads. And that’s no surprise, considering more and more applications...
Read Article
Why Machine Identities Are Essential Strands in Your Zero Trust Strategy
Just like a snagged strand can ruin your garment, overlooking the security of machine identities can tear the very fabric of Zero Trust that protects your organization from bad actors. As a quick...
Read Article
Enterprise Browser: The Gateway to Securing All Identities
With new identities, environments and attack methods dominating today’s threat landscape, cybersecurity leaders are hyper-focused on securing identities to safeguard enterprises. However, a...
Read Article
CIO POV: 3 Considerations as the 2024 Cyber Roller Coaster Gathers Speed
If the first month-plus of 2024 is any indication, this year is likely to be anything but ordinary in the cybersecurity realm. In January alone, a triad of events unfolded, each more riveting than...
Read Article
APT29’s Attack on Microsoft: Tracking Cozy Bear’s Footprints
A new and concerning chapter has unfolded in these troubled times of geopolitical chaos. The Cozy Bear threat actor has caused significant breaches targeting Microsoft and HPE, and more are likely...
Read Article
Redefining PAM to Secure OT and IoT Devices
Left to their own devices, your organization’s devices can be a significant source of risk. Consider operational technology (OT), which is crucial for organizations but is not engineered and...
Read Article
Elevating Cloud Security With Well-Architected Practices
It’s said that life truly begins when you step out of your comfort zone. Living in California provides me with many options for hiking and trekking, a perfect backdrop for spending time with...
Read Article
GenAI’s Role in Upskilling to Close the Cybersecurity Skills Gap
The cybersecurity industry has a major people problem: it doesn’t have enough of them. The global shortage of more than 4 million cybersecurity workers isn’t a new phenomenon, but as digital and...
Read Article
Why Identity Security Requires More Than ITDR
Identity Threat Detection and Response (ITDR) is one of many aspects of an effective identity security program. Yet despite what some detection and response-focused vendors may argue, ITDR is not...
Read Article
3 Things About 2023’s Threat Landscape That Shapes My 2024 CIO POV
2023 was a tumultuous year that drove technology transformations at a pace unknown. The industry saw an accelerated and unrivaled pace of technology adoption, persistent yet evolving challenges...
Read Article
Securing High-Risk Access with Reimagined PAM Controls: A Customer Story
My team and I were on a call with a customer who saw a critical need to secure access to his company’s cloud service provider (CSP) containers. Our conversation comes to mind often, because it...
Read Article
CyberArk Labs’ 2023 Threat Research Highlights
Throughout an eventful 2023, CyberArk Labs remained focused on uncovering emerging cyberattack patterns and producing threat research aimed at helping organizations strengthen their identity...
Read Article
Secure Identities With These Five Intelligent Privilege Controls
If you’re reading this, a major part of your job is making the case for security-related issues you know are urgent. You may be among the 97% of CISOs being asked to present to their...
Read Article
Why Intelligent Privilege Controls Are Essential for Identity Security
“If we can control identity, we can stop most modern attacks. And if you control identity, then you control every perimeter, application, container – effectively every part of the environment.” –...
Read Article
Exploring the Risks of Read-Only Access in the Cloud
My career began with read-only access. In my first job, I worked night shifts in a data operations center. Our team handled incidents identified either by monitoring or from end customers. This...
Read Article
How to Meet Cyber Insurance Requirements When All Identities Are at Risk
The growing frequency and sophistication of cyberattacks, especially on the ransomware front, have compelled even more companies to seek cyber insurance coverage. But as the need for coverage...
Read Article
