Validating the security credentials
Organizations should limit the number of ways by which privileged users can get into a system.
If a development team is coming in remotely to do work, they should be limited to encrypted connections.
Organizations still need knowledgeable people who can look at this data and say, “Yes, the user who checked out the credential was assigned to do so.” Therefore, enterprises not only need to put a monitoring process in place, with the appropriate tools and level of activity monitoring, but, more importantly and often the most difficult part of the process, they also need the knowledge to correlate that data and decide whether or not the actions were appropriate for the assigned activity.
In addition to these two processes, it’s important to remember that there are additional security solutions that should be applied.
A copy of the SAM is also stored here, although it is write-protected.
The following diagram shows the components required and the paths that credentials take through the system to authenticate the user or process for a successful logon.
Whatever method of retrieval is used, there needs to be a paper trail to indicate who checked out the credentials, the amount of time spent doing so, and, most importantly, why these credentials were needed.
Regardless, it’s important to keep in mind that just because the individual had a good reason to check out the credential, this process doesn’t guarantee that’s what the credentials were used for.
Application or service logons not requiring interactive logon.
It’s also important to limit who can work off-hours and when, to ensure only trusted and well-vetted administrators are on the network during non-business hours.
It is important to remember that if an organization doesn’t currently have a monitoring tool, there are other ways to monitor the users.
For example, SSL VPN or IPSec tunnels, or ideally admittance from locally segmented LANs with access only to the development systems, are approaches. This will prevent any potential snoopers on the network ports from capturing the credentials from the privileged users’ sessions.
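The correlation step described above (checking that whoever checked out a credential was assigned to do so, held it for a reasonable time, gave a reason, worked within approved hours, and actually used it for the stated activity) can be scripted against the paper trail. The following is an added example, not code from the original page or from any product it describes; the record formats, the business-hours window, the four-hour maximum hold time and all checkout, assignment and session data are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All records below are constructed sample data, not taken from any real system.


@dataclass
class Checkout:
    """One entry in the credential check-out paper trail."""
    user: str
    credential: str
    checked_out: datetime
    returned: datetime
    reason: str
    ticket: str


@dataclass
class Assignment:
    """Who was assigned to do what, where, and when (assumed ticket format)."""
    ticket: str
    assignees: set
    hosts: set
    window_start: datetime
    window_end: datetime


@dataclass
class Session:
    """Observed use of the credential, e.g. from a privileged-session recorder."""
    user: str
    credential: str
    host: str
    started: datetime


BUSINESS_HOURS = (8, 18)          # assumed local business hours, 08:00-18:00
MAX_HOLD = timedelta(hours=4)     # assumed maximum time a credential may stay checked out


def is_off_hours(ts):
    """Weekend, or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def review_checkout(co, assignments, sessions, offhours_admins):
    """Return a list of findings for one checkout; an empty list means it looks appropriate."""
    findings = []
    if not co.reason.strip():
        findings.append("no stated reason")
    a = assignments.get(co.ticket)
    if a is None:
        findings.append(f"ticket {co.ticket} not found")
    else:
        if co.user not in a.assignees:
            findings.append(f"{co.user} not assigned to {co.ticket}")
        if not (a.window_start <= co.checked_out and co.returned <= a.window_end):
            findings.append("checkout outside assignment window")
    if co.returned - co.checked_out > MAX_HOLD:
        findings.append("held longer than max hold time")
    if is_off_hours(co.checked_out) and co.user not in offhours_admins:
        findings.append("off-hours checkout by non-approved admin")
    # The paper trail only records why the credential was requested; compare it
    # with what was actually done while it was checked out.
    used = [s for s in sessions
            if s.credential == co.credential and co.checked_out <= s.started <= co.returned]
    if not used:
        findings.append("no session activity during checkout")
    elif a is not None:
        for s in used:
            if s.host not in a.hosts or s.user != co.user:
                findings.append(f"session on {s.host} by {s.user} outside ticket scope")
    return findings


def review_all(checkouts, assignments, sessions, offhours_admins):
    """Findings per checkout, in the order the checkouts were given."""
    return [review_checkout(c, assignments, sessions, offhours_admins) for c in checkouts]


# Constructed sample data: one clean checkout, one that fails on every point,
# and one whose stated reason does not match where the credential was used.
ASSIGNMENTS = {
    "TKT-101": Assignment("TKT-101", {"alice"}, {"db01"},
                          datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 17, 0)),
}
CHECKOUTS = [
    Checkout("alice", "svc-dbadmin", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 30),
             "patch db01", "TKT-101"),
    Checkout("bob", "svc-dbadmin", datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 3, 30),
             "", "TKT-101"),
    Checkout("alice", "svc-dbadmin", datetime(2024, 3, 4, 14, 0), datetime(2024, 3, 4, 15, 0),
             "patch db01", "TKT-101"),
]
SESSIONS = [
    Session("alice", "svc-dbadmin", "db01", datetime(2024, 3, 4, 10, 15)),
    Session("alice", "svc-dbadmin", "fileserver07", datetime(2024, 3, 4, 14, 20)),
]
OFFHOURS_ADMINS = {"carol"}

if __name__ == "__main__":
    for co, findings in zip(CHECKOUTS, review_all(CHECKOUTS, ASSIGNMENTS, SESSIONS, OFFHOURS_ADMINS)):
        print(co.user, co.credential, co.checked_out.isoformat(), findings or "OK")
```

The third checkout is the case the text warns about: the reason and ticket look fine, but the session record shows the credential being used on a host the ticket never covered, which only the correlation against activity data reveals. The script does not decide whether that was malicious; it produces the findings a reviewer then has to judge.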