From the Field: Least Privilege

🔎 From the Field — Real-World Findings from Security Assessments

💥 71.4% of infrastructures I’ve assessed don’t follow the least privilege model.

General problem – but this is where it starts.

💻 Users with local admin rights on endpoints

🔐 Overprivileged service accounts thrown into Domain Admins

🚫 “It just works” instead of “what’s actually needed?”

This mindset destroys your ability to enforce real security.

🛠 Use proper service accounts (MSA, gMSA, DMSA, VSA) — and give them only the permissions they truly need.

🚫 You don’t need Enterprise Admins to manage endpoints.

Instead:

✅ Implement a tiering model

✅ Separate scopes and admin accounts

✅ Limit access per tier

Something to help you understand (free):

Tiering Model mini-course:
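As an added example (not code from the post), a PowerShell audit that surfaces the two findings above in your own domain: regular user accounts sitting in Tier-0 groups that carry SPNs or never-expiring passwords (the usual signs of an application running under a normal account), and any managed service account placed directly in a Tier-0 group. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and the service-account heuristic are assumptions to adapt.

```powershell
# Added example, not from the post: audit Tier-0 groups for service-account patterns.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed Tier-0 groups; extend with any custom high-privilege groups you use.
$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$managedClasses = @('msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount')

$findings = foreach ($group in $tier0Groups) {
    # -Recursive expands nested groups, so indirect membership is not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet
            # Heuristic (assumption): a user object with SPNs or a never-expiring
            # password is almost always an application running under a regular account.
            $spns = @($u.servicePrincipalName)
            if ($spns.Count -gt 0 -or $u.PasswordNeverExpires) {
                [pscustomobject]@{
                    Group           = $group
                    Account         = $u.SamAccountName
                    Finding         = 'Regular user account used as a service account'
                    SPNs            = ($spns -join '; ')
                    PasswordLastSet = $u.PasswordLastSet
                    Enabled         = $u.Enabled
                }
            }
        }
        elseif ($managedClasses -contains $m.objectClass) {
            # A gMSA/MSA is the right account type, but it still does not belong in
            # Tier 0: delegate the specific rights it needs instead.
            [pscustomobject]@{
                Group           = $group
                Account         = $m.SamAccountName
                Finding         = 'Managed service account placed directly in a Tier-0 group'
                SPNs            = ''
                PasswordLastSet = $null
                Enabled         = $null
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Group, Account | Format-Table -AutoSize
    $findings | Export-Csv -Path .\tier0-service-account-findings.csv -NoTypeInformation
} else {
    'No service-account patterns found in the audited Tier-0 groups.'
}
```

Each row in the CSV is a candidate for moving the workload to a gMSA (or an existing gMSA out of the Tier-0 group) with only the delegated rights it actually needs.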

https://academy.horizon-secured.com/p/windows-infrastructure-security-tiering-model

๐—ฆ๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ ๐—”๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐˜€ ๐—บ๐—ถ๐—ป๐—ถ-๐—ฐ๐—ผ๐˜‚๐—ฟ๐˜€๐—ฒ:

https://academy.horizon-secured.com/p/active-directory-service-accounts

🧠 Every time you grant privileges — pause and question it.

Avoid shortcuts. Delegate intentionally. Stick to least privilege.