RE: Emergency Access Accounts
I was reading up on Microsoft Security (you should really bookmark and read this stuff if you work with Microsoft — https://docs.microsoft.com/en-us/security/) recently. You should probably do it too. Interesting stuff in there.
One bit stuck out for me — emergency accounts — casually mentioned in the Security Rapid Modernization Plan (RAMP) section — https://docs.microsoft.com/en-us/security/compass/security-rapid-modernization-plan.
As I read, I recalled working for a startup a long time ago where we created an “all-else-fails” set of accounts that were domain administrator with all security permissions. We turned on auditing to the maximum and set up alerts if it was ever used. The password was set by the CEO and written down on a piece of paper, sealed in an envelope, and placed in a safe in his office.
While I was employed there, we never had occasion to use the magical account, and it was never used otherwise. I’ve often wondered how many companies have accounts like this — fail-safes — in place. So it was particularly amusing to me this morning as I read the guidance that this should show up again. With all the technology out there to protect us from baddies and hostile nation-states, it’s important to recall that sometimes the enemy is employed alongside you, and you need to protect against that too.
With all the behavioral monitoring (UEBA, etc) that happens these days in the SIEM and other dedicated systems, I often wonder if there is a need for something like an emergency fail-safe account like we had…but apparently, it’s still recommended. Makes me wonder how many companies out there do not have this type of set-up, and what they would do if suddenly the people who are their security administrators — the ones with the full access to everything (hopefully not “everything”) — went rogue.
Might be an interesting discussion for a podcast topic on Down the Security Rabbithole Podcast, or maybe Indistinguishable from Magic (yes, I have two podcasts now, want to fight about it, or would you prefer to click over and listen?)
What do you think ?— do you employ this tactic? Have you had to fall back on it? Would you want to talk about it?