What is privileged access management (PAM)?
Protect your organization from cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources.
Types of privileged accounts
Privileged accounts provide access and privileges beyond those of non-privileged accounts (e.g., standard user accounts and guest user accounts).
Super user accounts
Super user accounts are privileged accounts used by administrators who have unrestricted access to files, directories, and resources. They can install software, change configurations and settings, and delete users and data.
Domain administrator accounts
Domain administrator accounts provide the highest level of control in a domain. These accounts have access to all workstations and servers across the domain and control system configurations, admin accounts, and group memberships.
Local administrator accounts
Local administrator accounts have admin control over specific servers or workstations and are often created for maintenance tasks.
Application administrator accounts
Application administrator accounts have full access to specific applications and the data stored in them.
Service accounts
Service accounts are privileged accounts that applications use to interact with the operating system securely.
Business privileged user accounts
Business privileged user accounts have high-level privileges based on job responsibilities.
Emergency accounts
Emergency accounts provide unprivileged users with admin access to secure systems in the event of a disaster or disruption.
Privileged access management best practices
As you plan for and implement your PAM solution, there are best practices to keep in mind to help improve security and mitigate risk in your organization.
Require multifactor authentication
Add a layer of protection to the sign-in process with multifactor authentication. When accessing accounts or apps, users must provide additional identity verification through another verified device.
Automate your security
Reduce the risk of human error and increase efficiency by automating your security environment. For example, you can automatically restrict privileges and prevent unsafe or unauthorized actions when a threat is detected.
Remove endpoint users from local admin groups
Identify and remove unnecessary endpoint users from the local Administrators group on Windows workstations. A threat actor who obtains an admin account can use it to jump from workstation to workstation, steal further credentials, and escalate privileges to move through the network.
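A report-only way to carry out that review, as an added example that is not code from the original page or from Microsoft: it lists every member of a workstation's local Administrators group that is not on an allowlist and shows, with -WhatIf, what a clean-up would remove. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (where Get-LocalGroupMember and Remove-LocalGroupMember are available) and an elevated session; the CONTOSO domain and the group names are placeholders.

```powershell
# Added example (not from the page or from Microsoft): report-only reconciliation
# of the local Administrators group against an allowlist. Requires an elevated
# session on a Windows host with the Microsoft.PowerShell.LocalAccounts cmdlets.

# Hypothetical allowlist of principals that may keep local admin rights.
# Prefer the fully qualified DOMAIN\name form; a bare name matches any domain.
$AllowedAdmins = @(
    'Administrator'                  # built-in local account, kept as the break-glass login
    'CONTOSO\Workstation Admins'     # placeholder domain group used by the IT team
    'CONTOSO\Domain Admins'
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$Allowed = $AllowedAdmins,
        [string]$Group = 'Administrators'
    )
    # Get-LocalGroupMember reports Name as COMPUTER\account or DOMAIN\account.
    Get-LocalGroupMember -Group $Group | Where-Object {
        $bare = $_.Name.Split('\')[-1]
        ($Allowed -notcontains $_.Name) -and ($Allowed -notcontains $bare)
    }
}

$unexpected = @(Get-UnexpectedLocalAdmins)
if ($unexpected.Count -eq 0) {
    Write-Host "Local Administrators contains only allowlisted members."
}
else {
    # Show what was found before anything is changed.
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

    # -WhatIf keeps this report-only; drop it only after the list above has been reviewed.
    foreach ($member in $unexpected) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member -WhatIf
    }
}
```

Running the script across a fleet (for example through a remote session) gives an inventory of unexpected local admins first; the actual removal is a separate, reviewed step, which is why -WhatIf stays in by default.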
Establish baselines and monitor deviations
Audit privileged access activity to see who is doing what in the system and how privileged passwords are being used. Knowing the baseline for acceptable activity helps you spot deviations that may indicate your system has been compromised.
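What "baseline and deviation" looks like in practice, as an added example that is not code from the original page or from Microsoft: it derives, per account, the machines and hours at which privileged logons normally occur, then flags new events that fall outside that pattern. The event records are constructed for the example; on a real Windows host the same fields (account, computer, time) can be read from Security event 4672, "Special privileges assigned to new logon", with Get-WinEvent. Account and computer names are placeholders.

```powershell
# Added example (not from the page or from Microsoft): per-account baseline of
# privileged logons and a simple deviation check. Records are constructed; on a
# real host they would come from, e.g.:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 }

function New-PrivLogonRecord {
    param([string]$Account, [string]$Computer, [string]$When)
    [pscustomobject]@{ Account = $Account; Computer = $Computer; TimeCreated = [datetime]$When }
}

# Historical "known good" privileged activity (constructed).
$historical = @(
    New-PrivLogonRecord 'CONTOSO\svc-backup' 'FS01'     '2024-03-04 02:05'
    New-PrivLogonRecord 'CONTOSO\svc-backup' 'FS01'     '2024-03-05 02:07'
    New-PrivLogonRecord 'CONTOSO\svc-backup' 'FS02'     '2024-03-06 02:04'
    New-PrivLogonRecord 'CONTOSO\jdoe-adm'   'WS-IT-07' '2024-03-04 09:15'
    New-PrivLogonRecord 'CONTOSO\jdoe-adm'   'WS-IT-07' '2024-03-05 10:40'
    New-PrivLogonRecord 'CONTOSO\jdoe-adm'   'DC01'     '2024-03-06 16:20'
)

# Events to evaluate (constructed): one normal, one from a never-seen machine,
# one at an unusual hour, one from an account with no history at all.
$recent = @(
    New-PrivLogonRecord 'CONTOSO\jdoe-adm'   'WS-IT-07' '2024-03-18 11:02'
    New-PrivLogonRecord 'CONTOSO\svc-backup' 'WS-HR-22' '2024-03-18 02:06'
    New-PrivLogonRecord 'CONTOSO\jdoe-adm'   'DC01'     '2024-03-19 03:30'
    New-PrivLogonRecord 'CONTOSO\tmp-admin'  'DC01'     '2024-03-19 03:31'
)

function Get-PrivilegedBaseline {
    param([object[]]$Events)
    $baseline = @{}
    foreach ($grp in ($Events | Group-Object -Property Account)) {
        $hours = @($grp.Group | ForEach-Object { $_.TimeCreated.Hour })
        $baseline[$grp.Name] = [pscustomobject]@{
            Computers = @($grp.Group | ForEach-Object { $_.Computer } | Sort-Object -Unique)
            MinHour   = ($hours | Measure-Object -Minimum).Minimum
            MaxHour   = ($hours | Measure-Object -Maximum).Maximum
        }
    }
    return $baseline
}

function Find-BaselineDeviations {
    param([hashtable]$Baseline, [object[]]$Events, [int]$HourSlack = 1)
    foreach ($e in $Events) {
        $b = $Baseline[$e.Account]
        $reasons = @()
        if (-not $b) {
            $reasons += 'no privileged-logon history for this account'
        }
        else {
            if ($b.Computers -notcontains $e.Computer) {
                $reasons += "computer $($e.Computer) not seen before for this account"
            }
            $h = $e.TimeCreated.Hour
            if ($h -lt ($b.MinHour - $HourSlack) -or $h -gt ($b.MaxHour + $HourSlack)) {
                $reasons += "hour $h outside usual window $($b.MinHour)-$($b.MaxHour)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account  = $e.Account
                Computer = $e.Computer
                Time     = $e.TimeCreated
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

$baseline = Get-PrivilegedBaseline -Events $historical
Find-BaselineDeviations -Baseline $baseline -Events $recent | Format-Table -AutoSize
```

With the constructed data, the first recent event is silent and the other three are reported: a service account appearing on a user workstation, an admin account active at 03:30, and an account with no history. A real baseline needs a longer window and a per-account hour profile rather than a single min/max, but the shape of the check is the same.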
Provide just-in-time access
Apply least privilege to everything and everyone, then elevate privileges only when they are needed. This lets you segment systems and networks so that users and processes are granted access according to their level of trust, need, and privilege.
Avoid perpetual privileged access
Consider temporary just-in-time access and just-enough access instead of perpetual privileged access. This helps ensure that users have a valid reason for such access and only for the time required.
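One concrete form of just-in-time, time-limited access for the two points above, as an added example that is not code from the original page or from Microsoft: group membership that expires on its own. It uses the ActiveDirectory module's Add-ADGroupMember -MemberTimeToLive parameter, which requires the Privileged Access Management optional feature to be enabled in the forest (Windows Server 2016 forest functional level or later); the group name, account name, change reference and log path are placeholders.

```powershell
# Added example (not from the page or from Microsoft): just-in-time elevation via
# time-bound AD group membership. Requires the ActiveDirectory module and a forest
# with the Privileged Access Management optional feature enabled.

function Grant-TemporaryGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Justification,   # ticket or change reference
        [ValidateRange(1, 8)][int]$Hours = 2             # cap elevation at one working day
    )
    $ttl = New-TimeSpan -Hours $Hours
    if ($PSCmdlet.ShouldProcess("$Account -> $Group", "grant membership for $Hours h")) {
        # Membership is removed by the directory when the TTL expires; no clean-up job needed.
        Add-ADGroupMember -Identity $Group -Members $Account -MemberTimeToLive $ttl

        # Keep a local audit trail alongside the directory's own logging (placeholder path).
        "$(Get-Date -Format o) granted $Account membership of $Group for $Hours h; reason: $Justification" |
            Add-Content -Path "$env:ProgramData\jit-elevation.log"
    }
}

# Usage (placeholder names): two hours of membership tied to a change reference.
Grant-TemporaryGroupMembership -Account 'jdoe-adm' -Group 'Workstation Admins' -Hours 2 -Justification 'CHG-0001 (placeholder)'

# Review what is currently elevated and how long each membership has left.
Get-ADGroup -Identity 'Workstation Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Because the function supports -WhatIf, the same command can be run in review mode first; the mandatory justification parameter is what ties each elevation to a reason, which is the "valid reason" requirement described above.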
Use activity-based access control
Grant privileges only to the resources a person actually uses based on their past activity and usage. Aim to close the gap between privileges granted and privileges used.
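Measuring the gap between privileges granted and privileges used, as an added example that is not code from the original page or from Microsoft: it joins a table of current role grants with a record of which roles each account actually exercised during a review window and lists the unused grants as removal candidates. Both tables are constructed for the example; in practice the grants come from the directory or PAM tool and the usage records from its session or audit log. Account and role names are placeholders.

```powershell
# Added example (not from the page or from Microsoft): granted-vs-used privilege
# analysis over constructed data.

# Roles each account currently holds (constructed).
$grants = @(
    [pscustomobject]@{ Account = 'CONTOSO\jdoe-adm';   Role = 'WorkstationAdmin' }
    [pscustomobject]@{ Account = 'CONTOSO\jdoe-adm';   Role = 'SQLAdmin' }
    [pscustomobject]@{ Account = 'CONTOSO\jdoe-adm';   Role = 'BackupOperator' }
    [pscustomobject]@{ Account = 'CONTOSO\asmith-adm'; Role = 'SQLAdmin' }
    [pscustomobject]@{ Account = 'CONTOSO\asmith-adm'; Role = 'DomainAdmin' }
)

# Which role each account used, and when (constructed).
$usage = @(
    [pscustomobject]@{ Account = 'CONTOSO\jdoe-adm';   Role = 'WorkstationAdmin'; When = [datetime]'2024-03-01' }
    [pscustomobject]@{ Account = 'CONTOSO\jdoe-adm';   Role = 'WorkstationAdmin'; When = [datetime]'2024-03-15' }
    [pscustomobject]@{ Account = 'CONTOSO\asmith-adm'; Role = 'SQLAdmin';         When = [datetime]'2024-03-10' }
    [pscustomobject]@{ Account = 'CONTOSO\asmith-adm'; Role = 'DomainAdmin';      When = [datetime]'2024-01-05' }  # before the window
)

function Get-PrivilegeUsageReport {
    param(
        [object[]]$Grants,
        [object[]]$Usage,
        [datetime]$Since
    )
    # Set of (account, role) pairs exercised on or after $Since.
    $used = @{}
    foreach ($u in $Usage) {
        if ($u.When -ge $Since) { $used["$($u.Account)|$($u.Role)"] = $true }
    }
    foreach ($g in $Grants) {
        [pscustomobject]@{
            Account = $g.Account
            Role    = $g.Role
            Used    = $used.ContainsKey("$($g.Account)|$($g.Role)")
        }
    }
}

$since  = [datetime]'2024-02-15'   # review window start for the constructed data
$report = Get-PrivilegeUsageReport -Grants $grants -Usage $usage -Since $since

# The gap: grants with no use inside the window are candidates for removal.
$report | Where-Object { -not $_.Used } | Format-Table Account, Role -AutoSize

# Per-account summary of granted versus used.
$report | Group-Object -Property Account | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Name
        Granted = $_.Count
        Used    = @($_.Group | Where-Object { $_.Used }).Count
    }
} | Format-Table -AutoSize
```

With the constructed data, jdoe-adm used one of three roles and asmith-adm used one of two (the DomainAdmin use falls before the window), so three grants are reported as unused. A grant that is genuinely needed but rarely exercised is better converted to just-in-time access than kept standing.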
Identity and access management (IAM) consists of rules and policies that control the who, what, when, where, and how of access to resources. These include password management, multifactor authentication, single sign-on (SSO), and user lifecycle management.
Privileged access management (PAM) refers to the processes and technologies needed to secure privileged accounts. It is a subset of IAM that lets you control and monitor the activity of privileged users (those whose access goes beyond that of standard users) once they have logged into a system.
Robust session management is a PAM security tool that lets you see what privileged users (people in your organization who have root access to systems and devices) are doing once they are logged in. The resulting audit trails alert you to accidental or deliberate misuse of privileged access.
Privileged access management (PAM) can be used to strengthen your organization’s security posture. It lets you control access to your infrastructure and data, configure your systems, and scan for vulnerabilities.
Benefits of a PAM solution include mitigating security risks, reducing operational costs and complexity, enhancing visibility and situational awareness across your organization, and improving your regulatory compliance.
When deciding on a PAM solution for your organization, be sure that it includes multifactor authentication, session management and just-in-time access features, role-based security, real-time notifications, automation, and audit and reporting features.