
ARM Privilege Escalation Management

Hi All,

I've been asked to see if there are MFA options for accessing ARM or an effective privilege management option we could use for accessing ARM. The idea is that we prevent users from using their day-to-day accounts to run ARM, as if the account is compromised it could give an attacker the keys to the kingdom.

I'm aware we can enter credentials for actions, though this would mean having known admin credentials and poses the same issue, or have an admin approve all actions, though this may be restrictive for a number of reasons in a limited 24x7 operation.

We currently use CyberArk for other privileged access (such as the AD Users and Computers snap-in and RDP to servers), as this has separate managed accounts linked to an MFA logon where the passwords for the admin accounts are complex, not known to the user and rotated frequently. We're looking at whether we can run ARM via CyberArk but wondered if there is anything built in or in the pipeline to minimise the risk of using ARM?

Thanks

Kip

  • Hi there,
    The users don't need to use their day-to-day accounts to access ARM. You can access ARM with any AD account configured to access ARM.

    And the users don't need to know any admin account to use ARM. Just store the account credentials for accessing and changing resources in ARM.
    For example, we have restricted the accounts that access and change resources. Our account for getting fs permissions has only RO permissions.
    Or the account for setting fs permissions is a local admin account on the file server. And you may think of using one account per file server.

  • Thanks for the reply, however I think it misses the point. We already use separate scanning/change accounts to perform changes, but I was talking about the accounts users log in to ARM with to action changes.

    If a service desk user logs in to ARM with their AD credentials, and these users have the ability to create and manage user accounts (through the change accounts assigned in ARM), there is a concern that if the user's account is compromised this could give access to ARM to make unauthorised changes. Having MFA would at least add to the protection against privilege escalation through the use of ARM.

    Kip