Further Reading: Privileged Access Management

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 20.

Suggested order

  1. Read Microsoft's Enterprise Access Model / tiering guidance first — it is the clearest articulation of why privileged credentials must not cross tiers, and it underlies the whole chapter (🏗️).
  2. Skim NIST SP 800-53 Access Control (AC) family for the control language auditors and frameworks use (📋📜).
  3. Read CISA's guidance on phishing-resistant MFA and privileged access for the operational priorities (🛡️🏗️).
  4. Keep the MITRE ATT&CK pages for Credential Access and Lateral Movement open as you re-read §19.1 — they name the exact techniques the escalation ladder uses (🛡️).

Standards & primary documents (Tier 1)

  • Microsoft, Securing privileged access and the Enterprise Access Model (formerly the AD tier model). 🏗️📜 The canonical source for tiered administration, privileged access workstations, and the rule that higher-tier credentials never appear on lower tiers. The single most important external reading for §19.4; the figures in this chapter are built on its model.
  • Microsoft, Local Administrator Password Solution (LAPS) documentation. 🏗️ The reference for the cheapest large win in the chapter — unique, rotated local-admin passwords. Read it before you do anything else in a real environment.
  • Microsoft, Privileged Identity Management (PIM) documentation (Microsoft Entra). 🏗️🛡️ The best-known just-in-time implementation: eligibility vs. membership, time-bound activation, approval workflows. Maps directly onto §19.3.
  • NIST SP 800-53 Rev. 5, Security and Privacy Controls — Access Control (AC) family. 📋📜 The authoritative control catalog for least privilege (AC-6), separation of duties (AC-5), and least functionality; the language your auditors and frameworks speak. Pair with §19.1 and the Project Checkpoint.
  • CIS Controls v8 — Control 5 (Account Management) and Control 6 (Access Control Management). 📋📜 Concise and prioritized; they explicitly call out privileged-account management, MFA for admins, and access control. A practical checklist for the chapter's controls.
  • CISA, Phishing-Resistant MFA and related privileged-access advisories. 🛡️🏗️ Government guidance on hardening privileged access and authentication; grounds the JIT-plus-MFA-at-activation argument in current operational priorities.
  • MITRE ATT&CK — tactics TA0006 (Credential Access) and TA0008 (Lateral Movement). 🛡️ The shared language for the escalation ladder: OS Credential Dumping (T1003), Pass-the-Hash (T1550.002), Valid Accounts (T1078). Re-read §19.1 with these open and the abstract ladder becomes concrete tradecraft to detect.

Free online & vendor guidance (Tier 1 / Tier 2)

  • Microsoft, guidance on credential theft, pass-the-hash, and Credential Guard. 🏗️🛡️ Explains the technical mechanics of why a harvested credential is so dangerous and the platform defenses (e.g., isolating LSASS) that complement PAM at the endpoint. (Tier 1 for the product docs; treat specific mitigation efficacy claims as Tier 2 and verify against your own environment.)
  • NIST SP 800-207, Zero Trust Architecture. 🏗️📜 Read the sections on per-session, continuously verified access to see where JIT and least-privilege sessions are heading; this chapter's controls are the privileged-access on-ramp to the zero-trust architecture of Chapter 32.
  • Open-source PAM and secrets projects' documentation (e.g., HashiCorp Vault). 🏗️ Useful to see vaulting, brokering, and dynamic/short-lived credentials implemented concretely — though full coverage of secrets and machine identity is Chapter 20's subject. (Tier 2: read the conceptual docs; do not treat any one vendor's model as the only one.)

Books (Tier 1)

  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Covers privileged access management, JIT, and account management at exam depth; a solid companion for certification candidates working through this chapter.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 The IAM domain treats privileged access, separation of duties, and accountability for shared accounts in depth; use it alongside Part IV.
  • Anderson, R., Security Engineering (3rd ed.). 🏗️ For the deeper "why" — how access-control and privilege failures actually play out in real systems, and the engineering mindset behind layered administrative defenses. Dip into the access-control material.

Tools to explore (in your own lab only)

  • LAPS in a lab domain. 🏗️ Stand up a small Active Directory lab and deploy LAPS; watch a previously shared local-admin password become unique and self-rotating. The most instructive single experiment in this chapter.
  • Entra PIM in a free/developer tenant. 🏗️🛡️ Configure a role as eligible rather than assigned, set an activation window and an approver, and observe the workflow and the logs an activation produces — the raw material for the §19.6 detections.
  • An AD-attack lab range (defensive use only). 🛡️ Safe, intentionally vulnerable lab environments let you observe credential harvesting and lateral movement in telemetry so you can recognize them — then practice writing the detections that catch them.

⚖️ Authorization & Ethics reminder: Several resources here describe credential-theft and lateral-movement techniques, and some lab ranges simulate them. Study them to defend — to recognize the behavior in your logs and to build the controls that break the escalation ladder. Apply these techniques only in environments you own or are explicitly authorized to test (Chapter 39). The same knowledge that protects the keys to the kingdom is, misapplied, a crime.