Key Takeaways: Privileged Access Management

A one-page reference. Reread before an exam or before designing a privileged-access program. Dense by design.

The core vocabulary (memorize cold)

Term | One-line definition | Example (Meridian)
Privileged account | An account that can administer accounts, change security settings, or control infrastructure | Domain admin, root, DBA, backup operator, the PAM admin
Service account | A non-human account running an app/task, often elevated (Ch.20 owns it) | svc-backup nested into Domain Admins
Credential vaulting | Storing privileged secrets in an audited vault and brokering access so humans needn't know a password to use it | Vault injects the domain-admin password; Sam never sees it
Password rotation | Auto-changing credentials on a schedule / after each use to shorten a stolen credential's life | Check-in rotation after every domain-admin session
Just-in-time (JIT) access | Granting privilege only for a bounded window, auto-removed — no standing access by default | Admin is eligible for Domain Admins, activates for 60 min
Tiered administration | Partition admins/systems by sensitivity; higher-tier creds never used on lower tiers | Tier 0 (DCs) / Tier 1 (servers) / Tier 2 (laptops)
Privileged access workstation (PAW) | A dedicated, hardened machine used only for admin — no email, no web | Tier 0 PAW for domain administration
Session recording/monitoring | Tamper-resistant capture of what is done in a privileged session | Keystroke + screen capture of CDE admin sessions
Break-glass account | A highly privileged emergency account, offline + alerting, for when PAM/MFA is down | Two sealed accounts in the data-center safe

The escalation ladder (know it cold)

foothold → local priv-esc → credential harvest → lateral movement → domain admin → domain dominance
   |            |                 |                   |                  |               |
 phished    user is        dump LSASS /        pass-the-hash /     harvested DA     mass ransomware,
 laptop    local admin   harvest logged-on    pass-the-ticket      cred = own AD    delete backups
            (free!)        privileged creds    (replay, no crack)

The asymmetry (Theme 2): attacker needs the chain to complete once; defender breaks it at every rung, assuming earlier rungs failed (Theme 4). PAM = severing this ladder.

The control → rung map (what stops what)

Control | Rung it breaks | How
Remove local-admin from users | 2 (local priv-esc) | Attacker must find an exploit, not inherit admin
LAPS (unique, rotated local-admin pw) | 4 (lateral movement) | Harvested local hash works on one machine, dies in a day
Vaulting + check-in rotation | 3 (harvest) | Credential dead the moment the session ends
JIT + approval | 5 (escalation) | Stolen account is unarmed; activation is noisy + blockable
Tiering + PAWs (enforced) | 3 (harvest) | Privileged cred never exposed on a reachable low-trust host
Session recording / monitoring | 3–6 | Accountability + forensic record; real-time can terminate
Detections (D1–D6) | 3–6 | Out-of-band privileged logon etc. — abuse is loud after PAM
Offline / off-domain backups | 6 (recovery inhibition) | Domain admin can't reach/delete them

Vaulting & rotation

  • Vault = single audited home for privileged secrets; brokers access (use without knowing).
  • Restores individual accountability to shared accounts (who checked it out, when, why).
  • Rotation: scheduled (bounds silent-theft lifetime) and check-in/one-time (gold standard — credential dead at session end).
  • LAPS = the cheapest large win; unique + rotated local-admin passwords kill the shared-local-admin lateral-movement highway.

JIT & approval workflow

  • Eligibility, not membership → time-boxed activation (auto-revoke) → approval (separation of duties) → MFA at activation → ticket binding. Default state of every powerful account: off.
  • Collapses the attack window (e.g., 168 h/week standing → ~3 h/week activated, ≈98% reduction).
  • Decay watch: windows too long + rubber-stamped approvals = "JIT in name only." Track privileged-hours granted/week.
  • JIT = least privilege (Ch.3/17) extended into the time dimension; first step toward zero trust (Ch.32).

Tiering & PAWs

  • Tiers: 0 = control plane (DCs, AD, PAM vault, PKI, IdP); 1 = servers/apps/DBs; 2 = workstations.
  • Rule: higher-tier credential never used on a lower tier. Admins keep two accounts (daily Tier 2 / admin Tier 0).
  • Must be enforced (OS-level logon restrictions / auth policies), not policy-on-a-slide. Alert if a Tier 0 credential appears on Tier 2 (should be impossible).
  • PAW = dedicated, hardened, allowlisted (Ch.11), no email/web — removes malware-delivery surface from where privileged creds are used.

Session recording & detecting abuse

  • Recording serves accountability/deterrence, audit/compliance (PCI/SOX/FFIEC), and forensics (Ch.24). Real-time monitoring can alert on / terminate a dangerous session.
  • Disclose it; scope to privileged sessions; protect the recordings.
  • Privileged activity has a low, predictable baseline → deviations are high-fidelity. The controls create the detections: after PAM, a privileged logon with no vault checkout is anomalous by construction.
  • Break-glass: deliberate, monitored exception — offline/sealed, long/random, alert on every use, tested + rotated. Never a backdoor.
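The "controls create the detections" idea above, plus the Tier 0-on-Tier 2 alert from the tiering section, as an added worked example (not code from the chapter or the bluekit toolkit): it correlates constructed privileged-logon events with constructed vault checkout records. Tier assignments, event fields, the clock-skew allowance and the break-glass naming convention are assumptions.

```python
"""Added example, not the chapter's or bluekit's own code: three PAM-derived
detections run over constructed sample events. Tier map, field layout and the
5-minute clock-skew allowance are assumptions."""
from datetime import datetime, timedelta

# Assumed tier model from the chapter: 0 = control plane, 1 = servers, 2 = workstations.
ACCOUNT_TIER = {"sam-admin0": 0, "sam-admin1": 1, "breakglass-1": 0}
HOST_TIER = {"dc01": 0, "app07": 1, "lt-sam": 2}
CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance between vault clock and logon source

def ts(s):
    return datetime.fromisoformat(s)

# Constructed vault checkout records: (account, checked_out_at, checked_in_at).
CHECKOUTS = [
    ("sam-admin0", ts("2024-06-01T09:00"), ts("2024-06-01T10:00")),
]
# Constructed privileged logon events: (account, host, time).
LOGONS = [
    ("sam-admin0", "dc01", ts("2024-06-01T09:03")),    # inside a checkout, Tier 0 on Tier 0: clean
    ("sam-admin0", "dc01", ts("2024-06-01T13:30")),    # no checkout: anomalous by construction
    ("sam-admin0", "lt-sam", ts("2024-06-01T09:10")),  # Tier 0 credential on a Tier 2 laptop
    ("sam-admin1", "app07", ts("2024-06-01T11:00")),   # no checkout
    ("breakglass-1", "dc01", ts("2024-06-01T02:00")),  # break-glass: alert on every use
]

def has_checkout(account, when, checkouts):
    """True if a logon falls inside one of the account's vault checkouts (with skew allowance)."""
    return any(a == account and out - CLOCK_SKEW <= when <= back + CLOCK_SKEW
               for a, out, back in checkouts)

def detect(logons, checkouts):
    """Return one (rule, account, host) alert per violation, in event order."""
    alerts = []
    for account, host, when in logons:
        if account.startswith("breakglass"):          # sealed account is never a vault checkout
            alerts.append(("BREAK_GLASS_USED", account, host))
            continue
        if ACCOUNT_TIER[account] < HOST_TIER[host]:   # higher-tier cred on lower-tier host
            alerts.append(("TIER_VIOLATION", account, host))
        if not has_checkout(account, when, checkouts):
            alerts.append(("LOGON_WITHOUT_CHECKOUT", account, host))
    return alerts
```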

Certification crosswalk

Concept | CompTIA Security+ | (ISC)² CISSP domain
Privileged accounts, least privilege, PAM | 4.0 Security Operations; 1.0 General Concepts | Identity & Access Management (IAM)
Vaulting, rotation, JIT | 4.0 Security Operations | IAM; Security Operations
Tiered administration / PAW | 3.0 Security Architecture | Security Architecture & Engineering
Separation of duties (JIT approval) | 5.0 Governance, Risk & Compliance | Security & Risk Management
Session recording / monitoring / detection | 4.0 Security Operations | Security Operations
Privilege escalation / lateral movement / pass-the-hash | 2.0 Threats, Vulnerabilities & Mitigations | Security Operations; Comms & Network Security

Project additions this chapter

  • Meridian program: the PAM Standard + the domain-admin lockdown — privileged inventory → vaulting/rotation (LAPS first) → JIT with approvals → tiering + PAWs → session recording → detections → two break-glass accounts.
  • bluekit toolkit: pam.py adds privileged_inventory(accounts) (flags NOT_VAULTED / STANDING_ACCESS / SHARED_NO_RECORDING / STALE_CREDENTIAL) and jit_window(req) (denies un-approved Tier 0/1; clamps to the tier's max minutes).
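An added illustrative re-implementation of the two helpers just named, so the flag logic and the JIT clamp can be read end to end; this is example code, not the project's pam.py. The per-tier minute caps, the 90-day rotation SLA, the record fields and the sample accounts are assumptions (the page gives only the 60-minute Domain Admins activation).

```python
"""Added example, not bluekit's pam.py. Tier caps, rotation SLA, record fields
and the sample inventory are constructed assumptions."""
from datetime import datetime, timedelta, timezone

TIER_MAX_MINUTES = {0: 60, 1: 240, 2: 480}   # assumed per-tier activation caps
STALE_AFTER_DAYS = 90                         # assumed rotation SLA
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory (not real Meridian data).
SAMPLE_ACCOUNTS = [
    {"name": "svc-backup", "vaulted": False, "standing_groups": ["Domain Admins"],
     "shared": True, "session_recording": False, "last_rotated": NOW - timedelta(days=400)},
    {"name": "sam-admin0", "vaulted": True, "standing_groups": [],
     "shared": False, "session_recording": True, "last_rotated": NOW - timedelta(days=1)},
    {"name": "dba-shared", "vaulted": True, "standing_groups": [],
     "shared": True, "session_recording": False, "last_rotated": NOW - timedelta(days=10)},
]

def privileged_inventory(accounts, now=NOW):
    """Map each non-compliant account to the PAM Standard flags it trips."""
    findings = {}
    for acct in accounts:
        flags = []
        if not acct["vaulted"]:
            flags.append("NOT_VAULTED")
        if acct["standing_groups"]:                           # membership, not eligibility
            flags.append("STANDING_ACCESS")
        if acct["shared"] and not acct["session_recording"]:  # shared cred, no accountability
            flags.append("SHARED_NO_RECORDING")
        if now - acct["last_rotated"] > timedelta(days=STALE_AFTER_DAYS):
            flags.append("STALE_CREDENTIAL")
        if flags:
            findings[acct["name"]] = flags
    return findings

def jit_window(req):
    """Decide a JIT activation request: (granted, minutes, reason).

    Tier 0/1 needs an approver other than the requester (separation of duties);
    every grant is clamped to the tier cap so JIT cannot decay into standing access."""
    tier, asked = req["tier"], req["minutes"]
    approver = req.get("approver")
    if tier <= 1 and (approver is None or approver == req["requester"]):
        return (False, 0, "denied: independent approval required for Tier 0/1")
    cap = TIER_MAX_MINUTES[tier]
    if asked > cap:
        return (True, cap, f"granted, clamped from {asked} to {cap} min")
    return (True, asked, "granted")
```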

Common pitfalls

  • Inventorying only the named admins (miss service accounts, backup operators, nested groups, security-tool admins).
  • Relying on strong passwords against pass-the-hash (replay needs no cracking; you need unique-per-machine rotation).
  • "JIT" with 8-hour windows and rubber-stamped approvals (standing access with extra steps).
  • Tiering "on paper" with no OS-level enforcement (violated under pressure).
  • Putting email/web on a PAW (re-introduces the exact attack surface it exists to remove).
  • Treating the break-glass account as exempt from monitoring/rotation (turns the safety valve into a backdoor).
  • Online, domain-reachable backups (domain admin owns them too — a privileged-access problem, not only a backup problem).