CYBER SECURITY GOLD:
Do any of your Service Accounts have "interactive logon" permissions?
IMHO, the single greatest attack surface mitigation you will ever get is to actively manage identity and access management aspects of your SERVICE ACCOUNTS.
Think about the potential... you probably have more non-human service accounts than authorized human accounts in your network... what a treasure trove of potential accounts for an attacker to compromise... not to mention third-party maintenance accounts...
- How often, if ever, do you change the passwords on ALL of your Service Accounts?
- When was the last time you checked that NONE of your Service Accounts have, either in error or by a threat actor in your Enterprise Network, been granted "interactive logon" rights?
Here is a great automated PowerShell way to test for "interactive logon" rights for your service accounts.
Hats off to the great Guy Leech for his scripting skills share...
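
One way to run this kind of check on a single machine, as an added example (this is not Guy Leech's script and not code from this post). It assumes an elevated PowerShell 5+ session on the local host and reports only rights assigned directly to each service account, not rights inherited through group membership.

```powershell
# Added example: audits the local machine only; run from an elevated prompt.
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

# Export the local user-rights assignments to a temporary INF file and parse it.
$inf = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (is the session elevated?)' }
$policy = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        # Entries are "*<SID>" or a plain account name; strip the SID marker.
        $policy[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Skip built-in service identities; keep named local and domain accounts.
$builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
$accounts = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
    Group-Object -Property StartName

foreach ($group in $accounts) {
    $name = $group.Name -replace '^\.\\', "$($env:COMPUTERNAME)\"
    try {
        $sid = [System.Security.Principal.NTAccount]::new($name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $sid = $null }   # unresolvable account: fall back to name matching

    # Match on SID, full name, or short name (comparison is case-insensitive).
    $ids = @($sid, $name, ($name -split '\\')[-1]) | Where-Object { $_ }
    $row = [ordered]@{ Account = $group.Name; Services = $group.Count }
    foreach ($right in $rights) {
        # Direct assignments only: rights inherited through groups are not expanded.
        $row[$right] = [bool]($ids | Where-Object { $policy[$right] -contains $_ })
    }
    [pscustomobject]$row
}
```

A `True` under either of the two allow rights is a finding to investigate; a `True` under the two deny rights is the hardened state for a service account.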