Skip to main content

Skillber v1.0 is here!

Learn more

Privileged Account Types

Checking access...

Privileged accounts come in many forms, each with distinct characteristics, risk profiles, and management requirements. A complete PAM program must identify and manage every type of privileged account across the enterprise — including accounts that may not be immediately obvious as “privileged.”

On-Premises Privileged Accounts

Local Administrator Accounts

Built-in administrator accounts on individual servers, workstations, and network devices.

AccountDefault UsernameDefault PrivilegesRisk Level
Windows Local AdminAdministratorFull control over local machineHigh
Linux Rootroot (UID 0)Full control over Linux systemVery High
macOS RootrootFull control over macOS systemHigh
Network Device Adminadmin, cisco, enableFull device configuration accessVery High

Key risks: Shared default passwords across machines, credential reuse, static passwords rarely rotated, difficult to attribute actions to individuals.

Management approach: Use Local Administrator Password Solution (LAPs) or similar to automatically manage unique passwords per machine.

Domain Administrator Accounts

Active Directory domain accounts with elevated privileges across the domain or forest.

TypeScopeTypical CountRisk if Compromised
Domain AdminSingle AD domain5-20 per domainFull control over all domain-joined systems
Enterprise AdminEntire AD forest2-10 per forestFull control over all domains in forest
Schema AdminAD schema1-5 per forestCan modify AD schema (irreversible changes)
Built-in Admin (Administrator)Domain1 per domainDefault domain admin account (often overused)

Key risks: Standing admin rights, over-provisioned (many users who don’t need daily admin access), infrequent rotation, hardcoded in scripts and scheduled tasks.

Service Accounts

Service accounts are non-human identities used by applications, services, and automated processes. They are the most frequently overlooked privileged account category.

TypeDescriptionPrivilege LevelPrevalence
Windows Service AccountRuns Windows services, scheduled tasksVaries (often LOCAL_SYSTEM or NETWORK_SERVICE)Very High
Managed Service Account (MSA)AD-managed service account with automatic password managementDomain-joined serviceMedium
Group MSA (gMSA)MSA shared across multiple serversDomain-joined serviceIncreasing
Linux Daemon AccountRuns background services (nginx, mysql, postgres)Application-specificVery High
Database Service AccountRuns database engine, replicationHigh (direct data access)High

Key risks: Service accounts often have standing admin rights, passwords never expire (set to “password never expires”), orphaned when applications are decommissioned, no individual accountability (shared credentials).

Caution

Service accounts typically outnumber user accounts by 3:1 in large enterprises. They represent the largest blind spot in most PAM programs. If you have not conducted a service account discovery in the last 12 months, start there.

Managed vs Unmanaged Service Accounts

PropertyTraditional Service AccountgMSA (Group Managed Service Account)
Password managementManual (often never rotated)Automatic (AD-managed, rotated regularly)
SPN managementManualAutomatic
Multi-server supportManual configurationNative (gMSA can be used on multiple servers)
DelegationManual configurationAutomatic (supported by AD)
Script/stored credential riskHigh — password often in scriptsNone — password not exposed
Recommended?LegacyYes

Application-to-Application (A2A) Accounts

A2A accounts are used for machine-to-machine authentication between applications, APIs, and microservices.

TypeDescriptionAuthentication Method
API KeysStatic tokens passed in API headersHMAC, bearer token
OAuth Client CredentialsOAuth 2.0 client_id + client_secretJWT assertion, client secret
Service PrincipalsCloud identity for applicationsCertificate, password
Mutual TLS CertificatesX.509 certificates for mTLSCertificate-based
Database Connection StringsEmbedded credentials for DB accessUsername/password in connection string

Key risks: Hardcoded credentials in configuration files, no audit trail (who used the API key?), difficult to rotate without downtime, exposed in source code repositories and CI/CD pipelines.

SSH Keys

SSH keys provide passwordless authentication to Unix/Linux systems. They are widely used for automation, system administration, and file transfers — and equally widely mismanaged.

SSH Key TypeTypical UseCommon Issues
User SSH KeysIndividual admin access to Linux serversNo centralised management, keys persist after employee departure
Host SSH KeysServer identity verification (known_hosts)Rarely managed, host key rotation during DR is complex
Automation SSH KeysUsed by scripts, Ansible, Jenkins, backup toolsKeys stored in scripts, config files, CI/CD variables
Root SSH KeysPasswordless root accessExtreme risk — root key compromise = full system compromise

Tip

Treat SSH keys as privileged passwords. Implement SSH key management with: centralised key storage, automatic key rotation, key usage monitoring, and removal of keys from user home directories. Target 100% discovery and management of all SSH keys in the enterprise.

Cloud Privileged Accounts

Cloud IAM Roles

Cloud ProviderPrivileged RolePermissionsRisk
AWSAdministratorAccessFull access to all AWS resourcesCritical
AWSPowerUserAccessFull access except IAMVery High
AzureGlobal AdministratorFull access to all Azure AD and management featuresCritical
AzurePrivileged Role AdministratorManage Azure AD rolesVery High
GCProles/ownerFull resource access + IAM managementCritical
GCProles/editorFull resource access (except IAM)Very High

Cloud-Specific Privileged Account Types

Account TypeDescriptionManagement Challenge
Cloud Console Root UserAWS account root, Azure tenant root, GCP super adminExtreme sensitivity — shared email/password
Cloud Service PrincipalsAzure AD app registrations and service principalsProliferation — every app creates multiple principals
AWS IAM RolesAssumed roles with temporary credentialsComplex permission boundaries and trust policies
GCP Service AccountsGCP-specific service identitiesLarge numbers — enterprises often have 1000s
Cloud API KeysGoogle API keys, Azure subscription keysExposed in mobile apps, web clients

Emergency / Break-Glass Accounts

Accounts created specifically for emergency access when normal PAM systems are unavailable.

TypeCharacteristicsManagement Requirements
Firecall / Break-GlassEnabled only during emergenciesOffline storage, dual custody, tamper-evident packaging
Local Admin BypassLocal accounts with privilegesUnique credentials per system, emergency-only use
Disaster Recovery AccountsPre-created for DR scenariosStored securely, tested during DR exercises
Console AccessDirect console (out-of-band) accessRequires physical access, limited to authorised personnel

Danger

Break-glass accounts are a necessary evil. Each one is a standing privileged account that bypasses normal controls. They must be: (1) physically secured, (2) logged every time they are accessed, (3) automatically rotated after use, and (4) audited monthly even if unused.

Privileged Account Discovery

Discovery MethodWhat It FindsFrequency
Active Directory scanDomain admin groups, privileged AD users, service accountsWeekly
Local system scanLocal admin group members, SUID binaries, sudoersMonthly
Network scan + brute forceDefault credentials, shared local accountsQuarterly
Cloud API enumerationIAM roles, service principals, admin usersWeekly
SSH key scanAuthorized_keys files, known_hosts filesMonthly
Configuration managementHardcoded credentials in config files, scripts, CI/CDContinuous

Key Takeaways

  • Privileged accounts span on-premises (local/domain admin), service accounts, A2A, SSH keys, cloud IAM roles, and emergency accounts — each requires specific management approaches
  • Service accounts outnumber user accounts 3:1 and are the most overlooked privileged account category — conduct service account discovery at least annually
  • SSH keys are effectively privileged passwords and require centralised management including rotation, monitoring, and removal from user home directories
  • Cloud privileged accounts include IAM roles (Owner/Global Admin), service principals, and API keys — cloud complexity makes discovery and management more challenging than on-premises
  • Break-glass accounts are standing privileges that bypass normal controls — they must be physically secured, logged, rotated after use, and audited monthly
  • Continuous privileged account discovery is essential — use multiple methods (AD scan, local scan, cloud API enumeration, SSH key scan) to achieve comprehensive coverage