CRITICAL
Domain Administrator
Full control over Active Directory. Single compromise can cascade to entire enterprise.
HIGH
Local Administrator
Per-device admin rights enabling lateral movement across endpoints in the estate.
HIGH
Service Accounts
Non-human accounts running workloads; often overprivileged and with static passwords.
ELEVATED
Application Accounts
Embedded credentials in apps and config files; often hardcoded and never rotated.
CRITICAL
Break-Glass Accounts
Emergency accounts that bypass all normal controls. Require extreme oversight.
HIGH
SSH Keys
Asymmetric key pairs for Unix/Linux access. Often unaudited and widely distributed.
HIGH
API Tokens
Machine-to-machine auth credentials. Frequently leaked in code repos and logs.
HIGH
Cloud IAM Roles
Identity fabric of public cloud. Misconfigurations expose entire cloud environments.
Why Privileged Account Management Matters
74%
of data breaches involve privileged credential abuse according to Verizon DBIR
3× more
costly than average breaches when privileged accounts are involved
10:1
ratio of privileged accounts to human employees in a typical enterprise
Critical
Risk Profile
Kingdom-level access. Compromise grants control over all objects in the AD domain: users, computers, GPOs, DNS, and trusts.
Domain trust escalation. Cross-domain and cross-forest trusts mean a single domain compromise can laterally expand to trusted domains.
Primary ransomware target. Attackers prioritize DA accounts to deploy GPO-based ransomware to all joined systems simultaneously.
Pass-the-Hash / Pass-the-Ticket. Credential hashes extracted from LSASS memory allow adversaries to impersonate DA without knowing plaintext passwords.
Common Misconfigurations
01. Non-expiring passwords set on DA accounts, defeating regular rotation policies
02. DA accounts used for interactive desktop logins, exposing credentials in LSASS
03. Overprovisioned "DA by default" memberships for IT staff who only need helpdesk rights
04. Shared domain admin accounts with no individual accountability or audit trail
05. DA accounts with SPN registrations, making them targets for Kerberoasting attacks
How Delinea Manages Domain Administrator Accounts
01 / DISCOVER
AD Discovery & Enumeration
Delinea Secret Server and Privilege Manager connect to Active Directory via LDAP to automatically enumerate Domain Admin group members, privileged OUs, and nested group memberships.
Scans Domain Admins, Schema Admins, Enterprise Admins groups
Detects stale, disabled, and orphaned privileged accounts
Maps cross-domain trust relationships
02 / VAULT
Credential Vaulting & Rotation
DA credentials are stored in Secret Server's encrypted vault with RBAC-governed access. Automatic password rotation ensures credentials are changed after every checkout, eliminating shared knowledge.
AES-256 encrypted vault with HSM integration
Configurable rotation schedules (daily/post-checkout)
Just-In-Time privilege elevation for temporary DA access
03 / MANAGE
Session Management & Audit
All DA sessions are proxied through Delinea's session recording engine, capturing keystrokes and video. Real-time alerts fire on anomalous DA behavior such as unauthorized GPO modifications.
Full session recording with searchable transcripts
Workflow-based approval for DA checkout requests
SIEM integration for real-time DA activity alerting
Knowledge Check: Domain Administrator
Which attack technique allows an adversary to impersonate a Domain Admin without knowing the plaintext password?
Pass-the-Hash leverages NTLM hashes extracted from LSASS memory. With the hash, an attacker authenticates without ever cracking the password. Delinea mitigates this by rotating passwords after every checkout, making captured hashes instantly stale.
High
Risk Profile
Lateral movement highway. Identical local admin passwords across machines means one compromised endpoint unlocks hundreds of others via the same credential.
Security tool bypass. Local admin can disable EDR agents, clear event logs, and modify firewall rules to conceal attacker activity.
Data exfiltration staging. Full filesystem access enables attackers to stage and encrypt data before exfiltration or ransomware detonation.
Common Misconfigurations
01. Uniform local admin password across all endpoints (the "golden image" password problem)
02. Built-in Administrator account (RID 500) left enabled and undiscovered
03. End users placed in local Administrators group for "convenience" by helpdesk
04. Local admin accounts not included in PAM scope because they are considered "low risk"
How Delinea Manages Local Administrator Accounts
01 / DISCOVER
Endpoint Discovery
Privilege Manager deploys lightweight agents to Windows, macOS, and Linux endpoints. Discovery scans enumerate every local account, group membership, and privilege assignment across the entire estate.
Agentless and agent-based discovery options
Detects hidden RID-500 and renamed built-in accounts
Identifies standard user accounts in Administrators group
02 / VAULT & ROTATE
LAPS-style Unique Passwords
Delinea replaces Microsoft LAPS with a centralized, enterprise-grade solution. Each endpoint receives a unique, randomly generated local admin password stored and rotated from Secret Server.
Per-machine unique passwords, eliminating lateral movement risk
Scheduled and on-demand rotation policies
Automatic rotation after any checkout
03 / LEAST PRIVILEGE
Privilege Manager Policy Engine
Remove standing local admin rights entirely. Delinea Privilege Manager's application policy engine elevates specific applications on-demand using Just-In-Time privilege, keeping end users as standard users.
Application allowlisting with contextual elevation
Self-service elevation with justification workflow
Real-time application reputation scoring
Knowledge Check: Local Administrator
What is the primary security risk when all endpoints share the same local administrator password?
Uniform local admin passwords enable "pass-the-hash lateral movement": once an attacker has the hash from one machine, they can authenticate to all other machines sharing that password. Delinea eliminates this by enforcing unique per-machine passwords stored in the vault.
High
Risk Profile
Static passwords never rotated. Service account passwords are frequently set once during deployment and never changed for fear of breaking dependent services.
Privilege creep. Service accounts accumulate excess rights over time through "it just needs Domain Admin to work" provisioning shortcuts.
Kerberoasting target. Service accounts with SPNs registered in AD are prime targets: attackers request their TGS tickets and crack them offline.
Common Misconfigurations
01. Passwords set with "Never Expire" AD flag and not rotated for years
02. Service accounts granted Domain Admin rights when only specific ACLs are needed
03. Multiple services sharing one service account credential, complicating rotation
04. Service account credentials stored in plaintext in config files on servers
05. Interactive logon rights granted to service accounts, enabling human use
How Delinea Manages Service Accounts
01 / DISCOVER
Dependency Mapping
Secret Server Discovery scans Active Directory and target systems to enumerate service accounts, map their dependencies (which services use which accounts), and identify SPNs registered for Kerberoasting exposure.
Windows Services, Scheduled Tasks, IIS AppPools, COM+ scanned
Dependency maps prevent rotation breakage
SPN inventory for Kerberoasting risk assessment
02 / VAULT & ROTATE
Safe Automated Rotation
Secret Server rotates service account passwords while simultaneously updating all dependent Windows Services, Scheduled Tasks, and IIS AppPools, preventing the service disruption that historically blocked rotation.
Pre-rotation dependency check and validation
Simultaneous rotation across all dependent services
gMSA integration for automatic Windows credential management
03 / GOVERN
Lifecycle & Right-Sizing
Delinea's governance workflows enforce least-privilege provisioning for new service accounts and track entitlement reviews. Accounts with no recent activity are flagged for retirement.
Access certification campaigns for service account rights
Stale account detection and automated disable workflows
Least-privilege recommendations based on actual usage
Knowledge Check: Service Accounts
What makes Kerberoasting particularly effective against service accounts in Active Directory?
Kerberoasting works because any domain user can request a Kerberos service ticket (TGS) for any account with an SPN. The ticket is encrypted with the service account's password hash, which the attacker can take offline and crack. Delinea enforces strong, regularly rotated passwords making offline cracking computationally infeasible.
Elevated
Risk Profile
Hardcoded secrets in source code. Credentials committed to Git repos are permanently exposed in history (even after removal) and frequently leaked via public repositories.
Config file exposure. Plaintext credentials in app.config, web.config, .env, and properties files are readable by any user with filesystem access.
No rotation capability. Hardcoded credentials cannot be rotated without a code change and redeployment, often taking weeks via change management.
Common Misconfigurations
01. Database connection strings with plaintext credentials committed to version control
02. Application accounts granted DBA-level DB access when read-only is sufficient
03. Shared application credentials used across dev, test, and production environments
04. CI/CD pipeline secrets stored in plaintext environment variables or pipeline logs
How Delinea Manages Application Accounts
01 / DISCOVER
Secrets Scanning
Delinea integrates with code repositories and CI/CD pipelines to scan for hardcoded credentials, API keys, and connection strings. Discovery agents scan filesystem paths for plaintext credential patterns.
Git, GitLab, Bitbucket secrets scanning integration
Filesystem regex scans for credential patterns
Pre-commit hooks to block credential checkins
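The regex-based filesystem scan and pre-commit check described in this step, as an added Python example written for this page (it is not Delinea's scanner). The web.config and .env contents, and every credential-looking value inside them, are constructed; the AKIA and ghp_ prefixes are the publicly documented token formats of AWS and GitHub.

```python
import re
from dataclasses import dataclass

# Credential patterns. The AWS (AKIA...) and GitHub (ghp_...) prefixes are the public token
# formats those platforms document; the remaining patterns are heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Password=... inside a connection string; the value runs to the next ';' or whitespace.
    "connection_string_password": re.compile(r"(?i)(?:password|pwd)\s*=\s*([^;\s\"']+)"),
    # password = "literal" / api_key: 'literal' assignments in code and config files.
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}
# Indirections and placeholders, not secrets: ${VAR}, $VAR, %VAR%, <fill-me>, {{ var }}, changeme.
PLACEHOLDER = re.compile(
    r"^(?:\$\{[^}]*\}|\$[A-Z_][A-Z0-9_]*|%[A-Z_]+%|<[^>]*>|\{\{.*\}\}|changeme|x{3,})$", re.I)

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # scan output must not itself leak the secret

def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can recognise the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; findings come back in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if PLACEHOLDER.match(value):
                    continue  # ${DB_PASSWORD} style injection is the state we want to reach
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings

def precommit_clean(staged: dict) -> bool:
    """Pre-commit hook verdict over {path: contents}: True means nothing blocks the commit."""
    return not any(scan_text(path, text) for path, text in staged.items())

# Constructed sample files; the credential-looking values are made up but in the right format.
SAMPLE_WEB_CONFIG = """\
<connectionStrings>
  <add name="Orders" connectionString="Server=db01;Database=orders;User Id=app;Password=Hunter2Hunter2;" />
  <add name="Audit" connectionString="Server=db02;Database=audit;User Id=app;Password=${AUDIT_DB_PASSWORD};" />
</connectionStrings>
<appSettings>
  <add key="AwsAccessKeyId" value="AKIATESTKEY000000001" />
</appSettings>
"""
SAMPLE_DOTENV = """\
DB_HOST=db01.internal
DB_PASSWORD="<your-password-here>"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""
```

The Audit connection string and the DB_PASSWORD placeholder are deliberately not reported: they already reference a secret held elsewhere, which is the end state the vaulting step below aims for.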
02 / VAULT
Application Secret Injection
Replace hardcoded credentials with Secret Server API calls. Applications retrieve credentials at runtime via SDK or REST API, receiving dynamic, short-lived secrets instead of static passwords.
.NET, Java, Python, Node.js SDK integrations
REST API with OAuth 2.0 machine authentication
Kubernetes secrets injection via CSI driver
03 / MANAGE
Dynamic Secrets & Rotation
Delinea enables ephemeral credentials for applications: each request returns a freshly generated credential with a time-bound TTL. Database accounts are auto-created and destroyed per session.
Ephemeral database accounts with automatic cleanup
TTL-based credential expiry (minutes to hours)
Zero standing access model for application secrets
Knowledge Check: Application Accounts
Why does removing a hardcoded password from a Git commit NOT fully remediate the exposure?
Git's immutable history means deleted content is still present in earlier commits. Anyone with clone access can check out the old commit and read the credential. True remediation requires git filter-branch or BFG Repo-Cleaner to rewrite history AND immediate credential rotation, which Delinea's automated rotation capabilities enable.
Critical
Risk Profile
Bypass by design. Break-glass accounts must bypass MFA, conditional access, and RBAC to be useful in emergencies; these are the very controls that prevent misuse.
Credential sharing. Typically known by multiple senior staff, creating accountability gaps and difficulty determining who used the account when.
Misuse goes undetected. With no normal monitoring controls in place, unauthorized use of break-glass accounts is frequently not detected until long after the fact.
Common Misconfigurations
01. Credentials stored in email, shared drives, or physical envelopes with no access logging
02. No mandatory rotation after break-glass use; the same credentials persist indefinitely
03. Break-glass accounts used for routine maintenance to "avoid the approval process"
04. No alerting when break-glass credentials are accessed or used
How Delinea Manages Break-Glass Accounts
01 / VAULT
Sealed Vault with Dual Control
Break-glass credentials are stored in dedicated Secret Server folders with dual-control checkout requirements. Two authorized individuals must simultaneously approve access, preventing single-person misuse.
Dual-control checkout (two approvers required)
Time-limited access windows (1 to 4 hours)
Immediate alert to CISO/SOC on any checkout attempt
02 / MONITOR
Real-Time Break-Glass Alerting
Any access to or use of break-glass accounts triggers immediate multi-channel alerts. Session recording captures every action taken during the emergency window with full keystroke logging.
SMS, email, and Slack/Teams alerts on access
Full session video and keystroke recording
Immutable audit log forwarded to SIEM
03 / ROTATE
Mandatory Post-Use Rotation
Secret Server automatically rotates break-glass credentials immediately after the session window closes or checkout is returned. The previous credential is rendered permanently unusable.
Automatic rotation triggered on session end
Post-incident review workflow with mandatory sign-off
Compliance report generated for every break-glass event
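The dual-control checkout, time-limited window and post-use rotation described in steps 01 to 03, as an added Python example written for this page (a minimal model, not Delinea's implementation). The account name, the approver and requester names and the 2024 timestamps in the walkthrough are constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED_APPROVERS = 2                                            # dual control: two distinct people
MIN_WINDOW, MAX_WINDOW = timedelta(hours=1), timedelta(hours=4)   # the 1 to 4 hour windows above

@dataclass
class BreakGlassSecret:
    name: str
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    generation: int = 0
    approvals: set = field(default_factory=set)
    checked_out_until: datetime = None
    audit: list = field(default_factory=list)   # (timestamp, actor, event) tuples for the SIEM

    def _log(self, now: datetime, actor: str, event: str) -> None:
        self.audit.append((now.isoformat(), actor, event))

    def approve(self, approver: str, requester: str, now: datetime) -> bool:
        """Record one approval; returns True once dual control is satisfied."""
        if approver == requester:
            self._log(now, approver, "rejected: requester cannot approve own request")
            return False
        self.approvals.add(approver)   # a set: the same person approving twice still counts once
        self._log(now, approver, "approved")
        return len(self.approvals) >= REQUIRED_APPROVERS

    def checkout(self, requester: str, window: timedelta, now: datetime) -> str:
        if len(self.approvals) < REQUIRED_APPROVERS:
            raise PermissionError("dual control not satisfied")
        if not MIN_WINDOW <= window <= MAX_WINDOW:
            raise ValueError("window must be between 1 and 4 hours")
        self.checked_out_until = now + window
        self._log(now, requester, f"checked out until {self.checked_out_until.isoformat()}")
        return self.password

    def release(self, now: datetime, reason: str = "checked in") -> None:
        """Rotate on check-in or expiry so the credential that left the vault is never valid again."""
        self.password = secrets.token_urlsafe(24)
        self.generation += 1
        self.approvals.clear()
        self.checked_out_until = None
        self._log(now, "system", f"rotated: {reason}")

    def expire_if_due(self, now: datetime) -> bool:
        if self.checked_out_until is not None and now >= self.checked_out_until:
            self.release(now, "window expired")
            return True
        return False

def walkthrough() -> dict:
    """Constructed scenario: bob requests, alice and carol approve, the window lapses, rotation fires."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    bg = BreakGlassSecret("emergency-global-admin")
    steps = [bg.approve("bob", "bob", t0),                              # self-approval rejected
             bg.approve("alice", "bob", t0 + timedelta(minutes=1)),
             bg.approve("alice", "bob", t0 + timedelta(minutes=2)),     # duplicate approver
             bg.approve("carol", "bob", t0 + timedelta(minutes=3))]     # second distinct approver
    issued = bg.checkout("bob", timedelta(hours=2), t0 + timedelta(minutes=4))
    expired_early = bg.expire_if_due(t0 + timedelta(hours=1))
    expired = bg.expire_if_due(t0 + timedelta(hours=2, minutes=4))
    return {"steps": steps, "issued": issued, "expired_early": expired_early, "expired": expired,
            "current": bg.password, "generation": bg.generation, "events": len(bg.audit)}
```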
Knowledge Check: Break-Glass Accounts
What security control does Delinea recommend to prevent a single disgruntled employee from misusing a break-glass account?
Dual-control (sometimes called "two-man rule") ensures no single individual can access the break-glass credential alone. Both approvers are alerted and their approval actions are logged, creating full accountability. Delinea Secret Server implements this natively as part of its checkout workflow engine.
High
Risk Profile
Uncontrolled proliferation. The authorized_keys files on servers contain dozens of public keys (many from former employees, contractors, and decommissioned systems), creating persistent backdoors.
Private key theft. Private keys stored on developer laptops, USB drives, or in home directories are stolen via malware or physical access, silently granting root access.
No rotation mechanism. Unlike passwords, SSH keys have no native expiry or rotation mechanism: once issued, they provide access indefinitely unless manually revoked.
Common Misconfigurations
01. No passphrase on private key files: a stolen key means immediate root access
02. authorized_keys files contain keys for accounts that no longer exist in the organization
03. Root login via SSH enabled with public key authentication, bypassing su/sudo audit trails
04. Weak 1024-bit RSA keys still in use, vulnerable to factoring attacks
05. Key pairs shared among multiple users, so no individual accountability
How Delinea Manages SSH Keys
01 / DISCOVER
SSH Key Inventory
Delinea Discovery scans target Unix/Linux servers to enumerate all authorized_keys files, identify public keys deployed across the estate, and map which private keys correspond to which server access.
Scans all user home directories for authorized_keys
Identifies orphaned keys with no matching user account
Detects weak key algorithms and bit lengths
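The inventory checks listed in this step (weak RSA bit lengths, deprecated algorithms, orphaned keys), as an added Python example that is not Delinea's code: it parses authorized_keys entries down to the SSH wire format so the RSA modulus size is read from the key itself rather than trusted from a comment. The sample file, the synthetic key blobs and the set of active users are constructed.

```python
import base64
import struct
MIN_RSA_BITS = 2048
DEPRECATED_TYPES = {"ssh-dss"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# SSH wire-format helpers (RFC 4251 "string" and "mpint" encodings).
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data
def ssh_mpint(n: int) -> bytes:
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive
def read_string(buf: bytes, off: int) -> tuple:
    (length,) = struct.unpack_from(">I", buf, off)
    if off + 4 + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + length], off + 4 + length

def parse_blob(blob: bytes) -> tuple:
    """Return (key type, RSA modulus bits or None) from a base64-decoded public key blob."""
    ktype, off = read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = read_string(blob, off)   # public exponent
        n, off = read_string(blob, off)    # modulus: its bit length is the key size
        return "ssh-rsa", int.from_bytes(n, "big").bit_length()
    return ktype.decode(), None

def audit_authorized_keys(text: str, active_users: set) -> list:
    """One report dict per key line; 'issues' lists weak, deprecated, malformed or orphaned findings."""
    reports = []
    for line_no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Leading options (no-pty, from=..., ...) are skipped by locating the key-type token.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        rep = {"line": line_no, "type": None, "bits": None, "comment": "", "issues": []}
        reports.append(rep)
        if idx is None or idx + 1 >= len(tokens):
            rep["issues"].append("malformed line")
            continue
        rep["comment"] = " ".join(tokens[idx + 2:])
        try:
            rep["type"], rep["bits"] = parse_blob(base64.b64decode(tokens[idx + 1], validate=True))
        except (ValueError, struct.error) as exc:   # binascii.Error is a ValueError
            rep["issues"].append(f"bad blob: {exc}")
            continue
        if rep["type"] in DEPRECATED_TYPES:
            rep["issues"].append("deprecated algorithm")
        if rep["type"] == "ssh-rsa" and rep["bits"] < MIN_RSA_BITS:
            rep["issues"].append(f"weak RSA key: {rep['bits']} bits")
        if rep["comment"].split("@")[0] not in active_users:  # owner is taken from the key comment
            rep["issues"].append("no matching active user (orphaned?)")
    return reports

def make_rsa_line(modulus_bits: int, comment: str) -> str:
    n = (1 << (modulus_bits - 1)) | 0x10001   # synthetic modulus: right format, not a usable key
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)  # constructed, not a real key
SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample file
    make_rsa_line(1024, "jdoe@laptop"),
    make_rsa_line(4096, "asmith@build01"),
    "no-pty,no-agent-forwarding ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + " contractor@old-vendor",
])
ACTIVE_USERS = {"asmith"}  # constructed HR directory: jdoe and the contractor have left
```

The owner is inferred from the key comment, which is only a convention; a real inventory should also correlate the key fingerprint with the vault's records, since comments can be edited or missing.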
02 / VAULT
Private Key Vaulting
Private keys are imported into Secret Server's encrypted vault. Users never directly possess private key files β instead they connect through Delinea's SSH proxy which injects the key transparently for the session duration.
Encrypted private key storage in Secret Server
Session-based key injection; the user never sees the private key
Ephemeral SSH certificate issuance via CA integration
03 / ROTATE & REVOKE
Key Lifecycle Management
Delinea automates SSH key rotation by generating new key pairs, deploying the new public key to authorized_keys, and retiring the old key in a single operation. Instant revocation removes terminated employee access immediately.
Automated key pair regeneration and deployment
Immediate revocation on user termination workflow
Certificate Authority model for short-lived SSH certificates
Knowledge Check: SSH Keys
What is the primary advantage of Delinea's SSH proxy-based approach over traditional SSH key management?
When users connect through Delinea's SSH proxy, the private key never touches their endpoint. The proxy authenticates on behalf of the user using the vaulted key. This means a stolen laptop or infected workstation cannot yield a usable private key, eliminating the most common SSH key compromise vector.
High
Risk Profile
GitHub / public repo leakage. API tokens accidentally committed to public repositories are harvested by automated scanners within minutes of exposure.
Non-expiring tokens. Many platforms issue tokens with no expiry by default. Once issued, they silently authorize actions indefinitely, often outliving the developer who created them.
Over-scoped permissions. Developers request maximum API scopes to avoid repeated permission requests, creating tokens with far broader access than needed for the specific integration.
Common Misconfigurations
01. API tokens stored in .env files committed to version control or shared in Slack/email
02. Personal developer tokens used in production systems, tied to individual accounts
03. No token inventory: security teams cannot enumerate what tokens exist or who owns them
04. Tokens with admin/write scopes used for read-only integrations
How Delinea Manages API Tokens
01 / DISCOVER
Token Discovery & Classification
Delinea scans CI/CD pipelines, code repositories, configuration management systems, and secret scanning integrations to build a comprehensive inventory of all API tokens across the enterprise.
Regex-based token pattern detection across systems
GitHub Advanced Security and GitLab integration
Scope analysis that identifies overprivileged tokens
02 / VAULT
Centralized Token Storage
API tokens are vaulted in Secret Server with platform-specific templates for AWS, Azure, GitHub, Salesforce, ServiceNow, and hundreds of other platforms. Metadata tracking includes owner, scope, creation date, and last use.
Platform templates for 200+ SaaS integrations
Token ownership and expiry tracking
Secret Server REST API for application retrieval
03 / GOVERN
Token Lifecycle & Rotation
Automated workflows generate new tokens via platform APIs, update dependent systems, and revoke old tokens, completing the rotation cycle without manual steps. Expiry alerts prevent token blindness.
Automated rotation via platform OAuth flows
Expiry alerting 30/7/1 days before expiration
Immediate revocation workflow on employee departure
Knowledge Check: API Tokens
A developer leaves the company. Their personal GitHub token was used in a production CI/CD pipeline. What is the immediate risk?
Personal tokens do not automatically expire when an employee departs; they persist until explicitly revoked by the token owner (who no longer works there) or an admin. This is why Delinea's token inventory with ownership tracking is critical: security teams can identify all tokens owned by departing employees and revoke them as part of the offboarding workflow.
High
Risk Profile
Blast radius at cloud scale. An overprivileged IAM role with AdministratorAccess in AWS can exfiltrate all S3 data, spin up crypto-mining infrastructure, and destroy all resources in the account.
Privilege escalation paths. IAM misconfigurations create chains (e.g., iam:PassRole + ec2:RunInstances) that allow users to elevate to admin without directly holding admin permissions.
Multi-cloud complexity. Enterprises running AWS, Azure, and GCP simultaneously have three separate IAM models with different concepts, controls, and audit capabilities to manage.
Common Misconfigurations
01. AWS IAM users with long-lived access key pairs never rotated (AKID/SAK pairs)
02. EC2 instance profiles with AdministratorAccess attached "temporarily" and forgotten
03. Azure Service Principals with Contributor role at subscription scope, an excessive blast radius
04. Cross-account role trust policies with wildcard principal (* trust), allowing any account to assume the role
05. No SCPs or Permission Boundaries limiting what even privileged roles can do
How Delinea Manages Cloud IAM Roles & Identities
01 / DISCOVER
Cloud IAM Discovery
Delinea Cloud Suite connects to AWS, Azure, and GCP APIs to enumerate all IAM users, roles, service principals, and managed identities. It maps permissions, trust relationships, and identifies privilege escalation paths.
AWS IAM, Azure AD, GCP IAM simultaneous discovery
Privilege escalation path analysis (PassRole chains etc.)
Access key age and usage tracking
02 / VAULT
Cloud Credential Management
AWS IAM access keys and Azure Service Principal secrets are vaulted in Secret Server with automated rotation. Delinea integrates with AWS STS to issue short-lived, role-assumed credentials instead of long-lived access keys.
IAM Access Key rotation with dependent system updates
AWS STS role assumption for ephemeral credentials
Azure Managed Identity integration for keyless auth
03 / GOVERN
Just-In-Time Cloud Access
Delinea Cloud Suite enables Just-In-Time provisioning for cloud admin access: users request a specific IAM role for a defined time window, the role is granted, the session is recorded, and privileges are revoked automatically.
JIT role assignment with time-bounded TTL
AWS CloudTrail + Azure Monitor integration for session context
Zero standing privileges model for cloud admin roles
Knowledge Check: Cloud IAM
An AWS user has iam:PassRole and ec2:RunInstances permissions but NOT iam:CreateRole. Why is this still a privilege escalation risk?
This is a classic IAM privilege escalation chain. iam:PassRole allows the user to attach any existing IAM role to an EC2 instance. By running an instance with an AdministratorAccess instance profile, the user can then query the IMDS (169.254.169.254) to retrieve temporary admin credentials. Delinea's IAM analysis engine detects these multi-step escalation paths that simple permission audits miss.
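The PassRole + RunInstances chain from this answer, the wildcard trust policy and the missing permissions boundary from the misconfiguration list above, as an added Python example written for this page (not Delinea's IAM analysis engine). The three policy documents are constructed; the check ignores Resource and Condition elements, so it over-reports rather than under-reports.

```python
import json
from fnmatch import fnmatchcase

# The escalation chain the page describes: pass an existing privileged role to a new EC2 instance.
ESCALATION_CHAINS = {"passrole-to-ec2": ("iam:PassRole", "ec2:RunInstances")}

def _as_list(value) -> list:
    # IAM accepts a single string or a list for Statement, Action and Principal.AWS.
    return [] if value is None else value if isinstance(value, list) else [value]

def action_matches(pattern: str, action: str) -> bool:
    # Action names are matched case-insensitively; "*" and "?" are the only wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy: dict, action: str) -> bool:
    """Decision for one action within one policy: some Allow must match and no Deny may match.
    Resource and Condition are ignored, so a hit is conservative (a PassRole scoped to one
    harmless role ARN would still be flagged), and NotAction statements are not handled."""
    allowed = denied = False
    for st in _as_list(policy.get("Statement")):
        if any(action_matches(p, action) for p in _as_list(st.get("Action"))):
            allowed |= st.get("Effect") == "Allow"
            denied |= st.get("Effect") == "Deny"
    return allowed and not denied

def effective_allow(action: str, identity_policy: dict, boundary: dict = None) -> bool:
    """A permissions boundary or SCP only narrows: the identity policy AND the boundary must allow."""
    return is_allowed(identity_policy, action) and (boundary is None or is_allowed(boundary, action))

def find_escalation_chains(identity_policy: dict, boundary: dict = None) -> list:
    """Names of chains whose every action is effectively allowed for this identity."""
    return [name for name, actions in ESCALATION_CHAINS.items()
            if all(effective_allow(a, identity_policy, boundary) for a in actions)]

def wildcard_principals(trust_policy: dict) -> list:
    """Indexes of Allow statements whose Principal lets any AWS account assume the role."""
    hits = []
    for i, st in enumerate(_as_list(trust_policy.get("Statement"))):
        principal = st.get("Principal")
        aws = [principal] if isinstance(principal, str) else _as_list((principal or {}).get("AWS"))
        if st.get("Effect") == "Allow" and "*" in aws:
            hits.append(i)
    return hits

# Constructed sample policies (not taken from any real account).
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")
BOUNDARY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")
OPEN_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]
}""")
```

Neither the developer policy nor the boundary grants iam:CreateRole, yet the developer policy alone satisfies the chain; attaching the boundary closes it because the PassRole half is no longer effectively allowed.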