Module Introduction
The Privileged Account Landscape
Privileged accounts are the master keys of your enterprise infrastructure. Every system, application, and cloud service relies on some form of elevated access — and each represents a potential attack vector when unmanaged. Select any account type below to explore its risk profile and Delinea's approach to securing it.
Industry Context: According to Verizon's Data Breach Investigations Report, over 74% of all breaches involve a human element — and privileged credentials are the most sought-after targets. Every unmanaged privileged account increases your blast radius.
Domain Administrator
Full control over Active Directory forests and all domain-joined resources.
● Critical Risk
Local Administrator
Elevated rights on individual endpoints, servers, or workstations.
● High Risk
Service Accounts
Non-human identities that run background services, tasks, and applications.
● High Risk
Application Accounts
Embedded credentials within applications for database and system access.
● High Risk
Break-Glass Accounts
Emergency access accounts for crisis scenarios when normal auth fails.
● Critical Risk
SSH Keys
Cryptographic keys granting shell access to Linux, Unix, and network devices.
● Medium–High Risk
API Tokens
Bearer tokens and keys enabling machine-to-machine authentication.
● Medium–High Risk
Cloud IAM Roles
AWS, Azure, and GCP identity policies governing cloud resource access.
● Elevated Risk
Delinea
How Delinea Addresses the Full Landscape
01
Discover
Delinea's discovery engine scans your network, directories, and cloud environments to build a complete inventory of every privileged identity — known and shadow accounts alike.
02
Vault & Rotate
All credentials are securely vaulted with AES-256 encryption. Automated rotation enforces policy-based password cycles, eliminating stale or shared credentials.
03
Control & Audit
Just-in-time access, session recording, and real-time monitoring ensure zero-standing privilege while maintaining full audit trails for compliance and forensics.
Account Type 01
Domain Administrator Accounts
Domain administrator accounts hold the highest level of trust in a Windows environment. They have unrestricted access to all domain-joined systems, can create or modify any account, and control Group Policy across the entire forest.
⬤ Critical Risk
Risk Profile
Why Domain Admins are Primary Targets
- Unrestricted access to all domain-joined machines and data
- Ability to create accounts, modify Group Policy, and alter security settings
- Hash extraction via DCSync attacks grants offline credential cracking
- Pass-the-Hash and Pass-the-Ticket attacks allow lateral movement
- Kerberoasting targets service tickets tied to admin accounts
Common Misconfigurations
Where Organizations Go Wrong
- Using domain admin accounts for daily tasks or email
- Shared DA accounts with no individual accountability
- No separation between Tier 0 and lower-tier admin accounts
- Passwords unchanged for months or years
- Domain Admins logging into workstations (credential exposure)
Attack Scenarios
Real-World Exploitation Paths
- Golden Ticket attacks via KRBTGT account compromise
- Credential dumping from LSASS memory on any domain machine
- Adversary-in-the-middle attacks on admin sessions
- Social engineering targeting IT staff with DA access
- Ransomware operators deliberately acquire DA for max impact
Common Misconfiguration
Business Impact
No MFA on domain admin accounts
Single compromised password grants full domain control; no secondary verification barrier
Built-in Administrator account enabled and shared
No attribution for actions taken; attackers exploit default account with known SID S-1-5-21-...-500
DA accounts used interactively on workstations
Credentials cached in LSASS on every machine touched — extractable by Mimikatz
No tiered admin model (no PAW/jump server)
Admin traffic flows across lower-trust tiers, enabling lateral movement to Tier 0
Delinea
Delinea's Approach to Domain Administrator Accounts
01
Discovery & Inventory
Delinea Secret Server scans Active Directory to enumerate all accounts with Domain Admin rights, including nested group memberships that grant hidden DA privileges.
02
Vault & Rotation
DA passwords are vaulted and auto-rotated on a policy-defined schedule (e.g., every 24 hours). Checkout workflows with dual approval enforce accountability for every session.
03
Just-in-Time Access
Delinea's Privilege Manager removes standing DA rights. Access is provisioned on-demand with time-limited elevation, automatically revoked after the task window closes.
Account Type 02
Local Administrator Accounts
Every Windows machine has a built-in local administrator account. When the same password is shared across thousands of endpoints, a single breach becomes an enterprise-wide lateral movement highway.
⬤ High Risk
Risk Profile
The Lateral Movement Enabler
- Same local admin password across fleet enables one-to-many compromise
- Local admin rights allow credential harvesting via LSASS
- Pass-the-Hash attacks exploit reused NTLM hashes across machines
- Attackers use local admin to install backdoors and persist
- Often neglected in patch cycles and rotation policies
Common Misconfigurations
Endpoint Admin Pitfalls
- Identical local admin passwords deployed via imaging tools
- Built-in Administrator account (RID 500) never renamed or disabled
- End users with full local admin rights for "convenience"
- No monitoring of local admin group membership changes
- Remote management tools (RDP, WinRM) always enabled with admin
Scale of Exposure
Why This Multiplies Risk
- An enterprise with 10,000 endpoints may have 10,000 identical attack paths
- Shared hashes enable automated lateral movement at scale
- Difficult to detect without dedicated endpoint telemetry
- Compliance frameworks (PCI DSS, HIPAA, CIS) explicitly require unique credentials
- Remote work expansion has multiplied unmanaged endpoint attack surface
Delinea Tip: Microsoft's LAPS (Local Administrator Password Solution) is a step in the right direction, but it lacks centralized auditing, session recording, and approval workflows. Delinea extends LAPS with enterprise-grade governance.
Common Misconfiguration
Business Impact
Shared local admin password across all endpoints
Compromise of one endpoint grants admin access to every device in the fleet
Users running as local administrators daily
Malware executes with admin rights; no privilege barrier to system-level access
No logging of local admin account usage
Attacker lateral movement goes undetected; no forensic trail for incident response
Delinea
Delinea's Approach to Local Administrator Accounts
01
Endpoint Discovery
Delinea Privilege Manager deploys lightweight agents that discover all local administrator accounts and shadow admins across every endpoint in the estate.
02
Unique Password Per Machine
Automated rotation generates cryptographically unique passwords for each endpoint on a defined schedule, eliminating the shared-password lateral movement vector entirely.
03
Least Privilege Enforcement
Application elevation policies allow users to run specific approved applications with elevated rights without granting blanket local admin — removing standing privilege from workstations.
Account Type 03
Service Accounts
Service accounts are non-interactive accounts used by Windows services, scheduled tasks, and background processes. Because they rarely have human oversight, they are frequently over-privileged, under-rotated, and invisible to security teams.
⬤ High Risk
Risk Profile
The Silent Privileged Identity
- Passwords set to "never expire" to avoid service disruptions
- Often granted Domain Admin rights "just in case"
- No human monitoring suspicious behavior patterns
- Credentials frequently embedded in scripts or config files
- Shadow IT services create undiscovered accounts outside IT governance
Common Misconfigurations
Service Account Failures
- Overprovisioning: services running as Domain Admin
- Password never rotated due to fear of breaking dependencies
- Same account used by multiple unrelated services
- Interactive logon allowed (enabling human use of service account)
- No documentation of what systems depend on the account
Discovery Challenges
Why They're Hard to Find
- Created by application installers without IT knowledge
- Developers create service accounts that persist long after projects end
- Hundreds of accounts accumulated over years across AD
- Group Managed Service Accounts (gMSA) often misconfigured
- Cloud-synced accounts create hybrid blind spots
Common Misconfiguration
Business Impact
Service account has Domain Admin membership
Compromising one service grants full domain takeover capability
Password set to never expire, never rotated
Breached credentials remain valid indefinitely; attacker maintains persistent access
Password stored in plaintext scripts or config files
Any developer or file-share user with read access can extract credentials
Multiple services share one account
Rotating the password breaks all dependent services simultaneously; rotation avoided
Delinea
Delinea's Approach to Service Accounts
01
Automated Discovery
Delinea scans Active Directory and connected systems to identify all service accounts, map their dependencies, and flag those with excessive privileges or stale passwords.
02
Dependency-Aware Rotation
Secret Server's automated rotation updates service account passwords AND simultaneously propagates the new credential to all dependent Windows services, scheduled tasks, and IIS app pools — eliminating the "can't rotate" problem.
03
Least Privilege Right-Sizing
Reports identify over-privileged service accounts. Delinea provides remediation workflows to right-size permissions and migrate to gMSA where applicable.
Account Type 04
Application Accounts
Application accounts are credentials hardcoded or embedded within software to authenticate to databases, APIs, and backend systems. They represent one of the most pervasive and difficult-to-remediate privileged identity problems in modern IT.
⬤ High Risk
Risk Profile
The Hardcoded Credential Crisis
- Credentials embedded in source code, config files, or binaries
- Checked into version control repositories (GitHub, GitLab, Bitbucket)
- Accessible to any developer with repository access
- Frequently with broad database or API permissions
- Changing them requires code deployment — so they never change
Common Misconfigurations
Developer Security Anti-Patterns
- Connection strings with plaintext credentials in web.config or .env files
- Database accounts with DBA rights when read-only would suffice
- Generic shared application accounts with no per-service isolation
- Same credentials in dev, staging, and production environments
- API keys committed to public or semi-public repositories
Exposure Vectors
How App Credentials Leak
- Code repository exposure (intentional or accidental public repo)
- Log files capturing connection strings during errors
- Memory dumps and heap snapshots exposing in-memory credentials
- Container images published with embedded credentials
- Build artifact repositories containing plaintext secrets
Key Principle: Applications should never store credentials — they should request them. Delinea's Secret Server SDK and REST API allow applications to retrieve credentials at runtime from the vault, eliminating hardcoded secrets entirely.
Delinea
Delinea's Approach to Application Accounts
01
Secret Server SDK Integration
Applications use the Delinea SDK (.NET, Java, Python, PowerShell) or REST API to retrieve credentials at runtime. The application never stores the password — it fetches it from the vault on demand.
02
Scanning for Hardcoded Secrets
Delinea's discovery capabilities integrate with DevSecOps pipelines to scan repositories and build artifacts for hardcoded credentials, flagging them before deployment.
03
Dynamic Credential Provisioning
For supported databases, Delinea can provision ephemeral, just-in-time database credentials with TTLs as short as a single session — meaning there are no long-lived app credentials to steal.
Account Type 05
Emergency Break-Glass Accounts
Break-glass accounts are highly privileged emergency accounts that exist outside normal IAM workflows. They're designed for crisis scenarios — but their exceptional power and loose governance make them prime attack targets.
⬤ Critical Risk
Risk Profile
High Power, Low Oversight
- Designed to bypass normal MFA and conditional access policies
- Often stored on paper or in a physical safe — no digital audit trail
- Infrequently used means compromise may go undetected for months
- Typically granted the highest possible system permissions
- Cloud break-glass accounts (Global Admin) can affect entire tenants
Common Misconfigurations
Emergency Account Pitfalls
- Password written on physical paper with poor physical security
- Same break-glass password for years without rotation
- No alerting when break-glass accounts are used
- Unclear criteria for when break-glass access is justified
- Insufficient personnel awareness — lost credentials in emergencies
Compliance Requirements
Regulatory Expectations
- NIST SP 800-53 requires monitoring and auditing of emergency accounts
- ISO 27001 demands documented emergency access procedures
- SOC 2 auditors scrutinize evidence of break-glass account governance
- PCI DSS requires immediate password change after break-glass use
- Azure AD / Entra ID best practices mandate ≥2 cloud break-glass accounts
Paradox Alert: Break-glass accounts must be accessible when your primary IAM system fails — but also must be tightly controlled. Delinea solves this with offline vault access capabilities and mandatory post-use rotation.
Delinea
Delinea's Approach to Break-Glass Accounts
01
Dual-Control Vaulting
Break-glass credentials are vaulted with dual-approval requirements — two authorized administrators must approve access before credentials are revealed, ensuring no single person can access unilaterally.
02
Immediate Use Alerting
Any break-glass checkout triggers real-time alerts to the CISO, SOC team, and designated stakeholders via email, SMS, and SIEM — ensuring the act of emergency access is always visible.
03
Mandatory Post-Use Rotation
Delinea automatically rotates break-glass credentials immediately after check-in. Session recording captures all activity, and a full audit report is generated for compliance review.
Account Type 06
SSH Keys
SSH keys provide cryptographic authentication to Linux, Unix, and network infrastructure. Unlike passwords, they are rarely included in rotation policies — creating massive, invisible inventories of persistent privileged access.
⬤ Medium–High Risk
Risk Profile
The Forgotten Credential Type
- Private keys stored on developer workstations without passphrase protection
- Authorized_keys files accumulate over years — "orphan" keys grant persistent access
- Keys created for temporary access (contractors, projects) never removed
- Compromised developer laptop exposes keys to all associated servers
- No built-in expiration mechanism in SSH itself
Common Misconfigurations
SSH Key Management Failures
- Wildcard authorized_keys entries granting access from any key
- Root login over SSH enabled (PermitRootLogin yes)
- Keys shared across multiple team members ("team key")
- Private keys checked into source code repositories
- No inventory of which keys authorize access to which servers
Infrastructure Scope
Where SSH Keys Live
- Linux servers (physical, virtual, and cloud)
- Network appliances (switches, firewalls, routers)
- CI/CD pipelines and build systems
- IoT and industrial control systems
- Automated backup and replication systems
Common Misconfiguration
Business Impact
Private key stored without passphrase protection
Theft of the key file immediately grants server access — no brute forcing required
Orphan keys from former employees still active
Terminated staff or contractors retain access to production systems indefinitely
Root SSH login enabled
A compromised key grants immediate root — no privilege escalation step required
Delinea
Delinea's Approach to SSH Key Management
01
SSH Key Discovery
Delinea scans Linux and Unix infrastructure to enumerate all public keys in authorized_keys files, mapping which key pair authorizes access to which account on which server.
02
Centralized Key Vaulting
SSH key pairs are imported into Secret Server. Users check out keys for sessions rather than holding permanent private key files — the key is never written to disk on the user's machine.
03
Automated Key Rotation
Delinea generates new key pairs on a rotation schedule, automatically updating the authorized_keys file on target servers and archiving the old keys — eliminating the orphan key problem.
Account Type 07
API Tokens & Keys
API tokens and keys are bearer credentials that authorize machine-to-machine communication. Their power lies in their simplicity — which is also their greatest security weakness. A token in the wrong hands provides immediate, often broad access.
⬤ Medium–High Risk
Risk Profile
Bearer Tokens: Possession = Access
- No identity verification — whoever holds the token gets the access
- Often long-lived or non-expiring by default
- Broad scopes granted "just to make it work"
- Frequently leaked via logs, error messages, or repository commits
- Third-party services (SaaS, vendors) accumulate tokens over time
Common Misconfigurations
Token Security Failures
- Admin-scoped API keys used where read-only would suffice
- Tokens with no expiration date set during creation
- API keys committed to public GitHub repositories
- Same token shared across multiple services or teams
- No token rotation workflow — fear of breaking integrations
Common Token Types
The Ecosystem of Tokens
- REST API keys (Salesforce, ServiceNow, Okta, Slack)
- OAuth 2.0 client secrets and refresh tokens
- Personal Access Tokens (GitHub, Azure DevOps, GitLab)
- Database connection tokens (MongoDB Atlas, Snowflake)
- Webhook secrets and HMAC signing keys
GitHub Secret Scanning: GitHub reports detecting millions of leaked secrets in public repositories annually. Even briefly exposed tokens must be treated as compromised, as automated scanners harvest them within seconds of exposure.
Delinea
Delinea's Approach to API Tokens
01
Token Inventory & Vaulting
API tokens and keys across SaaS platforms, internal services, and development tools are inventoried and vaulted in Secret Server with full metadata: owner, scope, expiration date, and associated systems.
02
Expiration Monitoring & Alerts
Delinea tracks expiration dates and sends automated alerts before tokens expire, preventing service disruptions while enforcing rotation. Expired tokens trigger immediate rotation workflows.
03
Programmatic Token Retrieval
Applications and pipelines retrieve tokens via the Delinea API at runtime rather than storing them. This ensures tokens are never at rest in configuration files, scripts, or CI/CD environment variables.
Account Type 08
Cloud IAM Roles
Cloud IAM roles in AWS, Azure, and GCP control access to cloud-native resources at massive scale. Unlike traditional accounts, they are often assumed by services, workloads, and external identities — creating a sprawling, dynamic attack surface.
⬤ Elevated Risk
Risk Profile
Cloud Privilege: Scale & Speed
- A single misconfigured role can expose entire S3 buckets or Azure subscriptions
- Roles assumed by Lambda functions, EC2 instances, or Kubernetes pods
- Privilege escalation via IAM PassRole, CreatePolicy, and AssumeRole chains
- Shadow roles created by developers outside cloud governance processes
- Cross-account trust relationships creating indirect access paths
Common Misconfigurations
Cloud IAM Anti-Patterns
- AdministratorAccess policy attached to service roles (wildcard: *:*)
- IAM users with long-lived access keys instead of role-based access
- No SCPs (Service Control Policies) limiting blast radius
- Public S3 bucket + overpermissioned role = data exfiltration path
- Root account used for routine operations without MFA
Multi-Cloud Complexity
Governance Across Clouds
- AWS IAM roles vs. Azure RBAC vs. GCP IAM — three different models
- Federated identity (SAML, OIDC) creates additional trust chains
- Workload Identity Federation blurs the human/machine identity boundary
- Kubernetes RBAC adds another layer within cloud-hosted clusters
- No unified visibility without a CIEM or PAM solution
Common Misconfiguration
Business Impact
IAM access keys never rotated (>90 days old)
Leaked keys remain valid indefinitely; common source of cloud account breaches
No MFA on AWS root account
Single credential compromise grants unrestricted access to every AWS resource
Wildcard (*:*) permissions on role policies
A compromised role can access, modify, or delete any resource in the account
No CloudTrail or equivalent audit logging
Malicious activity by IAM identities goes undetected with no forensic trail
Delinea
Delinea's Approach to Cloud IAM Roles
01
Cloud Account Discovery
Delinea connects to AWS, Azure, and GCP to discover all IAM users, roles, service principals, and access keys. It maps cross-account trust relationships and identifies overpermissioned identities.
02
Access Key Vaulting & Rotation
Long-lived IAM access keys are vaulted and auto-rotated. Cloud console access for human administrators is brokered through Delinea, eliminating direct credential exposure and enabling session recording.
03
JIT Cloud Privilege
Cloud role assumptions are granted on a just-in-time basis through Delinea workflows. Developers and admins request elevated cloud access, receive time-bounded role assignments, and are automatically deprovisioned.