1) Admin Account Management: Fully Managed Clients
For fully managed clients, the MSP/IT service provider takes care of setting up the entire network, deploying the firewalls, implementing software services, restricting access to resources, and so on.
Continuous management of these services requires MSP technicians to regularly log in to systems and servers on the client/customer network. To do this, admin accounts are shared within the MSP organization. The MSP organization is ultimately responsible for maintaining all accounts that allow access to client systems and servers.
This involves managing the global admin, domain admin (Azure/AD), server root, local admin password, and other mission-critical access credentials.
Besides these accounts, there are M365 accounts, Google logins and MFA management to take care of. While the Microsoft Partner Center gives MSPs an overview of client users, it offers few security options for managing the passwords of those logins.
Break-glass scenarios where clients need access
On rare occasions, when client IT personnel need administrative access to one of their resources, the MSP shares a secondary admin account with restricted access with the organization's IT admin.
2) Admin Account Management: Co-Managed Clients
In co-managed setups, MSPs are forced to share the credentials of privileged accounts with users on the client side, such as C-suite employees or the client's IT staff. Because the MSP and the client use different software and environments, passwords are often shared insecurely via email, chat or Excel files.
This distributed and insecure way of sharing admin account credentials introduces the risk of unauthorized access. Centralizing admin accounts and sharing credentials only via encrypted channels reduces the risk of attacks.
Untangling the complexities associated with client access permissions
In general, MSPs use a single domain admin account for managing the domain, including Group Policy Objects (GPOs) and Organizational Units (OUs). The MSP account(s) are delegated rights to administer users without being members of the “Domain Admins” group.
However, standing access to a domain admin account means that if the account is compromised, it can be used to create a GPO, apply it, and attack every computer object in the domain within the 90-minute GPO refresh period.
At smaller MSPs, where each technician has their own login, this setup works well. As an MSP grows to manage over 100 clients, though, maintaining individual logins for each technician becomes highly impractical.
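A defender-side check for the GPO risk described above, added here as an example (it is not from the original article or any vendor): it scans constructed, SIEM-style records of Windows Security events 5137 (directory object created) and 5136 (directory object modified), flags GPO creation and gPLink changes, and escalates when the same actor does both within the 90-minute window. The field names, the placeholder GUID and the sample account names are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real client data), shaped like the fields a SIEM
# extracts from Windows Security event IDs 5137 (object created) and 5136 (object
# modified), which require Directory Service Changes auditing on the DCs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 5137, "user": "CLIENT\\msp-dadmin",
     "objectClass": "groupPolicyContainer",
     "objectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=client,DC=local"},
    {"ts": "2024-05-01T09:01:30", "id": 5136, "user": "CLIENT\\msp-dadmin",
     "objectClass": "domainDNS", "attribute": "gPLink",
     "objectDN": "DC=client,DC=local"},
    {"ts": "2024-05-01T11:00:00", "id": 5136, "user": "CLIENT\\tech1",
     "objectClass": "user", "attribute": "description",
     "objectDN": "CN=Bob,OU=Staff,DC=client,DC=local"},
]

# Object classes on which a gPLink change means "a GPO was applied to a scope".
LINK_SCOPES = {"domainDNS", "organizationalUnit", "site"}

def detect_gpo_changes(events, window_minutes=90):
    """Alert on GPO creation (5137 on groupPolicyContainer) and GPO linking
    (5136 changing gPLink at domain/OU/site scope). A link by the same actor
    within window_minutes of their own GPO creation is escalated to 'high':
    that is the create-and-apply pattern a compromised standing admin enables."""
    alerts, creations = [], {}   # creations: actor -> time of their last GPO create
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 5137 and ev["objectClass"] == "groupPolicyContainer":
            creations[ev["user"]] = t
            alerts.append({"severity": "medium", "actor": ev["user"],
                           "what": "GPO created", "target": ev["objectDN"]})
        elif (ev["id"] == 5136 and ev.get("attribute") == "gPLink"
              and ev["objectClass"] in LINK_SCOPES):
            created = creations.get(ev["user"])
            recent = (created is not None
                      and t - created <= timedelta(minutes=window_minutes))
            alerts.append({"severity": "high" if recent else "medium",
                           "actor": ev["user"], "what": "GPO linked",
                           "target": ev["objectDN"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_gpo_changes(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Feeding real 5136/5137 exports through the same function turns the "90-minute window" in the text into a concrete correlation rule; the unrelated description change on a user object is ignored.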
Centralize Admin Accounts and Manage them with PAM
Privileged Access Management (PAM) helps centralize distributed client admin accounts and provides on-demand elevated access to the users and technicians who need it.
PAM solutions help discover and then centrally manage local accounts, domain admin accounts, service accounts, Windows dependencies, IIS app pools, and all other privileged accounts.
These accounts and their passwords are securely stored in the encrypted PAM repository, which your MSP administrators, engineers, technicians and client end users can access.
How can MSPs manage client admin accounts with Privileged Access Management (PAM) software? (5 steps)
- Consolidate All Client Admin Accounts: PAM locates all the administrative accounts spread across domains (AD/LDAP), forests, standalone machines/servers (Windows, Mac, and Linux) and Entra ID (Azure) tenants. This is done by establishing connectivity with systems on the client infrastructure. This gives full visibility of all the privileged admin accounts across the infrastructure.
- Randomize Passwords of Admin Accounts: Once the admin accounts from all client organizations are consolidated, the PAM solution can generate and assign strong, complex passwords to them. A periodic password rotation schedule can be configured so that the credentials are changed frequently.
- Onboard MSP/Client Users: All technicians and client end users who need access to privileged accounts can be added to the PAM solution directly through a quick import workflow. Users in AD, Azure, AWS or Google directories are onboarded automatically.
- Provision Access to PAM Server: Onboarded users are then given a way to authenticate and access the PAM solution. Authentication can be facilitated either through SSO (AD/Azure AD/Google) or with a native set of login credentials.
- Securely Share MSP Admin Accounts: Privileged admin accounts such as the domain administrator account can be shared securely with technicians/end-users who need them. Approval workflows can be configured so that techs get access only after approval from one or more administrators. The admin account can also be shared with Just-in-Time (JIT) privileges, where admin access ends after a particular time period.
Once shared, technicians and client end users log into PAM and see only the accounts relevant to them. Technicians can also launch secure RDP, SSH and SQL remote connections to machines without ever seeing the underlying passwords of the accounts shared with them.
Frequently Asked Questions (FAQs) about Administrative Accounts of Managed Customers
A) How to Enforce MFA for Client Admin Accounts?
MSPs that want to control privileged access to client admin accounts can store them in PAM and add a further layer of authentication by integrating with Duo, RADIUS, Google Authenticator, Microsoft Authenticator or other 2FA solutions. This additional layer protects client administrator accounts and prevents misuse even if a password lands in the wrong hands.
B) How to Support Client Compliance with Audits (SOX, HIPAA, URAC etc.)?
Clients subject to government regulations require their MSPs to follow the same mandates. When domain accounts are shared, detailed logs of the activity carried out with those accounts are needed for audits.
All privileged activity carried out through PAM is fully audited, so engineers and users are held accountable. This helps pinpoint who was responsible for an outage, breach or similar issue.
Additionally, a wide range of reports can be pulled on all access related to a specific admin account. For a highly privileged domain account, for example, a report can show which users used the account, which devices they connected to and what tasks they carried out. This is particularly useful in audits.
C) How to Revoke Admin Access When MSP Technicians Leave?
Compliance regulations require revoking all access granted to technicians when they leave the MSP organization. PAM software makes this straightforward: once a user is denied access to the PAM solution, none of the admin accounts shared with them remain accessible.
Accounts owned by or accessible to the departing user can be securely transferred to another user. As an additional safety measure, a report can be pulled on all the passwords shared with that user so they can all be changed if required.
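To make steps 3 to 5 above and this FAQ concrete, here is a small Python model added as an example (it is not code from the article or from any PAM product): in-memory accounts, just-in-time shares that need approval, audited check-out, and an offboarding routine that disables the user, drops their shares and returns the accounts whose passwords they actually retrieved, which is the rotation list this FAQ describes. The minute-counter clock and all account and user names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Share:
    account: str
    user: str
    expires: int            # JIT: vault clock value at which access ends
    approved: bool = False  # an approver must set this before first checkout

class PamVault:
    """Minimal model (an assumption for illustration, not any product's API) of the
    workflow in the text: accounts live centrally, are shared just-in-time with
    approval, every use is audited, and offboarding a user revokes their shares and
    lists the accounts whose passwords they could have seen, so those get rotated."""
    def __init__(self):
        self.clock = 0          # minutes; advanced by the caller instead of wall time
        self.accounts = {}      # account name -> password
        self.shares = []
        self.disabled = set()   # users denied access to the vault itself
        self.audit = []         # (clock, user, action, account)

    def add_account(self, name, password):
        self.accounts[name] = password

    def share(self, account, user, minutes, require_approval=True):
        s = Share(account, user, self.clock + minutes, approved=not require_approval)
        self.shares.append(s)
        self.audit.append((self.clock, user, "share", account))
        return s

    def approve(self, share, approver):
        share.approved = True
        self.audit.append((self.clock, approver, "approve", share.account))

    def checkout(self, account, user):
        """Return the password only for an enabled user holding an approved,
        unexpired share; log the attempt either way so audits can answer
        'who used which account, when'."""
        ok = user not in self.disabled and any(
            s.account == account and s.user == user and s.approved
            and s.expires > self.clock for s in self.shares)
        self.audit.append((self.clock, user, "checkout" if ok else "denied", account))
        return self.accounts[account] if ok else None

    def offboard(self, user):
        """Disable the user, drop their shares, and return the accounts whose
        secret they actually retrieved: the rotation list from FAQ C."""
        self.disabled.add(user)
        self.shares = [s for s in self.shares if s.user != user]
        self.audit.append((self.clock, user, "offboard", "*"))
        return sorted({a for _, u, act, a in self.audit if u == user and act == "checkout"})
```

The audit list is what the "who used which account to do what" report in FAQ B would be built from; denied attempts are recorded as well, since an expired or unapproved request is itself useful audit evidence.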