Hi everyone! I've just started as an Infrastructure Team Lead at a healthcare organization and I'm currently reviewing the vendor's remote access setup. Here's how it works:
1. There's a non-tier Active Directory (AD) account used to log into the SSL VPN via SAML.
2. This same account is then used to RDP into a Jump host (Bastion host).
3. After accessing the Jump host, the same account is logged into the PAM portal.
4. From the PAM portal, RDP/SSH sessions are initiated to target systems. However, the privileged accounts used here have passwords that are unknown to the user.
Here are my main concerns:
- The same credentials are reused across multiple security layers.
- If the non-tier AD account gets compromised, it poses a risk of lateral movement within the system.
- I'm unsure if this setup adheres to best practices.
I'm looking for your suggestions and advice. Thanks in advance!
4 Answers
Honestly, this setup looks more like a security risk than a design. If that AD account is compromised, it could give an attacker full access to your infrastructure, which will definitely raise flags during your next audit.
Is there any form of two-factor authentication in place for the VPN, like an RSA key or something similar? That could add a layer of security.
Yes, both VPN and PAM access are protected with multi-factor authentication.
This setup seems pretty typical for modern systems, but I think the key missing piece is multi-factor authentication for non-privileged accounts. It's good that elevated privileges have secured credentials, but MFA for everything would be a wise addition.
I’ve never come across the term "non-tier AD account" before. I’m guessing it refers to a standard account that doesn’t have heightened privileges, used mainly for basic functions and authentication. It's concerning to see such privilege linked back to a normal account, especially when access to PAM is involved. You might want to look into enabling Force Authentication if it’s using SAML, which would help mitigate risks from compromised initial login credentials.
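To make the Force Authentication suggestion concrete, here is an added example (not code from the thread or from any vendor mentioned in it) showing the two halves of that control: a service provider emitting a SAML AuthnRequest with `ForceAuthn="true"`, and the relying side checking that the assertion it gets back carries a recent `AuthnInstant` rather than one inherited from an older IdP session. Entity IDs, URLs and the sample response XML are constructed placeholders; signature and audience validation are assumed to have been done by the SAML library before this freshness check runs.

```python
"""Added example: request a fresh interactive login via SAML ForceAuthn and
verify on the service-provider side that the returned AuthnStatement is fresh.

Assumptions (not from the thread): entity IDs, URLs and the sample response
below are constructed; XML signature/audience checks happen elsewhere.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(issuer, acs_url, destination, force_authn=True, now=None):
    """Serialize a minimal AuthnRequest; ForceAuthn="true" tells the IdP to
    re-authenticate the user even if an SSO session already exists."""
    now = now or datetime.now(timezone.utc)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def request_has_force_authn(xml_text):
    """True when the serialized AuthnRequest asks the IdP to force re-auth."""
    root = ET.fromstring(xml_text)
    return root.get("ForceAuthn", "false").lower() == "true"


def _parse_instant(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z, optionally fractional.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_is_fresh(response_xml, max_age=timedelta(minutes=2), now=None):
    """True only if every AuthnStatement's AuthnInstant lies within max_age
    before `now`. A stale instant means the IdP reused an existing session
    instead of honouring ForceAuthn, so the login should be rejected."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    statements = root.findall(f".//{{{NS_SAML}}}AuthnStatement")
    if not statements:
        return False  # no authentication statement at all: nothing to trust
    for st in statements:
        instant = st.get("AuthnInstant")
        if not instant:
            return False
        ts = _parse_instant(instant)
        if ts > now or now - ts > max_age:
            return False
    return True


def make_sample_response(authn_instant):
    """Constructed sample IdP response (placeholder IDs/issuer, no signature)."""
    return f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T10:00:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:05Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    req = build_authn_request("https://vpn.example.invalid/sp",
                              "https://vpn.example.invalid/acs",
                              "https://idp.example.invalid/sso")
    print("ForceAuthn requested:", request_has_force_authn(req))
    check_time = datetime(2024, 1, 1, 10, 0, 5, tzinfo=timezone.utc)
    print("fresh login accepted:",
          assertion_is_fresh(make_sample_response("2024-01-01T10:00:00Z"), now=check_time))
    print("reused session rejected:",
          assertion_is_fresh(make_sample_response("2024-01-01T09:00:00Z"), now=check_time))
```

The SP-side freshness check is the part that matters operationally: an IdP that ignores `ForceAuthn` will still return a valid, signed assertion, so unless the relying party compares `AuthnInstant` against a short window, a stolen browser session at the IdP is enough to pass the VPN and PAM login steps without a new password or MFA prompt.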
I agree! It sounds like an unprivileged account.

I appreciate your feedback. Any other suggestions you might have?