The October 2023 security breach at OKTA involved the theft of Service Accounts and compromised several systems and customers. This got me thinking about the approach to Windows discovery and the pushback we often encounter from security teams.
With BMC Discovery being an agentless technology, credential-based access is required to target systems in order to complete a full discovery scan. Traditionally for Windows-based operating systems, this has required admin-level privileges (in order to get complete discovery information) which, for simplicity of management, is met by deploying an admin-privileged service account.
With the latest release of BMC Discovery now supporting JEA (Just Enough Administration) we are going to explore why opting for Microsoft JEA is a safer approach compared to relying on traditional admin privileged service accounts.
Precision Control: Limit Access to What’s Needed
Microsoft JEA allows you to grant users just enough access to perform specific tasks, hence the name. Unlike admin privileged service accounts that often come with broad and potentially risky permissions, JEA enables precise control over what actions users can execute. This fine-tuned approach minimizes the attack surface and mitigates the risk of unintended system changes.
Reducing the Attack Vector: Security in Layers
Admin privileged service accounts, when compromised, can become a significant security vulnerability. Microsoft JEA, on the other hand, introduces a layered security model. By providing access only to essential functions, JEA minimizes the potential damage that could result from a compromised account. It’s a proactive measure that adds an extra layer of defense against potential security breaches.
Auditability: Know Who Did What, When
In the world of cybersecurity, accountability is key. Microsoft JEA shines in this aspect by offering detailed logging and auditing capabilities. Every action performed using JEA is logged, providing a comprehensive audit trail. This level of transparency ensures that administrators can track user activities effectively, helping in compliance adherence and quick identification of any suspicious behavior.
How to implement JEA with BMC Discovery
The use of JEA for Windows discovery is supported via Powershell credentials and the Active Directory Windows Proxy. For Powershell this must be configured on each target host with Powershell v5.0 or Windows Management Framework 5.
If you are still using Admin permissioned Service Accounts with BMC Discovery and would like to discuss migrating to a JEA model (or any other type of review of your system) then get in touch with us today.
About TekWurx
Tekwurx – a UK-based technology consulting company, has been assisting customers maximize their IT service and operations management tools since 2013. Their team of consultants supports customers and works within their partner and vendor ecosystems to deliver quality services to businesses of all sizes and sectors. Their flagship product, Tekwurx uControl, aggregates IT asset data from any source and defines the relationships between continuous integration (CI), deployment, and delivery—enabling customers to understand their current IT asset landscape.