Question

Managed Accounts Best practices

  • October 11, 2025

What are the best practices for configuring managed accounts for non-privileged access?

For example, 200 developers who need access to multiple servers.

What is the recommended best practice in this scenario?

Specifically: Should each developer have an individual non-privileged domain account?

Is there a better approach for managing a large number of non-privileged users accessing multiple servers (e.g., using groups, role-based access, PAM, etc.)?

Very important: We do not want one developer’s session to be accessible or “stealable” by another developer.

Looking for guidance on how organizations typically handle this setup securely and efficiently.

1 reply

  • BeyondTrust Employee
  • October 13, 2025

Every organization will have its own requirements and process. We don’t have a best practice, but there are some smart rules examples. You can review the smart rules examples on granting access to assets, Link a Managed Account to a Managed System, Granting access, Granting access to Managed Systems.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019021


To ensure there’s no session hijacking for RDP sessions, you can configure the access policies to prevent this from happening and limit the number of concurrent sessions.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017978