In response to the news around the Skeleton malware, which is capable of bypassing authentication on Active Directory (AD) systems that use single-factor (password-only) authentication, I have the following comments from Chris Stoneff, Director of Professional Services, Lieberman Software:
“Skeleton key malware shows the need for privileged access management and session recording technology.
When an IT administrator has physical access to the domain controllers with administrative privileges, there is no limit to what can be installed or run locally on the domain controller (DC), including taking direct copies of the domain for offline hacking.
By using a privileged access management solution to restrict admins to a remotely launched and controlled session where all actions performed during the session are recorded, the admin’s environment can be limited to only specific AD management tools and no local DC sessions, with full recording and auditing of the administrative actions performed.”