The Comodo Breach and the Dangers of Shared Accounts

Recently, security researcher Jelle Ursem discovered a concerning data breach at Comodo, a cybersecurity company responsible for endpoint detection and response. Comodo used one account for its Microsoft cloud services, meaning that a single set of credentials was shared between multiple employees. A software developer at Comodo with access to the shared account inadvertently uploaded the credentials to a public GitHub repository, exposing Comodo to third-party actors. Although no customer certificate private keys were exposed, confidential sales documents, Comodo team data (including names, contact info, photos, and personal calendars), and customer contracts were available to the public.

Comodo is not unique: many enterprises use shared accounts. It is expensive, time-consuming, and exhausting to create separate accounts for each employee that needs to access a company's shared resources. Email accounts, for instance, can only be accessed by one set of credentials. Storing the resources in one shared account provides a quick and easy, albeit unsafe, solution.

Despite their convenience, shared accounts pose an immense security risk. Shared accounts also lack accountability. Furthermore, shared credentials cannot be monitored; it is impossible to know how many current and former employees, family, or friends have access.

What can companies do to improve their security? It is best practice, and one commonly enforced, to tie each identity and each account to a specific individual, with specific privileged access. Privileged Access Management (PAM) solutions lock shared credentials into a repository that can only be accessed by authenticated employee accounts. Once the credentials are used, they are changed or "reset" for the next employee. Although PAM solves the challenge of shared accounts, they are expensive systems to implement, costing about $80 to $300 per machine. Multi-Factor Authentication (MFA) is the "new" standard in identity and access management and requires an Out-of-Band (OOB) channel that can only be associated with a single user, making MFA a unique challenge for shared accounts. Look for solutions that support session monitoring -- this way, there is accountability and visibility … Your solution should record privileged sessions in real time via … Monitor sessions with full playback.

Comodo is a self-proclaimed "global leader in cybersecurity solutions," yet their recent breach is indicative of extreme carelessness and oversight. In order to protect their customers, businesses, especially high-stakes cybersecurity companies like Comodo, need to approach their security more thoughtfully.

Shared accounts (accounts where two or more people log in with the same user identification) do not provide adequate identification and authentication. Permitting generic user accounts even with low privileges (as in read-only accounts) can still be problematic. PCI DSS Requirements 8.1 and 8.5 refer to using unique accounts and not using shared accounts. NIST SP 800-53 also has sections on identification and use of shared accounts. Note: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if that machine is stand-alone and has no access to the network.

Sometimes the particular online tool leaves no other option. Then, because of accountability, security encouraged having individual accounts sharing roles. – HackneyB Mar 3 '19 at 0:52

Network access: Sharing and security model for local accounts

Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting.

This policy setting determines how network logons that use local accounts are authenticated. If you configure this policy setting to Classic, network logons that use local account credentials authenticate with those credentials. If you configure this policy setting to Guest only, network logons that use local accounts are automatically mapped to the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account.

Note: This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services.

Possible values: Classic - local users authenticate as themselves; Guest only - local users authenticate as Guest.

For network servers, configure the Network access: Sharing and security model for local accounts setting to Classic - local users authenticate as themselves. On end-user computers, configure this policy setting to Guest only - local users authenticate as Guest.

The policy is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.

This section describes features and tools that are available to help you manage this policy. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. When the value of this policy setting is Guest only - local users authenticate as Guest, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is Classic - local users authenticate as themselves, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. Potential impact: None.
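An added audit example (not from the Microsoft documentation or the article) that reads the registry value this policy writes (ForceGuest under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 0 is Classic and 1 is Guest only) and reports which local accounts the current model exposes: under Classic, enabled accounts that do not require a password; under Guest only, whether the Guest account itself is enabled. It assumes an elevated session on the Windows machine being audited and the built-in Get-LocalUser cmdlet.

```powershell
# Added example: audit the effective "Network access: Sharing and security model
# for local accounts" setting and the local accounts it puts at risk.
# Assumes an elevated PowerShell session on the machine being audited.

function Test-LocalAccountSharingModel {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # ForceGuest is the value the policy writes: 0 = Classic, 1 = Guest only.
    $force = (Get-ItemProperty -Path $lsaKey -Name 'ForceGuest' `
                -ErrorAction SilentlyContinue).ForceGuest

    switch ($force) {
        0       { $model = 'Classic - local users authenticate as themselves' }
        1       { $model = 'Guest only - local users authenticate as Guest' }
        default { $model = 'Not explicitly set (edition default applies)' }
    }
    Write-Output "Sharing and security model for local accounts: $model"

    $enabled = Get-LocalUser | Where-Object { $_.Enabled }

    if ($force -eq 1) {
        # Guest only: every network logon with a local account lands on Guest,
        # so the question is whether Guest (RID 501) is itself enabled.
        $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
        Write-Output ("Guest account enabled: {0}" -f $guest.Enabled)
        return
    }

    # Classic (or unset): each local account is reachable over the network with
    # its own credentials, so an enabled account with no password requirement
    # is exactly the exposure the policy text warns about.
    $weak = $enabled | Where-Object { -not $_.PasswordRequired }
    if ($weak) {
        Write-Output 'Enabled local accounts that do not require a password:'
        $weak | Select-Object Name, LastLogon | Format-Table -AutoSize
    } else {
        Write-Output 'All enabled local accounts require a password.'
    }
}

Test-LocalAccountSharingModel
```

Run this on a server after setting Classic to confirm no password-less local accounts remain, and on end-user machines after setting Guest only to confirm Guest is disabled.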