SY0-701 | Chapter 29 of 212 | Objective 4.6

Privileged Access Management

This chapter covers Privileged Access Management (PAM), a critical security control for protecting high-risk accounts in any organization. PAM is a core component of the Security Operations domain (Objective 4.6) on the SY0-701 exam. Understanding PAM is essential because privileged accounts are the primary target for attackers seeking to escalate privileges, move laterally, and exfiltrate data. This chapter explains what PAM is, how it works, its key components (e.g., password vaulting, session management, just-in-time access), and how to implement it to meet exam objectives.

25 min read
Intermediate
Updated May 31, 2026

The Master Key System Analogy

Imagine a high-security office building where every employee has a badge that opens specific doors. Regular workers can access the break room, their cubicle, and the restroom. But the building also contains a server room, a finance vault, and a CEO's office. Only specific people—the IT manager, the CFO, and the CEO's assistant—have badges that can open those high-value doors. However, these privileged employees often leave their badges on their desks when they go to lunch. An attacker, posing as a janitor, could easily grab a privileged badge and access sensitive areas. To prevent this, the building implements a 'master key system' where privileged badges require a PIN and a fingerprint scan to activate. Additionally, the badges are designed to auto-lock after 10 minutes of inactivity, and any attempt to open a restricted door triggers a camera recording and alerts security. This parallels privileged access management (PAM): privileged accounts are like master keys. PAM solutions enforce just-in-time elevation, requiring multi-factor authentication and session recording, and automatically rotate passwords or revoke access after use. The attacker's goal is to steal or abuse these master keys, and PAM is the system that makes those keys harder to steal, easier to monitor, and less valuable over time.

How It Actually Works

Privileged Access Management (PAM) is a set of security technologies and processes designed to control, monitor, and audit access to critical systems and data by users who have elevated permissions. These privileged accounts include local administrator accounts, domain admin accounts, service accounts, and application accounts that can bypass normal security controls. PAM addresses the principle of least privilege by ensuring that privileged access is granted only when needed, for a limited time, and with full accountability.

Why PAM is Critical

Privileged accounts are the 'keys to the kingdom.' If an attacker compromises a domain admin account, they can control the entire network. The 2024 Verizon Data Breach Investigations Report shows that 74% of breaches involve privilege abuse. Without PAM, organizations face:

- Credential theft: Attackers use phishing, keyloggers, or pass-the-hash to steal privileged credentials.
- Insider threats: Disgruntled employees can misuse their elevated access to steal data or sabotage systems.
- Lateral movement: Attackers use compromised privileged accounts to move from one system to another.
- Compliance failures: Regulations like PCI DSS, HIPAA, and SOX require strict access controls and audit trails.

How PAM Works Mechanically

PAM operates through several interlocking mechanisms:

1. Discovery and Inventory: PAM tools scan the network to find all privileged accounts, including local admin accounts, service accounts, and application accounts. For example, CyberArk’s Discovery tool can find accounts in Active Directory, local SAM databases, and Unix/Linux passwd files.

2. Password Vaulting: Privileged account passwords are stored in an encrypted vault. Users never know the actual password. Instead, they request access through a workflow. The vault generates a one-time password or retrieves the stored password temporarily. After use, the password is rotated (changed) automatically. This prevents credential theft because the password is never exposed to the user.

3. Session Management and Recording: When a user requests elevated access, the PAM tool can broker a session. The user connects through a jump host or proxy, and all keystrokes, commands, and screen output are recorded. This provides an audit trail for forensic analysis. For example, in a Windows environment, PAM can record an RDP session using Microsoft’s Remote Desktop Services with session recording enabled.

4. Just-in-Time (JIT) Access: Instead of granting permanent admin rights, PAM provides temporary elevation. A user requests access for a specific task, and the PAM tool grants a time-limited ticket. After the task, the elevation is revoked. This reduces the attack surface by eliminating standing privileges.

5. Policy Enforcement: PAM enforces policies such as requiring multi-factor authentication (MFA) before granting access, restricting access to specific IP addresses or times of day, and requiring approval from a manager.
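The five mechanisms above interlock in one request flow: onboard an account (its password becomes something only the vault knows), evaluate policy on each check-out, issue a time-limited ticket, and rotate at check-in so the credential the user saw stops working. The toy broker below is an added illustration of that flow, not any vendor's code or API; the account name DA_backup, the group it-ops, the 8-to-18 access window and the 60-minute ticket lifetime are constructed values.

```python
"""Toy PAM broker: vault check-out gated by policy, JIT tickets that expire,
and rotation at check-in. Added illustration; no vendor's real code or API."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"


def random_password(length: int = 24) -> str:
    """Vault-generated secret; the requester only ever sees it inside a ticket."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Policy:
    allowed_groups: set       # requester must belong to one of these
    start_hour: int           # access window, inclusive start ...
    end_hour: int             # ... exclusive end (24h clock)
    require_mfa: bool
    require_approval: bool
    max_minutes: int          # lifetime of the JIT ticket


@dataclass
class Ticket:
    account: str
    user: str
    password: str
    expires_at: datetime


@dataclass
class Vault:
    passwords: dict = field(default_factory=dict)  # account -> current password
    policies: dict = field(default_factory=dict)   # account -> Policy
    audit: list = field(default_factory=list)      # append-only (event, account, user)

    def onboard(self, account, policy):
        """Import an account and immediately replace its password with one only the vault knows."""
        self.passwords[account] = random_password()
        self.policies[account] = policy
        self.audit.append(("onboard", account, None))

    def _deny(self, account, user, reason):
        self.audit.append(("deny", account, user))   # denials are audit events too
        raise PermissionError(reason)

    def checkout(self, account, user, groups, now, mfa_ok, approved=False):
        """Evaluate every policy condition; on success issue a time-limited ticket."""
        pol = self.policies[account]
        if not (groups & pol.allowed_groups):
            self._deny(account, user, "requester not in an allowed group")
        if not (pol.start_hour <= now.hour < pol.end_hour):
            self._deny(account, user, "outside permitted access window")
        if pol.require_mfa and not mfa_ok:
            self._deny(account, user, "MFA required")
        if pol.require_approval and not approved:
            self._deny(account, user, "manager approval required")
        self.audit.append(("checkout", account, user))
        return Ticket(account, user, self.passwords[account],
                      now + timedelta(minutes=pol.max_minutes))

    def is_valid(self, ticket, now):
        """A ticket dies either by expiry or because the vault has rotated the password."""
        return now < ticket.expires_at and ticket.password == self.passwords[ticket.account]

    def checkin(self, ticket):
        """End of task: rotate, so the credential the user held is no longer accepted."""
        self.passwords[ticket.account] = random_password()
        self.audit.append(("rotate", ticket.account, ticket.user))


def demo():
    """Constructed happy path: a 60-minute JIT ticket for a domain-admin account."""
    vault = Vault()
    vault.onboard("DA_backup", Policy({"it-ops"}, 8, 18, True, True, 60))
    noon = datetime(2024, 1, 15, 12, 0)
    t = vault.checkout("DA_backup", "jdoe", {"it-ops"}, noon, mfa_ok=True, approved=True)
    during = vault.is_valid(t, noon + timedelta(minutes=30))          # inside lifetime
    expired = vault.is_valid(t, noon + timedelta(minutes=61))         # past lifetime
    vault.checkin(t)
    after_rotation = vault.is_valid(t, noon + timedelta(minutes=30))  # same time, but rotated
    return during, expired, after_rotation, [e[0] for e in vault.audit]


def denial_reasons():
    """Constructed negative cases; each request violates exactly one policy condition."""
    vault = Vault()
    vault.onboard("DA_backup", Policy({"it-ops"}, 8, 18, True, True, 60))
    noon = datetime(2024, 1, 15, 12, 0)
    cases = [
        dict(user="jdoe", groups={"it-ops"}, now=noon.replace(hour=3), mfa_ok=True, approved=True),
        dict(user="jdoe", groups={"it-ops"}, now=noon, mfa_ok=False, approved=True),
        dict(user="mallory", groups={"helpdesk"}, now=noon, mfa_ok=True, approved=True),
        dict(user="jdoe", groups={"it-ops"}, now=noon, mfa_ok=True, approved=False),
    ]
    reasons = []
    for case in cases:
        try:
            vault.checkout("DA_backup", **case)
            reasons.append("granted")
        except PermissionError as exc:
            reasons.append(str(exc))
    return reasons


if __name__ == "__main__":
    print(demo())
    print(denial_reasons())
```

The point worth noticing is in `is_valid`: a stolen ticket fails two independent ways, by clock and by rotation, which is why the text says rotation makes a captured credential "less valuable over time". Real products add session brokering and recording on top of this check-out step.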

Key Components and Variants

Privileged Account and Session Management (PASM): The core component that manages passwords and sessions. Example: CyberArk Privileged Access Security Solution.

Privileged Elevation and Delegation Management (PEDM): Controls what a privileged user can do after gaining access. For example, on Linux, sudo rules can be managed centrally via PAM tools like BeyondTrust PowerBroker.

Application-to-Application Password Management (AAPM): Manages passwords used by applications to authenticate to databases or other services. These are often hardcoded in scripts or config files; PAM rotates them without breaking workflows.

Cloud PAM: Extends PAM to cloud environments like AWS, Azure, and GCP. For example, AWS IAM roles can be used for JIT access, but PAM tools add session recording and approval workflows.

Standards and Protocols

RFC 7617: HTTP Basic Authentication (not for PAM, but relevant for legacy apps).

LDAP (Lightweight Directory Access Protocol, RFC 4511): Used to authenticate users against directories like Active Directory.

Kerberos (RFC 4120): Used in Windows domains for authentication. PAM tools can integrate with Kerberos to manage service tickets.

SAML and OAuth: Used for federated identity and token-based access in cloud PAM.

How Attackers Exploit Weak PAM

Pass-the-Hash (PtH): An attacker captures the NTLM hash of a privileged account from memory. Without PAM, that hash can be used to authenticate to other systems. PAM mitigates this by rotating passwords frequently and never exposing the hash to the user.

Golden Ticket Attack: Attacker forges a Kerberos ticket granting ticket (TGT) using the KRBTGT account hash. PAM can detect anomalous ticket requests and rotate the KRBTGT password periodically.

DCSync: Attacker uses a domain admin account to replicate Active Directory data and steal password hashes. PAM with session recording can capture the DCSync command (e.g., lsadump::dcsync in Mimikatz) and trigger an alert.

Privilege Escalation via Misconfigured sudo: On Linux, if sudo rules are too permissive, a user can run commands as root. PEDM can restrict sudo to specific commands and require approval.
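The PEDM component described earlier (centrally managed sudo rules) and the misconfiguration above come down to one question: does a rule restrict the user to specific commands, or does it hand over root outright? The auditor below is an added example, not BeyondTrust's or sudo's code; it parses the common `who host = (runas) [TAG:] cmd, cmd` form only (no aliases, no per-command tags), and the sample sudoers excerpt is constructed.

```python
"""Sudoers rule auditor for the PEDM idea of command-level restriction.
Added example; not BeyondTrust's or sudo's own code. Handles the common
'who host = (runas) [TAG:] cmd, cmd' form, not aliases or per-command tags."""
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<body>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*")
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh", "/bin/dash"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Return a dict for a user/group rule, or None for comments, blanks and directives."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    body, tags = m.group("body"), set()
    while (t := TAG_RE.match(body)):          # peel leading tags such as NOPASSWD:
        tags.add(t.group(1))
        body = body[t.end():]
    commands = [c.strip() for c in body.split(",") if c.strip()]
    return {"who": m.group("who"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "tags": tags, "commands": commands}


def audit_sudoers(text):
    """Flag rules that make command-level restriction meaningless."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root":   # root's own line is expected
            continue
        programs = {c.split()[0] for c in rule["commands"]}   # executable, minus arguments
        if "ALL" in programs:
            reason = "may run ANY command"
            if "NOPASSWD" in rule["tags"]:
                reason += " without re-authentication"
            findings.append({"who": rule["who"], "severity": "high", "reason": reason})
        elif programs & SHELLS:
            findings.append({"who": rule["who"], "severity": "high",
                             "reason": "may launch an interactive shell, equivalent to ALL"})
    return findings


# Constructed sample: two over-broad rules and two properly scoped ones.
SAMPLE = """\
# constructed sudoers excerpt
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
dev01   ALL=(ALL) /bin/bash
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ops     ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

The `backup` and `ops` rules are what PEDM aims for: a named executable (and, for `ops`, fixed arguments), so the audit trail records exactly which operation was delegated. The `%wheel` and `dev01` rules pass the literal "uses sudo" test yet grant unrestricted root, which is the misconfiguration the section warns about.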

Real Command/Tool Examples

- CyberArk Credential Provider CLI (CLIPasswordSDK):

  # Retrieve the credential for account 'svc_backup' from the 'Backups' safe
  clipasswordsdk GetPassword -p AppDescs.AppID=MyApp -p Query="Safe=Backups;Folder=Root;Object=svc_backup" -o Password

- BeyondTrust PowerBroker (Linux):

  # Run command with elevated privileges via policy
  pbrun /usr/bin/passwd

- AWS IAM (identity-based policy statement permitting role assumption; the assumed role yields temporary credentials):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::123456789012:role/AdminRole"
      }
    ]
  }

- Windows Local Administrator Password Solution (LAPS):

  # Get local admin password for a computer (legacy LAPS stores it in the ms-Mcs-AdmPwd attribute)
  Get-ADComputer -Identity 'WS01' -Properties 'ms-Mcs-AdmPwd' | Select-Object -ExpandProperty 'ms-Mcs-AdmPwd'

Summary of PAM Components

Vault: Encrypted database of credentials.

Session Manager: Proxies connections and records activity.

Policy Engine: Enforces access rules.

Audit Logs: Detailed records of who accessed what and when.

Implementing PAM is a critical step in achieving a zero-trust architecture. The SY0-701 exam expects you to know the purpose of PAM, the difference between PASM and PEDM, and how PAM prevents credential theft and privilege escalation.

Walk-Through

1. Discover All Privileged Accounts

The first step in implementing PAM is to identify every privileged account in the environment. This includes domain admin accounts, local admin accounts on servers and workstations, service accounts, application accounts, and even SSH keys. Tools like CyberArk Discovery or Microsoft's Active Directory Administrative Center can scan for accounts with elevated privileges. For example, in Active Directory, you can use PowerShell to find all members of the Domain Admins group: `Get-ADGroupMember -Identity 'Domain Admins'`. The output lists all privileged accounts. This step is critical because you cannot protect what you do not know. A common mistake is to forget service accounts that are often hardcoded in scripts or configuration files. The discovery process should also identify dormant accounts that have not been used in 90 days, as these are prime targets for attackers.

2. Onboard Accounts into Vault

Once discovered, each privileged account's credentials are imported into the PAM vault. The vault is an encrypted repository that stores usernames, passwords, SSH keys, and certificates. During onboarding, the original password is changed to a complex, random password that only the vault knows. The account is then 'managed' by the vault, meaning the PAM system will automatically rotate the password on a schedule (e.g., every 30 days) or after each use. For example, with Microsoft LAPS, the local admin password for a Windows computer is stored in Active Directory as an attribute (`ms-Mcs-AdmPwd`) and is automatically rotated. The vault also stores metadata such as the account owner, the systems it can access, and the risk level. This step eliminates the problem of shared or static passwords.

3. Define Access Policies and Workflows

PAM administrators create policies that govern who can request access to each privileged account, under what conditions, and for how long. Policies include: requiring multi-factor authentication (MFA) for all requests, restricting access to specific IP addresses or times of day, and requiring manager approval for high-risk accounts. For example, a policy might state that only the IT team can request the domain admin account, and only between 8 AM and 6 PM on weekdays. The access workflow is automated: a user submits a request through a web portal, the policy engine checks the conditions, and if approval is needed, it sends a notification to the approver. Once approved, the user receives a temporary password or a session token. This step enforces the principle of least privilege and prevents unauthorized access.

4. Implement Just-in-Time (JIT) Access

JIT access ensures that privileged rights are granted only for the duration of a specific task. Instead of having standing admin rights, users must request elevation each time they need it. For example, in AWS, you can use IAM roles with a trust policy that allows users to assume the role for a limited time (e.g., 1 hour). In Windows, you can use Microsoft's Just Enough Administration (JEA) to restrict what cmdlets a user can run. The PAM tool integrates with the operating system or cloud provider to grant time-limited tickets. When the ticket expires, the elevation is automatically revoked. This step dramatically reduces the attack surface because even if an attacker compromises a user's credentials, they cannot gain persistent elevated access. A common implementation is to use Azure AD Privileged Identity Management (PIM) for cloud resources.

5. Monitor and Audit All Privileged Sessions

Every privileged session should be recorded and monitored in real time. The PAM tool acts as a proxy: the user connects to the session manager, which then initiates a connection to the target system. All keystrokes, commands, and screen output are logged. For example, in CyberArk, you can record RDP sessions and play them back later. The logs are sent to a SIEM system for analysis. Alerts can be triggered for suspicious behavior, such as running `mimikatz` or accessing sensitive files. After the session, the logs are stored for compliance audits. This step provides accountability and forensic evidence. A common mistake is to record sessions but never review the logs. Automated analysis using machine learning can detect anomalies, such as a user logging in at 3 AM from an unusual IP address.

What This Looks Like on the Job

Scenario 1: SOC Analyst Detecting a Pass-the-Hash Attack

A SOC analyst at a financial firm notices an alert from the PAM system: the domain admin account 'DA_jdoe' has been used to log in to 15 servers in 10 minutes from a single workstation. The analyst reviews the PAM session recording and sees that the user ran mimikatz to extract hashes. The analyst immediately revokes the session, forces a password rotation on the DA account, and initiates an incident response. The correct response is to isolate the compromised workstation, reset all privileged passwords, and investigate the scope. A common mistake is to assume the user must be the legitimate admin and not investigate further. The PAM tool's alerting and session recording were critical in detecting the attack early.
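Step 5 of the walk-through says session logs go to a SIEM and alerts fire on suspicious behaviour; this scenario gives the concrete pattern, one domain admin account reaching 15 servers in 10 minutes, plus a recorded Mimikatz command. The detector below is an added example of how those two rules can be expressed over PAM audit events; it is not any product's rule language. The log line format, the account and host names, the threshold of more than 10 distinct hosts in a 10-minute window and the watch-list strings are all constructed assumptions.

```python
"""Detection logic over PAM audit events: fan-out of one privileged account
across many hosts, and watch-listed commands seen in session recordings.
Added example; the log format and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: ISO timestamp, event type, key=value fields, optional quoted cmd.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) PAM (?P<event>\w+) account=(?P<account>\S+) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) target=(?P<target>\S+)(?: cmd="(?P<cmd>[^"]*)")?$'
)
WATCHLIST = ("mimikatz", "lsadump::dcsync")   # strings the chapter names as alert-worthy


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the assumed shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_fanout(events, max_targets=10, window=timedelta(minutes=10)):
    """Alert once per account when it starts sessions to more than max_targets
    distinct hosts inside a sliding window (the '15 servers in 10 minutes' pattern)."""
    recent = defaultdict(deque)          # account -> (ts, target) pairs inside the window
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "session_start":
            continue
        q = recent[ev["account"]]
        q.append((ev["ts"], ev["target"]))
        while ev["ts"] - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > max_targets and ev["account"] not in fired:
            fired.add(ev["account"])
            alerts.append({"account": ev["account"], "src": ev["src"],
                           "targets": len(distinct), "at": ev["ts"]})
    return alerts


def detect_watchlisted(events):
    """Session-recording rule: any recorded command containing a watch-listed string."""
    return [ev for ev in events if ev["event"] == "command" and ev["cmd"]
            and any(w in ev["cmd"].lower() for w in WATCHLIST)]


def constructed_log():
    """Constructed sample: one account fanning out to 15 hosts in about 7 minutes,
    one admin touching three hosts over an hour, one recorded Mimikatz command."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2024, 3, 2, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).strftime(fmt)} PAM session_start "
             f"account=DA_jdoe user=jdoe src=10.0.5.21 target=srv-{i + 1:02d}" for i in range(15)]
    lines += [f"{(base + timedelta(minutes=20 * i)).strftime(fmt)} PAM session_start "
              f"account=DA_admin user=asmith src=10.0.9.7 target={h}"
              for i, h in enumerate(["db-01", "db-02", "db-03"])]
    lines.append('2024-03-02T09:03:10Z PAM command account=DA_jdoe user=jdoe '
                 'src=10.0.5.21 target=srv-07 cmd="mimikatz lsadump::dcsync"')
    return lines


def run():
    """Parse the constructed log and return (fan-out alerts, watch-listed command events)."""
    events = [ev for ev in map(parse, constructed_log()) if ev]
    return detect_fanout(events), detect_watchlisted(events)


if __name__ == "__main__":
    fanout, commands = run()
    for a in fanout:
        print(f"ALERT fan-out: {a['account']} from {a['src']} reached {a['targets']} hosts by {a['at']:%H:%M:%S}")
    for ev in commands:
        print(f"ALERT command: {ev['account']} on {ev['target']} ran {ev['cmd']!r}")
```

The fan-out rule fires at the eleventh distinct host, well before the fifteenth, and names the single source workstation, which is the host the scenario says to isolate first; the legitimate admin who touches three database servers over an hour never trips it. The watch-list rule only works if session recording is actually on, which is the mistake the text calls out.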

Scenario 2: Cloud Administrator Using Just-in-Time Access

A cloud engineer needs to modify a production database in AWS. Instead of having permanent admin rights, the engineer uses the company's PAM portal to request elevation. The request is approved by the team lead, and the PAM system grants a temporary IAM role with permissions to modify the database. The engineer connects via AWS Systems Manager Session Manager, and all commands are logged. After 30 minutes, the role is automatically revoked. The engineer completes the task without ever having standing privileges. A common mistake is to grant permanent IAM roles to developers, which increases the risk of accidental misconfiguration. The PAM solution ensures that even if the engineer's credentials are stolen, the attacker cannot gain persistent cloud access.

Scenario 3: Insider Threat in Healthcare

A hospital's IT administrator with domain admin rights copies patient records to a personal USB drive. The PAM system records the session, and the analyst sees the copy command to a removable drive. An alert is triggered because the action violates policy. The analyst reviews the recording and confirms the data exfiltration. The admin's access is immediately revoked, and the incident is reported to HR and law enforcement. A common mistake is to not have session recording enabled for all privileged accounts, relying only on logs. In this case, the recording provided definitive evidence. The PAM solution also prevented the admin from covering their tracks by deleting logs because the recording was stored in a separate, immutable vault.

How SY0-701 Actually Tests This

What SY0-701 Tests on PAM

The SY0-701 exam objective 4.6 specifically asks you to 'Explain the importance of privileged access management.' You need to know:

The purpose of PAM: to protect privileged accounts from misuse, theft, and abuse.

Key components: password vaulting, session recording, just-in-time (JIT) access, and privilege elevation.

The difference between PASM (managing passwords and sessions) and PEDM (managing what users can do after elevation).

How PAM mitigates attacks like pass-the-hash, golden ticket, and DCSync.

Real-world tools: CyberArk, BeyondTrust, Microsoft LAPS, Azure AD PIM.

Common Wrong Answers and Why

1. 'PAM is the same as IAM.' Wrong. IAM (Identity and Access Management) manages all user identities and access, while PAM specifically focuses on privileged accounts. Candidates often confuse the two because both deal with access control. Remember: IAM is broad, PAM is deep for high-risk accounts.

2. 'PAM only applies to on-premises environments.' Wrong. Cloud environments also need PAM. AWS IAM roles, Azure PIM, and Google Cloud IAM are examples of cloud PAM. The exam may present a cloud scenario, and the correct answer will involve PAM concepts like JIT access.

3. 'Password vaulting is the only feature of PAM.' Wrong. While vaulting is important, PAM also includes session recording, JIT access, and policy enforcement. Candidates often pick an answer that only mentions vaulting when the scenario requires session recording for audit.

4. 'PAM eliminates the need for MFA.' Wrong. PAM often requires MFA as an additional layer. The exam may include a scenario where MFA is used in conjunction with PAM.

Terms and Values to Memorize

JIT (Just-in-Time): Temporary elevation of privileges.

PASM: Privileged Account and Session Management.

PEDM: Privileged Elevation and Delegation Management.

LAPS: Local Administrator Password Solution (Microsoft).

MFA: Multi-factor authentication, often required by PAM.

Session recording: Capturing all keystrokes and screen output.

Common Trick Questions

'Which of the following is the BEST defense against pass-the-hash attacks?' The correct answer is PAM with frequent password rotation and session recording, not just antivirus or firewalls.

'An organization wants to ensure that administrators only have elevated rights when performing specific tasks. Which PAM concept is this?' The answer is JIT access, not password vaulting.

Decision Rule for Scenario Questions

When you see a scenario about protecting administrator accounts, look for keywords: 'temporary elevation,' 'session recording,' 'password rotation,' or 'vault.' If the question asks about reducing standing privileges, the answer is JIT. If it asks about monitoring what admins do, the answer is session recording. If it asks about protecting passwords from theft, the answer is password vaulting. Eliminate any answer that mentions only one feature when the scenario requires multiple, and always choose PAM over general IAM for privileged accounts.

Key Takeaways

PAM protects privileged accounts (domain admin, local admin, service accounts) through password vaulting, session recording, and just-in-time (JIT) access.

The SY0-701 exam tests the difference between PASM (managing passwords/sessions) and PEDM (managing elevation/delegation).

PAM mitigates pass-the-hash, golden ticket, and DCSync attacks by rotating passwords and monitoring sessions.

Microsoft LAPS is a free tool that manages local administrator passwords on Windows computers.

JIT access eliminates standing privileges by granting temporary elevation for specific tasks.

Session recording provides an audit trail and is required for compliance with standards like PCI DSS.

Cloud PAM integrates with IAM roles in AWS, Azure PIM, and GCP IAM to manage privileged access in cloud environments.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

PASM (Privileged Account and Session Management)

Focuses on managing passwords and sessions for privileged accounts.

Stores credentials in a vault and rotates them.

Provides session recording and monitoring.

Example: CyberArk Vault with session recording.

Best for controlling who can use a privileged account.

PEDM (Privileged Elevation and Delegation Management)

Focuses on controlling what commands or actions a user can perform after elevation.

Does not necessarily manage passwords; instead, it uses policies to restrict privileges.

Often uses sudo or runas with command-level restrictions.

Example: BeyondTrust PowerBroker on Linux.

Best for restricting what an admin can do with elevated rights.

Watch Out for These

Mistake: PAM is only for large enterprises with dedicated security teams.

Correct: PAM is essential for organizations of all sizes. Small businesses can use built-in tools like Microsoft LAPS for local admin passwords or cloud-native PAM features in AWS IAM. The principle of least privilege applies everywhere.

Mistake: Password vaulting means users can never know the password.

Correct: In most PAM implementations, users are given a one-time password or a temporary password that is automatically rotated after use. However, some implementations allow users to check out a password for a limited time. The key is that the password is not static and is not known to the user long-term.

Mistake: PAM only protects human users, not service accounts.

Correct: PAM also manages service accounts, application accounts, and even SSH keys. Service accounts often have high privileges and are frequently targeted. PAM can rotate passwords for service accounts without breaking applications by using APIs that update the credentials in real time.

Mistake: Session recording is optional and not critical.

Correct: Session recording is a core component of PAM for audit and forensics. Without it, you cannot prove what an admin did during a session. Compliance frameworks like PCI DSS require session recording for all privileged access to cardholder data.

Mistake: Implementing PAM is a one-time project.

Correct: PAM requires ongoing maintenance: discovering new accounts, updating policies, reviewing session logs, and rotating passwords. It is a continuous process, not a one-time deployment. The exam may test your understanding that PAM is a lifecycle.

Frequently Asked Questions

What is the difference between PAM and IAM?

IAM (Identity and Access Management) manages all user identities and their access rights across the organization. PAM (Privileged Access Management) is a subset of IAM that specifically focuses on high-risk privileged accounts, such as domain admins and service accounts. While IAM handles everyday user access, PAM adds extra layers of security like password vaulting, session recording, and just-in-time elevation. For the exam, remember that PAM is for privileged accounts, IAM is for all accounts.

How does PAM prevent pass-the-hash attacks?

PAM prevents pass-the-hash attacks by rotating passwords frequently (often after each use) and by never exposing the actual password to the user. In a pass-the-hash attack, the attacker captures the NTLM hash of a privileged account from memory. With PAM, the password is changed so often that the captured hash becomes invalid quickly. Additionally, PAM session recording can detect the use of tools like Mimikatz that extract hashes, triggering an alert.

What is just-in-time (JIT) access in PAM?

Just-in-time (JIT) access is a PAM concept where privileged rights are granted only for the duration of a specific task. Instead of having permanent admin rights, users must request elevation through a PAM portal. The elevation is time-limited and automatically revoked after the task is complete. JIT reduces the attack surface by eliminating standing privileges. For example, in Azure AD PIM, you can activate a role for one hour. The exam may ask you to identify JIT as the solution for reducing standing privileges.

Is PAM only for on-premises environments?

No, PAM is also critical in cloud environments. Cloud providers offer native PAM features like AWS IAM roles with temporary credentials, Azure AD Privileged Identity Management (PIM), and Google Cloud IAM. Third-party PAM tools also support cloud. The exam may present a hybrid scenario where PAM is used across on-prem and cloud. Remember that PAM applies wherever privileged accounts exist.

What is the role of session recording in PAM?

Session recording in PAM captures all keystrokes, commands, and screen output during a privileged session. This provides an audit trail for forensic analysis and compliance. If an admin performs a malicious action, the recording can be reviewed as evidence. Session recording also acts as a deterrent. For the exam, know that session recording is a key feature of PASM and is required by regulations like PCI DSS.

How does PAM handle service accounts?

PAM manages service accounts by storing their credentials in a vault and rotating them automatically. Service accounts often have high privileges and are used by applications to authenticate to databases or other services. PAM can update the credentials without breaking the application by using APIs or configuration management tools. For example, CyberArk can rotate a SQL Server service account password and update the SQL Server configuration accordingly.

What is the difference between PASM and PEDM?

PASM (Privileged Account and Session Management) focuses on managing the credentials and sessions of privileged accounts, including password vaulting and session recording. PEDM (Privileged Elevation and Delegation Management) focuses on controlling what commands or actions a user can perform after gaining elevated access. For example, PASM would manage the root password on a Linux server, while PEDM would restrict what commands the root user can run via sudo.
