Privileged Access Management for SMBs


If attackers get regular user credentials, they can access that user’s data.

If attackers get admin credentials, they can access everything. Create backdoors. Disable security. Exfiltrate all your data. Deploy ransomware.

That’s why privileged access management matters. Here’s how to do it without enterprise budgets.

What’s Privileged Access

Examples of privileged accounts:

  • Domain administrator
  • Azure/Entra ID Global Administrator
  • Local administrator on workstations
  • Database administrator
  • Application administrator
  • Root access on servers
  • Firewall/network device admins

These accounts can make sweeping changes. They’re the primary target for attackers.

The Essential Eight connection: “Restrict Administrative Privileges” is one of the eight controls. The ACSC recognises this is fundamental to security.

Why SMBs Get This Wrong

Common problems I see:

Everyone’s an admin: IT made everyone local admin on their workstations because it was easier than dealing with access requests.

Shared admin accounts: One “admin” password that everyone knows. No accountability.

Always-on privileges: IT staff use admin accounts for daily work. Email, browsing, everything - all with elevated privileges.

No inventory: Nobody actually knows how many admin accounts exist or who has access.

Legacy accounts: Former employees, consultants from years ago, service accounts nobody remembers - still active with admin rights.

Any of these sound familiar?

The Basic Principles

Principle of least privilege: People should have only the access they need for their role. Nothing more.

Separation of duties: Admin accounts should be separate from daily accounts. Admin activities should require deliberate elevation.

Time-limited access: Privileges should be granted when needed and removed when not. Not “set and forget.”

Accountability: Every admin action should be traceable to an individual. No shared accounts.

Monitoring: Privileged activity should be logged and reviewed.

Step 1: Know What You Have

Before you can manage privileged access, you need to know what exists.

Inventory exercise:

  1. List all systems that have admin accounts
  2. For each system, identify who has admin access
  3. Identify any shared admin accounts
  4. Identify service accounts with elevated privileges
  5. Check for accounts that shouldn’t exist (former staff, old projects)

What you’ll typically find:

  • More admin accounts than expected
  • Some accounts nobody recognises
  • Shared accounts with poor password practices
  • Former employees still with access

This discovery phase is essential. You can’t manage what you don’t know about.
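The inventory exercise above for an Active Directory environment, as an added example that is not from the original article. It assumes the RSAT ActiveDirectory module on a domain-joined host; the group list, the 90-day staleness threshold and the name patterns flagged for review are assumptions to adjust for your own environment.

```powershell
# Enumerate the members of the built-in privileged AD groups (nested groups
# resolved) and flag the patterns discovery usually turns up: disabled or
# stale accounts, passwords that never expire, and generic names that hint at
# shared or service accounts. Output goes to a CSV you can review with IT.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$staleDays        = 90      # assumption: no logon for 90 days counts as stale
$reviewPattern    = '^(admin|svc|shared|temp|test)'   # assumption: names worth a second look

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, which is where forgotten access usually hides
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $flags = @()
            if (-not $_.Enabled) { $flags += 'DISABLED' }
            if (-not $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-$staleDays)) { $flags += 'STALE' }
            if ($_.PasswordNeverExpires) { $flags += 'PWD-NEVER-EXPIRES' }
            if ($_.SamAccountName -match $reviewPattern) { $flags += 'REVIEW-NAME' }
            [pscustomobject]@{
                Group           = $group
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogon       = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                Flags           = ($flags -join ',')
            }
        }
}

# One row per (group, account); the same person appearing in several groups is itself worth noting
$report | Sort-Object Group, Account | Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
$report | Group-Object Account | Where-Object Count -gt 1 |
    ForEach-Object { "{0} is in {1} privileged groups" -f $_.Name, $_.Count }
```

Local administrators on individual workstations are not covered by this query; `Get-LocalGroupMember -Group Administrators` run on each machine (or via your RMM) fills that gap.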

Step 2: Clean Up

Remove unnecessary access:

  • Revoke admin rights from former employees immediately
  • Remove unnecessary local admin rights from users
  • Disable or delete unused admin accounts
  • Document service accounts and their purpose

Separate admin and daily accounts:

IT staff should have:

  • A standard user account for email, browsing, daily work
  • A separate admin account used only for administrative tasks

This is table stakes. If your IT people are browsing the web and checking email with domain admin credentials, that’s a significant risk.

Step 3: Implement Controls

For Microsoft environments:

Local Administrator Password Solution (LAPS): Free tool from Microsoft. Provides unique, regularly rotated passwords for local admin accounts on each workstation. Essential and often overlooked.

Entra ID Privileged Identity Management (PIM): If you have Entra ID P2 licensing, PIM provides just-in-time admin access. Admins don’t have permanent privileges - they request elevation when needed, for a limited time.

Conditional Access for admins: Require additional verification for admin account access. Block access from unknown devices or locations.

For general use:

Password managers: Admin credentials should be stored in a password manager (1Password, Bitwarden, Keeper), not shared spreadsheets or memory.

MFA everywhere: All admin accounts should require MFA. Phishing-resistant MFA (FIDO2 keys, passkeys) for the most privileged.

Session time limits: Admin sessions should time out. Don’t leave an admin session open all day.

Step 4: Monitor and Review

Logging: Ensure admin activities are logged. Azure/Entra audit logs. Windows event logs. Application logs.

Alerting: Alert on suspicious admin activity:

  • Admin logins from unusual locations
  • After-hours admin activity
  • New admin accounts created
  • Security settings changed
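The alert conditions above, pulled from the Windows Security log, as an added example that is not from the original article. It assumes account-management and policy-change auditing is enabled, that it runs elevated on a domain controller or the host being watched, and that 07:00 to 19:00 on weekdays is the normal working window; the event-ID table covers new accounts, additions to privileged groups and audit-policy changes.

```powershell
# Well-known Windows Security event IDs matching the alert list above.
$watchedEvents = @{
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4719 = 'System audit policy changed'
}

function Get-SuspiciousAdminEvent {
    param(
        [int]$LookbackHours     = 24,
        [int]$BusinessStartHour = 7,    # assumption: business hours 07:00-19:00
        [int]$BusinessEndHour   = 19
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$watchedEvents.Keys
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # -ErrorAction SilentlyContinue: "no events found" is reported as an error by Get-WinEvent
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields (SubjectUserName, TargetUserName, MemberName) are only reliable via the XML view
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $weekend    = $_.TimeCreated.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
        $afterHours = $weekend -or $_.TimeCreated.Hour -lt $BusinessStartHour -or $_.TimeCreated.Hour -ge $BusinessEndHour
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            What       = $watchedEvents[$_.Id]
            Actor      = $data['SubjectUserName']     # who made the change
            # Group-membership events carry the added account in MemberName and the group in TargetUserName
            Target     = if ($data.ContainsKey('MemberName')) { $data['MemberName'] } else { $data['TargetUserName'] }
            Group      = if ($data.ContainsKey('MemberName')) { $data['TargetUserName'] } else { '' }
            AfterHours = $afterHours
        }
    }
}

# Every watched event is worth a look; after-hours ones are the ones to page on
Get-SuspiciousAdminEvent | Sort-Object Time | Format-Table -AutoSize
Get-SuspiciousAdminEvent | Where-Object AfterHours | Export-Csv .\after-hours-admin-events.csv -NoTypeInformation
```

Run it from a scheduled task and forward the CSV (or the objects) to whatever you already use for alerting; in Entra-only environments the equivalent signal is the audit log rather than the Security log.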

Regular review: Quarterly review of who has admin access. Does everyone on the list still need it?

Practical Implementation for SMBs

Week 1: Discovery

  • List all admin accounts across systems
  • Identify shared or unknown accounts
  • Document current state

Week 2: Quick wins

  • Remove access for former employees
  • Implement LAPS if using Windows
  • Enable MFA on all admin accounts

Week 3: Separation

  • Create separate admin accounts for IT staff
  • Begin using standard accounts for daily work
  • Document the policy

Week 4: Monitoring

  • Enable admin activity logging
  • Set up basic alerts for suspicious activity
  • Schedule quarterly access reviews

The Just-in-Time Ideal

The gold standard for privileged access is just-in-time (JIT) access.

How JIT works:

  1. Admin needs to perform a privileged task
  2. Admin requests elevation through a system
  3. Request is approved (automatically or by a person)
  4. Admin gets elevated access for a limited time
  5. Access is automatically revoked when the time expires

Benefits:

  • Privileges aren’t always active
  • Creates an audit trail of access requests
  • Forces deliberate action rather than habit
  • Limits damage from compromised credentials

How to implement:

  • Microsoft Entra PIM (requires P2 licensing)
  • CyberArk, BeyondTrust, Delinea (enterprise PAM tools)
  • Some RMM tools offer similar capabilities

For many SMBs, full JIT isn’t practical yet. But understanding the concept helps you work toward it.

Service Accounts

Service accounts - used by applications rather than people - need special attention.

Risks:

  • Often have high privileges
  • Rarely have passwords changed
  • Don’t have associated people for accountability
  • Forgotten but still active

Best practices:

  • Document all service accounts and their purpose
  • Use unique, strong passwords (managed in a password vault)
  • Apply principle of least privilege (only the access needed)
  • Review regularly for necessity
  • Consider managed service accounts or group managed service accounts in Windows

What Not to Do

Don’t:

  • Share admin passwords via email or chat
  • Store admin passwords in unencrypted files
  • Use the same password for multiple admin accounts
  • Give admin rights to “just get things working”
  • Forget to revoke access when people leave
  • Leave default admin passwords unchanged
  • Skip MFA on admin accounts to save time

Each of these creates risk.

Working with IT Providers

If you use a managed service provider, privileged access management needs to be part of the conversation.

Questions to ask:

  • How are your engineer admin accounts managed?
  • Do engineers use unique accounts or shared credentials?
  • Is access logged and reviewable?
  • How quickly is access revoked when someone leaves your company?
  • What MFA is required for accessing our systems?

Your provider’s privileged access management affects your security.

The Insurance Connection

Cyber insurers are asking about privileged access:

Common questions:

  • Do you use MFA on all admin accounts?
  • Are admin privileges separated from daily accounts?
  • How are admin passwords managed?
  • Do you conduct regular access reviews?

Good answers help with premiums and claims. Poor practices may affect coverage.

Getting Help

Privileged access management is an area where working with AI consultants in Melbourne or similar specialists can accelerate progress.

They can:

  • Conduct privileged access discovery
  • Design appropriate controls for your size
  • Implement technical solutions (LAPS, PIM, PAM)
  • Establish review and monitoring processes

The combination of proper tooling and good processes is more effective than either alone.

Metrics to Track

Inventory metrics:

  • Number of admin accounts
  • Number of accounts per person with admin access
  • Number of shared admin accounts

Process metrics:

  • Time to revoke access for departing staff
  • Frequency of access reviews
  • Number of admin accounts without MFA

Improvement over time: Track these monthly. Numbers should improve as you implement controls.

Common Excuses (and Responses)

“We’re too small to worry about this.” Attackers specifically target small businesses because of weaker controls. Size doesn’t reduce risk.

“It’s too inconvenient.” Separating admin and daily accounts adds some inconvenience. Less inconvenient than recovering from a breach.

“We trust our people.” This isn’t about trust. It’s about protecting your people from compromise. Their credentials can be stolen regardless of their trustworthiness.

“We don’t have the tools.” LAPS is free. MFA is included in most plans. Separation requires no tools, just process.

Final Thought

Privileged access is the most valuable target in your environment. Protecting it is one of the highest-impact security investments you can make.

Start with discovery. Implement separation. Add controls incrementally. Review regularly.

Working with specialists like Team400 can help design and implement PAM approaches appropriate for your size. But even basic steps - MFA on admin accounts, separation from daily accounts, removal of unnecessary access - significantly reduce risk.

The attackers are after admin credentials. Don’t make it easy.