Overview
Privileged Account Discovery is the "Search and Rescue" mission of PAM. You cannot secure what you don't know about. Most organizations believe they have hundreds of admin accounts, but Discovery reveals they have thousands.
These accounts hide in:
- Local Groups: "Administrators" group on desktops/servers.
- Service Accounts: Running Windows Services or Scheduled Tasks.
- Hardcoded Scripts: Passwords embedded in PowerShell or Python.
- Cloud IAM: Shadow admins in AWS/Azure.
- DevOps Tools: Jenkins, Ansible, Kubernetes secrets.
Continuous discovery is essential because new servers and accounts are created daily.
Architecture
Reference Pattern: The Continuous Scanner
Discovery is not a one-time event. It is a loop: Scan -> Classify -> Onboard -> Monitor.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Scan Method | Authenticated, Unauthenticated, Passive | Authenticated | You need credentials to log into a server and check its local groups. Network sniffing (passive) misses too much. |
| Frequency | Weekly, Daily, Continuous | Continuous (or Daily) | In Cloud environments, assets spin up and down in minutes. Weekly scans are blind. |
| Scope | Windows Only, Full Stack | Full Stack | Don't ignore Linux, Databases, or Network Devices (Cisco/Juniper). |
| Action | Report Only, Auto-Onboard | Report + Manual Triage | Auto-onboarding can break things (e.g., rotating a service account password immediately). Triage first. |
| Shadow IT | Ignore, Block, Scan | Scan | Use Cloud APIs to find subscriptions/accounts you didn't know existed. |
Implementation
Phase 1: The Domain Scan
- Scan Active Directory for accounts with "Admin" privileges (check nested groups!).
- Identify Service Accounts (SPNs).
- Goal: Inventory the centralized keys.
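The "check nested groups" point in Phase 1 is where most shadow admins hide: an account that is nowhere near Domain Admins in a flat listing still has effective admin rights if it sits three groups deep. The following Python is an added example, not part of this page or of any PAM product; it walks a constructed snapshot of group membership (the group DNs, account DNs and the SPN on svc-backup are all invented) breadth-first from each privileged group, records the nesting path, stops on nesting cycles, and tags members that carry a servicePrincipalName as service accounts. In a real scan the same walk would run over data pulled from AD with an authenticated LDAP query.

```python
"""Effective-admin resolution over nested directory groups (added example).

Input is a constructed snapshot shaped like an AD export: each group maps to
its direct members, which may be accounts or other groups. An account is an
effective admin if any chain of nesting leads from a privileged group to it.
"""
from collections import deque

# Constructed: group DN -> direct member DNs (accounts or groups).
GROUP_MEMBERS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": [
        "CN=alice,CN=Users,DC=corp,DC=example",
        "CN=Infra Ops,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Infra Ops,OU=Groups,DC=corp,DC=example": [
        "CN=bob,CN=Users,DC=corp,DC=example",
        "CN=Backup Team,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Backup Team,OU=Groups,DC=corp,DC=example": [
        "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
        "CN=Infra Ops,OU=Groups,DC=corp,DC=example",  # nesting cycle, seen in real directories
    ],
    "CN=Helpdesk,OU=Groups,DC=corp,DC=example": [
        "CN=carol,CN=Users,DC=corp,DC=example",
    ],
}

# Constructed: accounts that carry a servicePrincipalName attribute.
ACCOUNT_SPNS = {
    "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example": ["MSSQLSvc/db01.corp.example:1433"],
}

PRIVILEGED_GROUPS = ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]


def effective_members(group, members=GROUP_MEMBERS):
    """Return {account_dn: [group chain]} for every account reachable from `group`.

    Simplification: anything that appears as a key of `members` is treated as a
    group; a real scanner would check objectClass instead.
    """
    found = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in members.get(current, []):
            if member in members:            # nested group: descend once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in found:        # leaf account, keep the first chain found
                found[member] = path
    return found


def classify_privileged(privileged_groups=PRIVILEGED_GROUPS,
                        members=GROUP_MEMBERS, spns=ACCOUNT_SPNS):
    """Inventory of effective admins: direct vs nested, and whether each is a service account."""
    inventory = {}
    for group in privileged_groups:
        for account, path in effective_members(group, members).items():
            inventory[account] = {
                "via": group,
                "nested": len(path) > 1,          # rights come through at least one sub-group
                "path": path,
                "service_account": account in spns,
            }
    return inventory


if __name__ == "__main__":
    for account, info in classify_privileged().items():
        tag = "SERVICE " if info["service_account"] else ""
        depth = "nested x%d" % (len(info["path"]) - 1) if info["nested"] else "direct"
        print(f"{tag}{account}  ({depth} via {info['via']})")
```

Running it lists alice as a direct member, bob as nested one level down, and svc-backup as a service account two levels down; carol, who is only in Helpdesk, is not reported. The cycle between Infra Ops and Backup Team terminates because of the `seen` set, which is the part that most often goes wrong in home-grown discovery scripts.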
Phase 2: The Endpoint Scan
- Scan all Servers and Workstations for local administrator accounts.
- Identify backdoor accounts created by vendors or malware.
- Goal: Clean up the "Local Admin" mess.
Phase 3: The DevOps & Cloud Scan
- Scan AWS/Azure/GCP for IAM Users and Roles with effective admin permissions.
- Scan GitHub/GitLab for hardcoded secrets.
- Goal: Secure the modern perimeter.
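Phase 3 asks for IAM users and roles with "effective" admin permissions, which is a policy-evaluation question rather than a group-membership one. The Python below is an added example written for this page, not code from any cloud provider or PAM vendor. It models the AWS-style policy document shape (Statement, Effect, Action, Resource) with constructed principals, groups and policies, and flags a principal as an effective admin if any Allow statement reaching it (attached directly, through a group, or inline) grants all actions on all resources, or `iam:*` on all resources, since full IAM control lets the holder grant itself anything else. It deliberately ignores Deny statements, NotAction and Conditions; a production evaluator must handle those, and the comments mark the simplification.

```python
"""Effective cloud admin detection over IAM-style policy documents (added example).

All policies, groups and principals below are constructed. The policy shape
follows the AWS IAM JSON document format; the evaluation is a deliberately
narrow subset (Allow + wildcard action + wildcard resource) and does not
model Deny, NotAction or Condition.
"""

# Constructed managed policies, keyed by name rather than ARN.
POLICIES = {
    "AdministratorAccess": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadOnly": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "IamFullAccess": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},
}

# Constructed groups -> attached managed policies.
GROUPS = {"ops": ["IamFullAccess"], "auditors": ["ReadOnly"]}

# Constructed principals with direct, group and inline policy attachments.
PRINCIPALS = {
    "dave":  {"policies": ["AdministratorAccess"], "groups": [], "inline": []},
    "erin":  {"policies": [], "groups": ["ops"], "inline": []},
    "frank": {"policies": [], "groups": ["auditors"], "inline": [
        # Action "*" but scoped to one bucket prefix: broad, yet not account-wide admin.
        {"Statement": [{"Effect": "Allow", "Action": "*",
                        "Resource": "arn:aws:s3:::reports/*"}]}]},
    "grace": {"policies": [], "groups": ["auditors"], "inline": []},
}

# Actions that, combined with Resource "*", amount to full control of the account.
ADMIN_ACTIONS = ("*", "iam:*")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def statement_grants_admin(stmt):
    """True if one Allow statement grants an admin-equivalent action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if "*" not in _as_list(stmt.get("Resource", [])):
        return False
    return any(action in ADMIN_ACTIONS for action in _as_list(stmt.get("Action", [])))


def documents_for(principal):
    """Every policy document that applies to a principal, with where it came from."""
    entry = PRINCIPALS[principal]
    docs = [("managed", name, POLICIES[name]) for name in entry["policies"]]
    for group in entry["groups"]:
        docs += [("group:" + group, name, POLICIES[name]) for name in GROUPS[group]]
    docs += [("inline", "inline-%d" % i, doc) for i, doc in enumerate(entry["inline"])]
    return docs


def effective_admins():
    """Map each effective-admin principal to the first attachment that makes it one."""
    result = {}
    for principal in PRINCIPALS:
        for source, name, doc in documents_for(principal):
            if any(statement_grants_admin(s) for s in doc.get("Statement", [])):
                result[principal] = f"{source}/{name}"
                break
    return result


if __name__ == "__main__":
    for principal, via in effective_admins().items():
        print(f"{principal}: effective admin via {via}")
```

dave is caught through a direct attachment and erin only through group membership, which is the cloud analogue of the nested-group shadow admin. frank's inline policy has a wildcard action but a scoped resource, so he is reported as not admin here; whether such a principal still warrants onboarding is a triage decision, not something the detector should decide on its own.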
Risks
- Scanner Blocking: Firewalls or IPS may block the scanner, giving a false sense of "clean" results.
- Service Account Outages: Vaulting and rotating a discovered service account before anyone has checked what depends on it will break the application that uses it.
- False Positives: Identifying a standard user as an admin because of a misconfigured group.
- Blind Spots: Non-domain joined machines or isolated networks that the scanner cannot reach.
KPIs
- Discovery Coverage: Percentage of the network/infrastructure address space successfully scanned.
- Unmanaged Account Rate: Number of privileged accounts found that are NOT managed by the PAM vault.
- Shadow Admin Detection: Number of accounts identified with "effective" admin rights (e.g., via nested groups) that were unknown.
- Service Account Inventory: Percentage of discovered service accounts mapped to a valid business owner.
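The Classify and Onboard steps of the loop, the "Report + Manual Triage" decision from the Key Decisions table, and the four KPIs above come together in one small roll-up over a scan result. The Python below is an added example for this page, not output from any PAM product: it takes constructed scanner records (account, kind, source, whether rights are nested, whether the account was already known), a constructed list of accounts already in the vault, and a constructed owner map, then splits unmanaged findings into an auto-onboard candidate list and a manual triage queue. Service accounts always go to triage, for the outage reason given under Risks, and so do admins found only through nesting, since those are the likeliest false positives.

```python
"""Classify -> Onboard triage and KPI roll-up for one discovery run (added example).

All scan records, the vault inventory and the owner map are constructed.
"""
from dataclasses import dataclass


@dataclass
class Discovered:
    account: str            # e.g. "CORP\\svc-backup" or "host07\\vendoradmin"
    kind: str               # "domain_admin" | "local_admin" | "service_account" | "cloud_admin"
    source: str             # where the scanner found it
    nested: bool = False    # admin rights only via nested group membership
    known: bool = True      # already present in the previous inventory


# Constructed scan result: 20 of 200 in-scope hosts were unreachable (isolated
# network or an IPS dropping the scanner), which the coverage KPI must expose.
SCAN = {
    "in_scope_hosts": 200,
    "scanned_hosts": 180,
    "accounts": [
        Discovered("CORP\\alice", "domain_admin", "ad"),
        Discovered("CORP\\bob", "domain_admin", "ad", nested=True, known=False),
        Discovered("CORP\\svc-backup", "service_account", "ad", nested=True, known=False),
        Discovered("CORP\\svc-sql", "service_account", "ad"),
        Discovered("host07\\vendoradmin", "local_admin", "host07", known=False),
        Discovered("host12\\localadmin", "local_admin", "host12"),
        Discovered("aws:dave", "cloud_admin", "aws"),
    ],
}
VAULTED = {"CORP\\alice", "CORP\\svc-sql", "host12\\localadmin"}   # managed by the PAM vault
OWNERS = {"CORP\\svc-sql": "dba-team"}                              # svc-backup has no owner on record


def triage(scan=SCAN, vaulted=VAULTED):
    """Split unmanaged accounts into auto-onboard candidates and a manual triage queue."""
    auto, manual = [], []
    for d in scan["accounts"]:
        if d.account in vaulted:
            continue                          # already managed, nothing to onboard
        if d.kind == "service_account":
            manual.append(d.account)          # rotation can break the dependent app
        elif d.nested:
            manual.append(d.account)          # confirm the group chain before acting
        else:
            auto.append(d.account)
    return {"auto_onboard": auto, "manual_triage": manual}


def kpis(scan=SCAN, vaulted=VAULTED, owners=OWNERS):
    """The four KPIs from the page, computed over one run."""
    accounts = scan["accounts"]
    unmanaged = [d for d in accounts if d.account not in vaulted]
    shadow = [d for d in accounts if d.nested and not d.known]
    svc = [d for d in accounts if d.kind == "service_account"]
    owned = sum(d.account in owners for d in svc)
    return {
        "discovery_coverage_pct": round(100 * scan["scanned_hosts"] / scan["in_scope_hosts"], 1),
        "unmanaged_accounts": len(unmanaged),
        "unmanaged_rate_pct": round(100 * len(unmanaged) / len(accounts), 1) if accounts else 0.0,
        "shadow_admins": len(shadow),
        "service_accounts_with_owner_pct": round(100 * owned / len(svc), 1) if svc else 0.0,
    }


if __name__ == "__main__":
    for queue, names in triage().items():
        print(f"{queue}: {', '.join(names) or '-'}")
    for name, value in kpis().items():
        print(f"{name}: {value}")
```

On the constructed data the run reports 90% coverage, four of seven privileged accounts unmanaged, two previously unknown shadow admins, and only half of the service accounts mapped to an owner; vendoradmin and the AWS admin are queued for onboarding while bob and svc-backup wait for a human. Trending these numbers per run is what turns a one-off scan into the continuous loop the Architecture section describes.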
