3 Tales of Systems Architecture Dilemmas

13.05.2009

Most of our IT staff had full access to all of our production systems using their ordinary user accounts, the same accounts they used for e-mail and everyday work. In a security audit and penetration test, the testers exploited exactly that and ended up owning our Windows domain and most of our production database servers.

We've now removed everyone's ordinary user accounts from Domain Admins, DBA and application root accounts, and the like. Technical system administrators who need regular access to sensitive systems and data have a separate account for that purpose with a much stronger password, and we audit all use of that account with audit tools and a password vault tool from Cyber Ark.
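One way to keep checking that the cleanup sticks is a scheduled report of who actually sits in the privileged groups. The script below is an added example, not something from this post or from Cyber Ark: it walks the privileged Active Directory groups (nested membership included) and flags any member that is not a dedicated admin account. It assumes the ActiveDirectory RSAT module is installed and that dedicated admin accounts follow an "adm-" naming prefix; the group list, prefix and 90-day password age are all assumptions you would replace with your own.

```powershell
# Added example (not from the original post or from Cyber Ark): list members of
# privileged AD groups that look like everyday user accounts rather than dedicated
# admin accounts. Assumes RSAT ActiveDirectory module and an "adm-" prefix convention.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$AdminPrefix      = 'adm-'   # assumed naming convention for separate admin accounts
$MaxPasswordAge   = 90       # days; assumed policy for privileged accounts

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so an everyday account hidden two groups deep is still seen.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, PasswordLastSet, LastLogonDate
            $issues = @()
            if ($u.SamAccountName -notlike "$AdminPrefix*") {
                $issues += 'everyday user account, not a dedicated admin account'
            }
            # Null PasswordLastSet means "must change at next logon" or never set; treat as stale.
            if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAge)) {
                $issues += "password not set or older than $MaxPasswordAge days"
            }
            if (-not $u.Enabled) {
                $issues += 'disabled account still holds privilege'
            }
            if ($issues) {
                [pscustomobject]@{
                    Group           = $group
                    Account         = $u.SamAccountName
                    PasswordLastSet = $u.PasswordLastSet
                    LastLogonDate   = $u.LastLogonDate
                    Issues          = ($issues -join '; ')
                }
            }
        }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it as a scheduled job that e-mails a non-empty result, and treat any row as a ticket to raise: either the account is someone's everyday login that crept back into Domain Admins, or it is an admin account whose password has not been rotated.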

Many of our application and DBA folks need a good deal less routine access to production systems. For those systems, we have removed ALL routine admin access and replaced it with a small number of shared "firefighter accounts." These accounts are stored in the password vault and protected by a very strong password. There's a process for entering a ticket, obtaining approval and documenting the work in our ticketing system. The password vault also requires several levels of approval for highly sensitive items, and it reinforces the ticketing by requiring a ticket number and a reason before a password is released. After a password is released, it can be set up to reset automatically after a set time and/or when the requestor checks it back in.

The password vault has also taken control of the credentials that used to be embedded in systems: local administrator accounts on servers and PCs, service accounts, database accounts and application accounts. These accounts were typically never watched closely, and in the past their passwords could NOT be changed without breaking lots of systems. As we have moved these accounts and passwords under the tool's control, we rotate them regularly without issue. Lastly, we now have a disaster recovery copy of them through replication of the vault itself, so our DR/BC plans are tighter as well.
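The reason those passwords could never be changed is that nobody knew where they were used; the rotation itself is easy once the dependents are inventoried first. The script below is an added example, not from this post or from Cyber Ark, showing the manual version of what a vault does for a domain service account: find every Windows service running as the account, reset the password in AD, re-point each service at the new credential and restart it. The account name, server list and password length are assumptions, and it only covers Windows services; scheduled tasks, IIS application pools and connection strings also embed credentials and would need their own inventory.

```powershell
# Added example (not from the original post or from Cyber Ark): rotate a domain service
# account's password and update every Windows service that runs as it, so the rotation
# does not break the systems that embed the credential. Account and servers are assumptions.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc_app'                # assumed service account (DOMAIN\sam format)
$Servers        = @('APP01', 'APP02', 'DB01')   # assumed servers where the account is used

# 64-character alphabet so that "byte % 64" introduces no modulo bias.
function New-RandomPassword {
    param([int]$Length = 32)
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# 1. Inventory first: which services on which servers run as the account. Nothing is
#    changed until we know every dependent. WQL needs the backslash doubled, and this
#    assumes the service was configured with the DOMAIN\sam form rather than a UPN.
$wqlName  = $ServiceAccount -replace '\\', '\\'
$services = foreach ($server in $Servers) {
    Get-CimInstance -ComputerName $server -ClassName Win32_Service -Filter "StartName = '$wqlName'"
}
if (-not $services) {
    throw "No services found running as $ServiceAccount; check the inventory before rotating."
}
$services | Select-Object PSComputerName, Name, State, StartMode | Format-Table -AutoSize

# 2. Reset the password in Active Directory.
$newPassword = New-RandomPassword
$secure      = ConvertTo-SecureString $newPassword -AsPlainText -Force
$sam         = ($ServiceAccount -split '\\')[-1]
Set-ADAccountPassword -Identity $sam -NewPassword $secure -Reset

# 3. Update each service's stored credential, then restart it so it logs on with the new
#    one. A running service keeps working on the old password until its next restart,
#    which is exactly when an un-updated dependent would break.
foreach ($svc in $services) {
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $ServiceAccount
        StartPassword = $newPassword
    }
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$($svc.PSComputerName): $($svc.Name) Change() returned $($result.ReturnValue)"
        continue
    }
    if ($svc.State -eq 'Running') {
        $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
        do { Start-Sleep -Seconds 1; $state = ($svc | Get-CimInstance).State } until ($state -eq 'Stopped')
        $null = Invoke-CimMethod -InputObject $svc -MethodName StartService
    }
}

# 4. The new password now belongs in the vault, not in this session.
Remove-Variable newPassword, secure
```

The ordering matters: inventory, then AD reset, then service updates, done in one sitting. If a dependent is missed in step 1 it keeps running on the old password and fails silently at its next reboot or restart, which is the "breaks lots of systems" failure mode the post describes and the reason a vault that tracks dependents is worth having.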

One portal, many client databases: A privacy challenge