The Buyer's Guide for Complete Privileged Access Management (PAM) is the most thorough tool for holistically assessing your privileged access security needs and mapping them to modern privilege management solutions.
Auditors often discover that domain administrator privileges are assigned to IT staff with abandon, and not strictly limited to the just-in-time (JIT) use on domain controllers (DCs) that Microsoft and security experts recommend. This is partly due to the default local group configuration on Windows clients, where domain administrators automatically become members of the local Administrators group when a device joins a domain, which in turn gives the local and remote access needed to support end users. In a similar vein, the same applies to domain member servers.
Check out this on-demand webinar on best practices for managing domain admin accounts to learn pro-tips to protect your organization from critical attacks.
The risks of using privileged domain accounts on devices that are not secured to the same level as DCs increases the chances that domain administrator credentials could be exposed. Windows caches credentials by default to authenticate users when a domain controller can’t be reached, including those of domain administrator accounts that have previously logged in to a device. As such, a compromised workstation or member server can also lead to stolen domain administrator credentials.
Additionally, running with local and domain administrator credentials can result in changes being made to critical systems accidentally, or by malicious processes running under the same account as the logged in user. Assigning domain administrator accounts to IT staff makes them a target, because hackers know that they can provide an entry point to not one, but multiple systems with the privileges needed to run exploits.
In this webinar on managing domain admin accounts, I’ll show you how clients and member servers can be configured so that IT staff can get the privileges and remote access required, without adding accounts to the Domain Admins group. I’ll also take a look at PowerShell JIT administration, and how access should be granted to DCs, so that the overall level of security can be improved without compromising usability.
