As security professionals, we know that granting IT admins access to the domain admins group is a risk, especially considering that Microsoft has made it ever-easier to manage Windows as a standard user. However, you’d be surprised at how often we run into that use case in the field.
Fortunately, there are native capabilities available in Windows Active Directory to help you delegate privileges without granting admin to DCs and AD. This blog explores some native Active Directory security steps to take advantage of, and what commercial options there are to help in your efforts.
7 Steps to Take to Improve Control Over Domain Admin Privileges in Active Directory
- Audit privileged AD groups. The first step is establishing which accounts have been added to the domain admins, enterprise admins or schema admins groups in AD.
- Isolate DCs. Utilize virtualization as much as possible to isolate DCs from other server roles and applications like Exchange.
- Use read-only DCs. These RODCs contact a writeable DC for user authentication and don’t store account credentials locally. This means that if a RODC were compromised, no changes can be made and replicated to other DCs in the domain.
- Use accounts specifically reserved for the purposes of DC support. Set up a process for issuing access to the domain admin account, which should be centrally stored and rotated on a regular basis.
- Consider PowerShell Just-Enough Administration (JEA). JEA allows organization to granularly restrict access to servers, limiting the cmdlets, modules and parameters that can be executed.
- Use Just-in-Time Administration (JIT) – Windows Server 2016. In this feature, shadow groups are created in a bastion forest and when access to a resource in AD is required, a secondary account for the user is added to the shadow group and removed after a given time.
- Utilize organizational units to group AD objects for management purposes. Since each OU can be managed by a different set of GPOs or delegated permissions, it’s possible to separate privileged AD accounts, service accounts, etc. so they can be managed with finer-grained password policies. The Delegation of Control Wizard in ADUC allows privileges to be assigned to an AD group for each OU. Restricted Groups can be used to define and enforce membership of built-in AD groups.
Simplifying the Enforcement of These Steps
BeyondTrust offers options to help you simplify the implementation and enforcement of these best practice steps.
Windows Delegation and Command Elevation
Focused around the concept of least privilege, a security model of providing users Just Enough Rights (JER) to perform the tasks and duties related to their roles, Privilege Management works by installing an agent on a Windows Server or client. Using a centralized console, rules are delivered, (to all or a subset of nodes) that control the permissions and privileges a process has, or prevent them altogether.
Shared Application Password Management
At times, true administrator (Local or Domain) access will be needed. Manually controlling which accounts have these rights, which users have the credentials for these accounts, and passwords for these accounts is highly prone to security and user error. Password Safe manages enterprise credentials by randomly generating and cycling them by schedule or upon release. Users are associated with access policies, determining under what situations they should be allowed a remote session to Windows, Unix/Linux or network devices. Remote sessions can be recorded, providing a full video playback with keystroke logging.
AD and Group Policy Change Auditing
BeyondTrust Auditor maintains a constant, real-time audit of activities within Active Directory. This includes monitoring permissions, changes to structure, even protections against unauthorized changes. A full audit report is provided along with the ability to roll back changes made at any point in time.
Want more best practice guidance on securing AD and Domain Controllers? Check out the complete white paper, written by myself and IT & Security Expert, Russell Smith.