Delegating Privileges to Domain Controllers and Active Directory without the Security Risk

July 13, 2016

As security professionals, we know that granting IT admins access to the domain admins group is a risk, especially considering that Microsoft has made it ever-easier to manage Windows as a standard user. However, you’d be surprised at how often we run into that use case in the field.

Fortunately, Windows Active Directory has native capabilities that let you delegate privileges without granting admin rights on DCs or in AD. This post walks through native Active Directory security steps you can take advantage of, and the commercial options available to help with the effort.

Download 'How to Delegate Privileges to Safely Manage Domain Controllers and Active Directory' today.

7 Steps to Take to Improve Control Over Domain Admin Privileges in Active Directory

  1. Audit privileged AD groups. The first step is to establish which accounts have been added to the Domain Admins, Enterprise Admins or Schema Admins groups in AD.
  2. Isolate DCs. Use virtualization as much as possible to isolate DCs from other server roles and applications such as Exchange.
  3. Use read-only DCs. RODCs contact a writeable DC for user authentication and don’t store account credentials locally, so if an RODC were compromised, no changes could be made on it and replicated to other DCs in the domain.
  4. Use accounts specifically reserved for DC support. Set up a process for issuing access to the domain admin account, which should be centrally stored and rotated on a regular basis.
  5. Consider PowerShell Just Enough Administration (JEA). JEA allows organizations to granularly restrict access to servers, limiting the cmdlets, modules and parameters that can be executed.
  6. Use Just-in-Time Administration (JIT) in Windows Server 2016. With this feature, shadow groups are created in a bastion forest; when access to a resource in AD is required, a secondary account for the user is added to the shadow group and removed after a given time.
  7. Utilize organizational units (OUs) to group AD objects for management purposes. Since each OU can be managed by a different set of GPOs or delegated permissions, it’s possible to separate privileged AD accounts, service accounts, etc. so they can be managed with finer-grained password policies. The Delegation of Control Wizard in Active Directory Users and Computers (ADUC) allows privileges to be assigned to an AD group for each OU. Restricted Groups can be used to define and enforce membership of built-in AD groups.
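The following script is an added example, not code from the original post or from BeyondTrust, showing how steps 1, 3 and 5 above can be carried out with native tooling: it reports the recursive membership of the three privileged groups with account hygiene fields, lists which DCs are read-only, and builds a JEA endpoint that lets a helpdesk role restart two named services without Administrators membership. It assumes the ActiveDirectory RSAT module is installed and that the caller can read AD; the role name `ServiceRestarter`, the group `CONTOSO\Helpdesk`, the module folder `HelpdeskJea` and the service names are placeholders you would replace.

```powershell
# Added example (not part of the original post). Assumes RSAT's ActiveDirectory module
# and read access to the domain; run from an elevated, domain-joined admin workstation.
Import-Module ActiveDirectory

# Step 1: audit the most sensitive built-in groups. -Recursive expands nested groups,
# which is where forgotten admin access usually hides.
function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    foreach ($group in $Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') {
                # Computer objects (or anything else) in an admin group deserve their own review.
                [pscustomobject]@{ Group = $group; Account = $m.SamAccountName; Class = $m.objectClass
                                   Enabled = $null; PasswordLastSet = $null; LastLogonDate = $null }
                continue
            }
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, PasswordLastSet, LastLogonDate
            [pscustomobject]@{
                Group           = $group
                Account         = $u.SamAccountName
                Class           = 'user'
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet   # stale passwords on admin accounts stand out here
                LastLogonDate   = $u.LastLogonDate     # unused admin accounts are candidates for removal
            }
        }
    }
}

# Step 3: show which DCs are read-only, so branch or DMZ sites can be checked for RODC use.
function Get-DomainControllerRoles {
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem
}

# Step 5: a JEA endpoint. The session runs as a virtual account, exposes only the listed
# cmdlets, validates the -Name argument of Restart-Service, and transcribes every session.
# Placeholder names: 'ServiceRestarter', 'CONTOSO\Helpdesk', 'HelpdeskJea', 'Spooler', 'W32Time'.
function New-HelpdeskJeaEndpoint {
    param(
        [string]$RoleName     = 'ServiceRestarter',
        [string]$AllowedGroup = 'CONTOSO\Helpdesk',
        [string]$ModulePath   = "$env:ProgramFiles\WindowsPowerShell\Modules\HelpdeskJea"
    )
    # Role capability files must live in a module's RoleCapabilities folder on PSModulePath.
    $capDir = Join-Path $ModulePath 'RoleCapabilities'
    New-Item -ItemType Directory -Path $capDir -Force | Out-Null
    New-ModuleManifest -Path (Join-Path $ModulePath 'HelpdeskJea.psd1')

    New-PSRoleCapabilityFile -Path (Join-Path $capDir "$RoleName.psrc") -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    )

    $pssc = Join-Path $ModulePath "$RoleName.pssc"
    New-PSSessionConfigurationFile -Path $pssc `
        -SessionType RestrictedRemoteServer `
        -RunAsVirtualAccount `
        -TranscriptDirectory 'C:\JEATranscripts' `
        -RoleDefinitions @{ $AllowedGroup = @{ RoleCapabilities = $RoleName } }

    Register-PSSessionConfiguration -Name $RoleName -Path $pssc -Force | Out-Null
    return $pssc
}

# Usage: print the audit and the DC roles. The JEA function is deliberately not invoked here;
# call New-HelpdeskJeaEndpoint on the target server once the placeholders are replaced.
Get-PrivilegedGroupReport | Sort-Object Group, Account | Format-Table -AutoSize
Get-DomainControllerRoles | Format-Table -AutoSize
```

Two caveats worth knowing before relying on the audit: Enterprise Admins and Schema Admins exist only in the forest root domain, so run the report there, and `Get-ADGroupMember -Recursive` stops with an error when a member is a foreign security principal it cannot resolve, which is itself a finding to follow up rather than suppress. Helpdesk staff connect to the JEA endpoint with `Enter-PSSession -ComputerName <server> -ConfigurationName ServiceRestarter`, and the transcripts give you a record of exactly what was run.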

Simplifying the Enforcement of These Steps

BeyondTrust offers options to help you simplify the implementation and enforcement of these best practice steps.

Windows Delegation and Command Elevation

Privilege Management is built around least privilege, a security model that gives users Just Enough Rights (JER) to perform the tasks and duties of their roles. It works by installing an agent on a Windows server or client. From a centralized console, rules are delivered to all nodes or a subset of them that control the permissions and privileges a process has, or prevent the process from running altogether.

Shared Application Password Management

At times, true administrator (local or domain) access will be needed. Manually controlling which accounts have these rights, which users hold the credentials for these accounts, and what those passwords are is highly prone to security and user error. Password Safe manages enterprise credentials by randomly generating them and cycling them on a schedule or upon release. Users are associated with access policies that determine under what circumstances they should be allowed a remote session to Windows, Unix/Linux or network devices. Remote sessions can be recorded, providing full video playback with keystroke logging.

AD and Group Policy Change Auditing

BeyondTrust Auditor maintains a constant, real-time audit of activity within Active Directory, including monitoring of permissions and changes to structure, and even protection against unauthorized changes. A full audit report is provided, along with the ability to roll back changes made at any point in time.
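As an added example (not part of the original post and not BeyondTrust Auditor), the function below shows the native building block behind this kind of change auditing: it reads the Security log on a domain controller for the group-management events Windows raises when a member is added to or removed from a security group (4728/4729 for global groups such as Domain Admins, 4756/4757 for universal groups such as Enterprise Admins and Schema Admins, 4732/4733 for domain-local groups such as Administrators) and keeps only the privileged groups. It assumes the "Audit Security Group Management" subcategory is enabled for Success on the DCs and that the caller can read the remote Security log; the default 24-hour window and the group list are assumptions you would tune.

```powershell
# Added example (not part of the original post). Requires success auditing of the
# "Audit Security Group Management" subcategory on the DC and rights to read its Security log.
function Get-PrivilegedGroupChange {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME   # name of a domain controller
    )
    # Added to group: 4728 (global), 4756 (universal), 4732 (domain-local).
    # Removed from group: 4729 (global), 4757 (universal), 4733 (domain-local).
    $added   = 4728, 4756, 4732
    $removed = 4729, 4757, 4733

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = ($added + $removed); StartTime = $Since
    } -ErrorAction SilentlyContinue    # no matching events yields nothing rather than an error

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than relying on
        # positional Properties, so the parsing survives template differences between IDs.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($Groups -notcontains $d['TargetUserName']) { continue }   # TargetUserName = group name

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = if ($e.Id -in $added) { 'Added' } else { 'Removed' }
            Group     = $d['TargetUserName']
            Member    = $d['MemberName']                     # DN of the account that was added/removed
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            DC        = $e.MachineName
        }
    }
}

# Usage: list privileged-group changes on this DC in the last 24 hours, oldest first.
Get-PrivilegedGroupChange | Sort-Object Time | Format-Table -AutoSize
```

Each change is written on the DC that processed it, so a complete picture means querying every writeable DC (or collecting these events centrally with Windows Event Forwarding or a SIEM). Rollback is the part native tooling does not give you here; the record of who changed what and when is what lets you decide whether a change was authorized.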

Want more best practice guidance on securing AD and Domain Controllers? Check out the complete white paper, written by me and IT and security expert Russell Smith.

Jason Silva, Sr. Solutions Engineer, BeyondTrust

Jason Silva brings over 25 years of solutions and management experience to the industry. Currently serving as Senior Solutions Engineer for BeyondTrust's Universal Privilege Management Platform, he uses this knowledge to help customers realize the value of our solutions throughout the product lifecycle. Earlier in his career, he found success as a software developer in a global consulting company and spent over four years managing IT and regulatory compliance in the banking industry.

Specialties: Microsoft Active Directory, Microsoft Group Policy, Pre and Post Sales Training, Sales Engineering, Enterprise Security Tools, Privileged Access Management
