Many organizations provision domain administrator privileges to IT helpdesk and support staff to expedite management of Active Directory (AD), end-user devices, and servers. While domain admin rights are required to perform some high-level AD tasks, they are not needed for day-to-day management of domain-joined PCs, servers, or AD. The Domain Admins group is added to the local Administrators group on every domain-joined device, so one way to provide remote access for IT staff is to simply add accounts to the Domain Admins group.
But with domain admin privileges comes great responsibility. Domain admin rights grant complete access to the domain and, potentially, the ability to get access to any parent domains in the forest. They are the keys to your kingdom and anybody who has access to them can provide themselves, or inadvertently a hacker, the ability to wipe out all systems joined to the domain and gain access to confidential systems and data.
When users log in to devices with administrator privileges, it makes the hacker’s job easier and it can lead to pass-the-hash (PtH) attacks, where security tokens are used to log in as a user regardless of whether the hacker knows an account password. Cached credentials, access to the Security Accounts Manager (SAM) database, and unsanctioned changes all pose a risk—not only to individual devices, but also to all systems where administrator rights are used for everyday computing tasks.
3 Rules for Active Directory Administration
When planning how you will manage Windows and Active Directory, bear in mind these three rules:
- Isolate domain controllers so that they are not performing other tasks. Use virtual machines (VMs) where necessary. This makes it easier to remove domain admin rights from IT staff. If domain controllers (DCs) are only performing one function, it is less likely you will need to grant access for staff to maintain other applications or server roles.
- Delegate privileges using the Delegation of Control Wizard. IT staff that need access to AD for resetting passwords and performing everyday user and group management tasks can be delegated privileges to do just that—without any privileged access to the directory.
- Use the Remote Server Administration Tools (RSAT) or PowerShell to manage Active Directory. Interactive logins to domain controllers at the console or using Remote Desktop (RDP) should be avoided. When IT staff must access a DC using a privileged account, use a Privileged Access Workstation (PAW) that is secured to the same standard as your DCs. For example, DCs and PAWs in general should not have access to the Internet. Domain controllers can be patched using Windows Server Update Services (WSUS) and/or System Center Configuration Manager (SCCM); and DC event logs should be forwarded to a SIEM or a Windows member server. If regular access is needed for DCs to perform a specific function, consider using PowerShell Just Enough Administration (JEA) to grant access.
Local Accounts for Remote Support
If you have unique local administrator passwords set on each domain-joined device, you can enable remote network access for local accounts. Using unique passwords on each device blocks PtH attacks and prevents compromised domain accounts from accessing all servers and workstations. Microsoft’s Local Administrator Password Solution (LAPS) helps organizations set unique local administrator passwords and then securely store them in AD where they can be accessed and managed by approved staff. However for enterprise password management that extend beyond this simple use case, you will need to leverage third-party solutions, such as BeyondTrust Password Safe.
Domain Accounts for Remote Support
If you are not able to use local accounts, the alternative is to use domain accounts. Instead of adding accounts to the Domain Admins group, one option is to create a group for each domain-joined device, configure Group Policy Preferences to add the groups to the devices, and then add IT staff accounts to the new domain groups as needed. The process of creating groups can be automated using PowerShell.
While this isn’t as bulletproof as using unique local accounts on each device, creating domain groups is more secure than adding accounts to the Domain Admins group. You just need to watch out for token bloat if you add users to many groups.
Eliminate Use of Administrator Accounts
If you are currently using domain admin privileges for managing AD, servers, and end-user devices, devise a plan to remove that access and delegate control to protect Active Directory and other systems from attack or accidental changes. If you want to completely remove administrator rights, a third-party Privileged Access Management (PAM) solution, such as those provided by BeyondTrust, can help you completely and efficiently eliminate use of administrator accounts.
For a deeper dive on this topic, check out my on-demand webinar, Best Practices for Efficiently Administering Windows without Domain Admin Privileges
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.