Cybersecurity Insurance Checklist - Meet Insurance Requirements with BeyondTrust PAM Download for Free

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Effectively Administer Windows - Without Domain Admin Privileges

September 3, 2019

  • Blog
  • Archive

Many organizations provision domain administrator privileges to IT helpdesk and support staff to expedite management of Active Directory (AD), end-user devices, and servers. While domain admin rights are required to perform some high-level AD tasks, they are not needed for day-to-day management of domain-joined PCs, servers, or AD. The Domain Admins group is added to the local Administrators group on every domain-joined device, so one way to provide remote access for IT staff is to simply add accounts to the Domain Admins group.

But with domain admin privileges comes great responsibility. Domain admin rights grant complete access to the domain and, potentially, the ability to get access to any parent domains in the forest. They are the keys to your kingdom and anybody who has access to them can provide themselves, or inadvertently a hacker, the ability to wipe out all systems joined to the domain and gain access to confidential systems and data.

When users log in to devices with administrator privileges, it makes the hacker’s job easier and it can lead to pass-the-hash (PtH) attacks, where security tokens are used to log in as a user regardless of whether the hacker knows an account password. Cached credentials, access to the Security Accounts Manager (SAM) database, and unsanctioned changes all pose a risk—not only to individual devices, but also to all systems where administrator rights are used for everyday computing tasks.

3 Rules for Active Directory Administration

When planning how you will manage Windows and Active Directory, bear in mind these three rules:

1. Isolate domain controllers

Use virtual machines (VMs) where necessary. This makes it easier to remove domain admin rights from IT staff. If domain controllers (DCs) are only performing one function, it is less likely you will need to grant access for staff to maintain other applications or server roles.

2. Delegate privileges using the Delegation of Control Wizard

IT staff that need access to AD for resetting passwords and performing everyday user and group management tasks can be delegated privileges to do just that—without any privileged access to the directory.

3. Use the Remote Server Administration Tools (RSAT) or PowerShell to manage Active Directory

Interactive logins to domain controllers at the console or using Remote Desktop (RDP) should be avoided. When IT staff must access a DC using a privileged account, use a Privileged Access Workstation (PAW) that is secured to the same standard as your DCs. For example, DCs and PAWs in general should not have access to the Internet. Domain controllers can be patched using Windows Server Update Services (WSUS) and/or System Center Configuration Manager (SCCM); and DC event logs should be forwarded to a SIEM or a Windows member server. If regular access is needed for DCs to perform a specific function, consider using PowerShell Just Enough Administration (JEA) to grant access.

Local Accounts for Remote Support

If you have unique local administrator passwords set on each domain-joined device, you can enable remote network access for local accounts. Using unique passwords on each device blocks PtH attacks and prevents compromised domain accounts from accessing all servers and workstations. Microsoft’s Local Administrator Password Solution (LAPS) helps organizations set unique local administrator passwords and then securely store them in AD where they can be accessed and managed by approved staff. However for enterprise password management that extend beyond this simple use case, you will need to leverage third-party solutions, such as BeyondTrust Password Safe.

Domain Accounts for Remote Support

If you are not able to use local accounts, the alternative is to use domain accounts. Instead of adding accounts to the Domain Admins group, one option is to create a group for each domain-joined device, configure Group Policy Preferences to add the groups to the devices, and then add IT staff accounts to the new domain groups as needed. The process of creating groups can be automated using PowerShell.

While this isn’t as bulletproof as using unique local accounts on each device, creating domain groups is more secure than adding accounts to the Domain Admins group. You just need to watch out for token bloat if you add users to many groups.

Eliminate Use of Administrator Accounts

If you are currently using domain admin privileges for managing AD, servers, and end-user devices, devise a plan to remove that access and delegate control to protect Active Directory and other systems from attack or accidental changes. If you want to completely remove administrator rights, a third-party Privileged Access Management (PAM) solution, such as those provided by BeyondTrust, can help you completely and efficiently eliminate use of administrator accounts.

For a deeper dive on this topic, check out my on-demand webinar, Best Practices for Efficiently Administering Windows without Domain Admin Privileges
Photograph of Russell Smith

Russell Smith, IT Consultant & Security MVP

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.

Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Microsoft Vulnerabilities Report 2021

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.