Active Directory is a gateway for hackers to your entire IT infrastructure. Despite this, IT staff are routinely granted privileged access to Active Directory, which leaves the environment susceptible to threats and may allow malicious actors to infiltrate the deepest levels of your infrastructure while hiding their tracks. But a few simple Active Directory security best practices can significantly reduce the risk of a breach.
The principle of least privilege is a well-known security paradigm that dictates users should be granted only the rights required to perform designated tasks. IT staff are often given domain admin privileges to Active Directory (AD) to expedite access to domain controllers (DCs) and administrative access to servers and end-user devices. But domain admin privileges are not required for managing Active Directory or for supporting servers and workstations. When domain admin rights are required, they should be granted for a time-limited period, and only used on systems secured to the same standards as domain controllers.
Want to learn more? Join me in my webinar "8-Step Guide to Administering Windows without Domain Admin Privileges".
The misuse of privileged AD accounts is not the only issue. Because so many organizations have staff logging on to their PCs with local administrative rights, privileged access to AD can be easily obtained without knowing the username and password of a domain administrator account. Password attack techniques like Pass-the-Hash (PtH) and Pass-the-Token allow hackers to access AD using privileged accounts. The existence of admin rights on end-user devices provides hackers with everything needed to exploit Windows and accounts that have logged on.
It might seem logical to conclude that this is a Windows security problem. But in fact, the same issues apply to other platforms. The difference is in the way Windows is used. Part of the problem is that many IT professionals have a limited understanding of the Windows and AD security model. Privileged access to AD isn’t required to reset user passwords. But how do you give the necessary access without issuing domain admin rights? Similarly, domain admin rights are not required to give IT support staff Remote Desktop and local admin access to end-user devices.
Secondly, Windows has historically given users full access to the operating system. It wasn’t until 1989 that Microsoft started to develop Windows NT - a secure, multi-user operating system based on IBM and Microsoft’s OS/2. Windows 3.x, 95, 98, and ME had no concept of different levels of user access. This foundation led to users having certain expectations about the level of access they should have to the OS and an indifferent relationship to security among system administrators. But even with the introduction of Windows NT, using Windows without admin privileges wasn’t easy because the OS wasn’t designed to facilitate the use of standard user accounts.
A More Secure Windows
Fast forward twenty years and using Windows without admin privileges is now a reality, if not a perfect one. Most regular Active Directory tasks can be performed without privileged access. User Account Control (UAC), while primarily a consumer technology, makes it possible to use Windows with a standard user account most of the time. And as part of the work Microsoft undertook with UAC, tasks that were previously impossible to perform without administrative rights can now be run as a standard user.
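The password-reset case raised earlier can be handled by delegation instead of domain admin membership. The following is an added example, not code from the original article: it grants only the Reset Password right on user objects in one OU to a help desk group, then lists every principal holding that right so the delegation can be reviewed. The OU `OU=Staff,DC=corp,DC=example` and the group `HelpDesk-PasswordReset` are assumed names.

```powershell
# Added example: delegate "Reset Password" on a single OU to a help desk group.
# Assumptions (not from the article): the OU DN and group name below, and that
# the RSAT ActiveDirectory module is installed on the admin workstation.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=corp,DC=example'   # assumed OU containing standard user accounts
$groupName = 'HelpDesk-PasswordReset'        # assumed delegation group

# Well-known directory GUIDs
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user

$group = Get-ADGroup -Identity $groupName

# Allow ACE: the extended right only, applied to descendant user objects only.
# No write access to group membership, no rights on computers or on the OU itself.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review: every principal that can reset passwords in this OU, not just the new group.
# Unexpected entries here are delegations that should be investigated.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $resetPassword -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

Keep privileged and service accounts out of any OU delegated this way, because the ability to reset an account's password is equivalent to control of that account.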
Join me for a webinar where I will examine how to secure and restrict the use of privileged Active Directory accounts, while still enabling IT staff to manage AD, administer domain controllers, and support servers and end-user devices. Topics covered will include:
- Managing built-in administrator accounts
- Delegating access to Active Directory
- Using PowerShell for remote administration
- Managing access to privileged domain groups