Domain, Schema and Enterprise administrators hold the keys to your Active Directory (AD) kingdom, but it’s not uncommon to find organizations routinely issuing new IT hires with domain administrator privileges to expedite access for support purposes, or at best a proliferation of privileged accounts lying dormant and unaudited, giving attackers a potential way in to your systems.
If it’s a revelation that domain administrator privileges aren’t required to add, delete, or otherwise modify AD objects, then keep reading, because IT staff don’t need to be domain administrators to add devices to the domain or log in using Remote Desktop either. In fact, I can’t think of any reason why a member of IT staff should be permanently granted privileged access to AD.
Get Organized – OUs and Delegation
Applying the principle of least privilege to Active Directory is relatively easy to achieve with a well thought out administration model. Organizational Units (OUs) can be used to group AD objects, and in turn permissions delegated to ensure that IT staff can only modify and add objects to OUs that don’t contain privileged accounts.
Performing a risk assessment should and determining the likelihood that a compromised account might lead to a network breach can help you design a delegation model that improves security and also allows IT to perform everyday AD administration tasks without permanently assigned domain admin privileges.
The Delegation of Control Wizard in Active Directory Users and Computers (ADUC) provides a quick and easy way to grant IT staff permissions to perform administration tasks, such as creating new user accounts and adding them to groups. Group Policy can also be used to enforce group membership, reducing the probability that a rogue administrator might add themselves to a privileged group.
Windows PowerShell Just-Enough-Administration (JEA) provides IT support staff with remote access endpoints that are restricted to a limited set of modules, cmdlets and parameters. Additionally, JEA can be configured to provide elevated privileges without revealing the password for a privileged account.
JEA constrained endpoints provide a level of flexibility in Windows that enables least privilege security to be achieved more easily than ever before. If your IT staff aren’t up to speed with PowerShell, GUI tools can be created that use PowerShell to perform the actual tasks. Two examples of this are the Exchange Administration Center (EAC) and the Active Directory Administrative Center (ADAC), both of which use PowerShell to execute jobs in the background.
Read-Only Domain Controllers
Domain controllers (DCs) are often physically exposed in branch offices and sometimes it’s hard to avoid giving privileged access, especially if the device doubles up as a file server or performs some other function. Read-Only Domain Controllers (RODCs) don’t store password attributes in their copy of the AD database, but can be configured to cache passwords of users who regularly log in at the remote location. But not only that, and unlike writeable domain controllers, it’s possible to delegate local administrator privileges to the device without granting access to AD, which is ideal for general maintenance purposes.
Audit AD for Domain Administrators
Restricting the use of domain administrator privileges and implementing an administration model will significantly improve the security posture of Active Directory using the techniques outlined above and others. A good place to start is to audit Active Directory for use of domain administrative privileges and eliminate as many accounts as possible.