Active Directory Security Group Permissions

In this guide, I share my recommendations for Active Directory security and how you can improve the security of your Windows domain environment.

You don’t have to spend a fortune to improve security; there are many no-cost and low-cost solutions, which I will show you in this guide.


In many organizations, Active Directory is a centralized system that authenticates and authorizes access to the network. Even in a cloud or hybrid environment, it can be a centralized system that provides access to resources. When accessing a document on the network, OneDrive, printing to a network printer, accessing the Internet, checking your email, and so on, all these resources go through Active Directory to give you access.


Active Directory has been around for a long time and over the years malicious actors have discovered vulnerabilities in the system and ways to exploit them. In addition to the vulnerabilities, it is very easy for hackers to steal or obtain user credentials which can then give them access to your data. If they gain access to your computer or your login they can gain full access to Active Directory and your network.

Domain administrators and members of other privileged groups are extremely powerful. They can have access to the entire domain: all systems, all data, computers, laptops, etc.

It is recommended to have no day-to-day user accounts in the Domain Admins group, with the default domain administrator account being the only exception.

When DA access is required, Microsoft recommends that you temporarily place the account in the DA group. You should remove the account from the DA group after the job is done.


Once an attacker gains access to a system they can move laterally within the network to gain higher permissions (domain administrators).

Pass the Hash allows an attacker to use a password hash to authenticate to remote systems instead of a normal password. These hashes can be obtained from end-user computers.

All it takes for an attacker to compromise a network is a compromised computer or user account.


Cleaning up the Domain Admins group is a good first step to increasing your network security. It can slow attackers down considerably.


The process of removing accounts from a DA group is not easy. I know first hand because I recently went through this process. It is very common to have several accounts in a DA group.
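As an added example (not code from the original article), this PowerShell script builds the starting inventory for that cleanup: it lists every user in the privileged groups, expands nested groups, and flags everything except the built-in Administrator (RID 500) for review. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read group membership.

```powershell
# Added example: inventory privileged AD group membership before cleaning it up.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins only exist in the forest root domain;
# -ErrorAction SilentlyContinue skips them in child domains.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$report = foreach ($groupName in $privilegedGroups) {
    # -Recursive expands nested groups, which is where forgotten admins hide.
    $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue
    foreach ($member in $members) {
        if ($member.objectClass -ne 'user') { continue }
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties Enabled, LastLogonDate, PasswordLastSet

        # RID 500 is the built-in domain Administrator, the one account that
        # the article allows to stay in Domain Admins permanently.
        $isBuiltIn = $user.SID.Value -match '-500$'
        if ($isBuiltIn)          { $flag = 'built-in (expected)' }
        elseif ($user.Enabled)   { $flag = 'review: daily-use account in a privileged group?' }
        else                     { $flag = 'disabled: remove from group' }

        [pscustomobject]@{
            Group           = $groupName
            SamAccountName  = $user.SamAccountName
            Enabled         = $user.Enabled
            LastLogonDate   = $user.LastLogonDate
            PasswordLastSet = $user.PasswordLastSet
            Flag            = $flag
        }
    }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Keep a copy so you can compare membership again after the cleanup.
$report | Export-Csv -Path .\privileged-group-members.csv -NoTypeInformation
```

Run it before and after removing accounts so the CSV gives you a record of what changed.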

You should not log in daily with a local administrator or an account with special access (domain administrator).

Instead create two accounts, a regular account with no administrative rights and a special account used only for administrative tasks.

Follow a least-privilege model. Basically, this means that all users must log in with an account that has only the permissions needed to complete their work.


Logging in daily with a privileged account is not a Microsoft best practice and I advise against it. Again, temporary membership in a privileged group is OK, but it should be removed as soon as the job is done.

That said, Microsoft doesn’t make it easy to move away from domain administrator rights. There is no easy process for assigning rights to all the individual systems like DNS, DHCP, Group Policy, and so on. This is often the reason so many people have domain administrator rights.

You should use a normal non-administrator account for daily tasks like checking email, browsing the internet, ticketing, etc. You use a special account only when you need to perform administrative tasks such as creating users in Active Directory, logging into a server, adding a DNS record, etc.


Steve logs into his computer with a special account, checks his email, and inadvertently downloads a virus. Since Steve is a member of the DA group, the virus has full rights to his computer, all servers, all files, and the entire domain. This can cause serious damage and bring down critical systems.


Now, take the same scenario but this time Steve is logged in with his usual non-administrator account.

Steve checks his email and inadvertently downloads a virus. The virus has limited access to the computer and no access to the domain or other servers. This will cause minimal damage and prevent the virus from spreading through the network.

Some organizations use more than two accounts and take a tiered approach. It is more secure, but may be inconvenient for some.

Each domain contains an administrator account, which by default is a member of the Domain Administrators group.


The built-in administrator account should only be used for domain setup and disaster recovery (restoring Active Directory).

No one should know the domain administrator account password. Set a really long 20+ character password and lock it in a vault. It is needed again only for recovery purposes.

Additionally, Microsoft has several recommendations for securing the built-in administrator account. These settings can be configured in Group Policy and applied to all computers.


See the Microsoft article on built-in administrator accounts in Active Directory for more details on securing the domain administrator account.


If the local administrator password is the same everywhere, an attacker only needs to compromise one system, and now they have local administrator rights on every domain-joined computer. They can use this account to pivot to other systems with the goal of finding domain administrator access.

If you need to perform administrative tasks on the computer (install software, delete files, etc.) you should do so with your personal account, not the local administrator account.

Disabling the account does not lock you out of the machine: you can boot into safe mode and use the local administrator account even if the account is disabled.

What if the network goes down or the NIC card dies, and you need to drop it from the domain and re-add it? There are ways around this but it really slows you down.


If you are unable to disable the account, here are recommendations to secure the account. A better alternative is to use the Microsoft LAPS tool (covered in tip #5 below).

Local Administrator Password Solution (LAPS) is becoming a popular tool for managing the local administrator password on all computers.

LAPS is a Microsoft tool that provides management of local account passwords for domain-joined computers. It sets a unique password for each local administrator account and stores it in Active Directory for easy access.


It is one of the best free options for mitigating pass-the-hash attacks and computer-to-computer lateral movement.


It is very common for organizations to deploy Windows using an image-based system. This makes it quick to deploy a standard configuration to all devices.

This means that the local administrator account is the same on every computer. Since the local administrator account has full rights to everything on the computer, all it takes is for one of them to be compromised, then a hacker can access all systems.

The solution uses a Group Policy client-side extension to perform all management tasks on workstations. It is supported on Active Directory running Windows Server 2003 SP1 and later, and on clients running Windows Vista SP2 and later.

If you need to use a local administrator account on a computer you retrieve the password from Active Directory and it is unique to a single computer.
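As an added example (not code from the original article), this PowerShell script checks LAPS coverage rather than retrieving passwords: it reports every enabled computer whose LAPS password attribute is missing or expired, i.e. machines that may still carry the shared image-based local administrator password. It assumes the legacy LAPS schema extension (the ms-Mcs-AdmPwdExpirationTime attribute) and the ActiveDirectory module; the newer Windows LAPS uses the msLAPS-PasswordExpirationTime attribute instead.

```powershell
# Added example: find domain computers that LAPS is not managing.
# Assumes legacy LAPS (ms-Mcs-AdmPwdExpirationTime) and the ActiveDirectory module.
Import-Module ActiveDirectory

# The expiration attribute is readable by authenticated users; the password
# attribute itself is not, and this script never touches it.
$expiryAttr = 'ms-Mcs-AdmPwdExpirationTime'   # Windows LAPS: msLAPS-PasswordExpirationTime
$computers  = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties $expiryAttr, OperatingSystem, LastLogonDate

$nowUtc = (Get-Date).ToUniversalTime()
$report = foreach ($c in $computers) {
    $expiresOn = $null
    $raw = $c.$expiryAttr
    if ($raw) {
        # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
        $expiresOn = [DateTime]::FromFileTimeUtc([int64]$raw)
        if ($expiresOn -lt $nowUtc) { $status = 'expired: rotation is not happening' }
        else                        { $status = 'managed' }
    } else {
        $status = 'NOT managed: LAPS never applied to this computer'
    }
    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        LastLogonDate   = $c.LastLogonDate
        PasswordExpires = $expiresOn
        Status          = $status
    }
}

# Unmanaged and expired machines first; these are the ones to fix.
$report | Sort-Object Status, Name | Format-Table -AutoSize
$report | Where-Object Status -ne 'managed' |
    Export-Csv -Path .\laps-coverage-gaps.csv -NoTypeInformation
```

Stale computer objects that never log on will show up as unmanaged too, so use LastLogonDate to separate "needs LAPS" from "needs deleting".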


A secure administrative workstation (SAW) is a dedicated system that should only be used to perform administrative tasks with your special account.

It should not be used to check email or browse the Internet. Actually, it shouldn’t have Internet access at all.

Basically, whenever you need to use your special account to perform administrative tasks, you should be doing it from the SAW. Everyday-use workstations are more vulnerable to compromise from pass-the-hash attacks, phishing, fake websites, keyloggers, and more.


Using a secure workstation for your elevated account provides additional protection from those attack vectors. It is better to adopt an assume-breach security posture, as attacks can come from both inside and outside the network.


The method for deploying a SAW continues to change due to constant threats and technology changes. To make it even more confusing, there are also PAWs (privileged access workstations) and jump servers.

It may seem like a hassle but I actually find it more convenient this way. I can remote in when the network is off and have a server with all the tools I need. I don’t have to worry about re-installing all my support software if I need to re-image my computer.

Ensure that the following audit policy settings are configured in Group Policy and applied to all computers and servers.

Malicious activity often starts at workstations, where you may miss early signs of an attack if you don’t monitor all systems.


You should monitor the following Active Directory events to help detect compromise and abnormal behavior on the network.

A better way is to store all logs on a centralized server and then use log analyzing software to generate reports.

Some log analyzers come pre-built with Active Directory security reports, and others you’ll need to build yourself.


With a good log analyzer, you should be able to quickly identify suspicious activity in your Active Directory environment.
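As an added example (not code from the original article, and not a substitute for a log analyzer), this PowerShell script shows the kind of check such a report automates: it reads the Security log on a domain controller for event ID 4728 (member added to a security-enabled global group, which is what Domain Admins is) and 4756 (universal group), and prints every addition to Domain Admins in the last day. It assumes the "Audit Security Group Management" audit policy is enabled on the DC, that you have rights to read its Security log remotely, and the placeholder DC name dc01.example.local.

```powershell
# Added example: report additions to Domain Admins from a DC's Security log.
# Assumes "Audit Security Group Management" is enabled; replace the DC name.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder, replace
    [int]$Hours = 24
)

# 4728 = member added to a security-enabled global group (Domain Admins is global)
# 4756 = member added to a security-enabled universal group
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4756
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
    -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The EventData fields are only reachable through the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Group     = $data['TargetUserName']   # group that was modified
        MemberDN  = $data['MemberName']       # DN of the account that was added
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

$daChanges = $report | Where-Object Group -eq 'Domain Admins'
if ($daChanges) {
    $daChanges | Sort-Object Time | Format-Table -AutoSize
} else {
    "No additions to Domain Admins on $DomainController in the last $Hours hours."
}
```

Each DC logs only the changes it processed, so run it against every domain controller, or collect the logs centrally as the article recommends.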


Here are some screenshots from the analyzer I use.
