The users who are in your domain administrators group have the keys to the kingdom. With few exceptions (non-Windows systems), they can access any system and any file in your network. This includes the privacy information, HR information, and intellectual property that you are trying to protect. As such, the domain administrators group must be heavily guarded from attack. In today’s blog, we are going to look at a few key security considerations for domain admins.
This first one is pretty obvious, but you should limit access to the domain administrators group. It should not be automatically assumed that everyone in IT needs access to this group. One of the core principles of information security is the principle of least privilege. This states that users should be given the least amount of permissions and access possible for them to still be able to perform their job. There is a legitimate need for some users to have a domain administrator account and I am not telling you to blindly remove everyone from that group. However, I am telling you everyone in that group better have a good reason to be there.
Another thing to consider when limiting access to the domain administrator group is service accounts. Your service accounts will need elevated permissions, but most do not need domain administrator permissions. There is a widely known attack called “Kerberoasting” that lets anyone with a valid user account obtain the hashed password for all service accounts on your network. These can then be taken offline for password cracking. The Kerberoasting attack leverages inherent weaknesses within the Kerberos protocol and, as such, the best defense is to have strong, randomly generated passwords for your service accounts and to lock down the permissions associated with those service accounts based on least privilege. Hence, remove them from the domain administrator group if at all possible.
Not Shared and Separate
Another key security consideration for domain admins is that each domain administrator should be using a separate, unique low-level account for all of their day-to-day activity that does not require elevated permissions. Browsing the web, checking email, and other daily activities are more dangerous and expose the user if they accidentally click on a link they shouldn’t or download something dangerous. As such, administrators should have a separate account that they use to log into their workstation every day and perform these riskier activities, and then elevate with the domain administrator account only when performing necessary IT functions. This greatly reduces the exposure of these more privileged accounts.
Additionally, shared administrative accounts should be avoided. With shared accounts, the password is shared and probably written down somewhere, making it generally less secure. Additionally, shared accounts prevent non-repudiation. Essentially, if one user decides to go rogue and cause damage, because the account is shared, you cannot prove who performed the malicious actions.
Stringent Access Requirements
Consider longer password policies for domain administrator accounts (I would personally recommend making a 20+ character passphrase). Additionally, implement multi-factor authentication for these accounts. This can be done with smart cards, a third-party authenticator app like Duo, or even a small hardware token like a YubiKey. Finally, your logging and alerting for these accounts needs to be increased. When performing penetration testing, every time I gain access to a domain administrator account, I use it to create a new account with domain admin credentials. Your organization should have alerts set up for when a new user account is added to the “Domain Admins” group in Active Directory. This is a high-value alert: even if someone is legitimately adding a user account to that group, your team should be aware and ensure the proper documentation/approvals are in place for the addition.
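As an added example (not from the original post), here is the kind of detection logic a SIEM rule or log-forwarding script would apply to Windows Security events to raise that alert. It assumes the standard “member added” event IDs (4728 for global groups such as Domain Admins, 4732 for domain-local groups, 4756 for universal groups) and their usual field names; the sample event records are constructed for the demonstration.

```python
"""Alert on additions to privileged Active Directory groups.
Added example; the sample events below are constructed, not real logs."""
from dataclasses import dataclass

# Windows Security "member was added to a security-enabled group" events.
MEMBER_ADDED_EVENTS = {4728: "global", 4732: "domain-local", 4756: "universal"}

# Groups whose membership changes should always page someone, even when
# the change is expected and has an approval behind it.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins",
                     "schema admins", "administrators"}


@dataclass(frozen=True)
class Alert:
    record_id: int
    event_id: int
    group: str      # DOMAIN\Group that was modified
    member: str     # distinguished name of the account that was added
    added_by: str   # DOMAIN\user who performed the change


def detect_privileged_group_additions(events, monitored=PRIVILEGED_GROUPS):
    """Return one Alert per member-added event targeting a monitored group."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue  # logons, ticket requests, etc. are not membership changes
        group = ev.get("TargetUserName", "")
        if group.lower() not in monitored:
            continue  # additions to ordinary groups are routine
        alerts.append(Alert(
            record_id=ev.get("RecordId", -1),
            event_id=ev["EventID"],
            group=f"{ev.get('TargetDomainName', '')}\\{group}",
            member=ev.get("MemberName", "<unknown>"),
            added_by=f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
        ))
    return alerts


# Constructed sample records (field names follow the Security event schema).
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe-adm",
     "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
     "TargetDomainName": "CORP", "TargetUserName": "Domain Admins"},
    {"RecordId": 102, "EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe-adm",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example",
     "TargetDomainName": "CORP", "TargetUserName": "Helpdesk"},
    {"RecordId": 103, "EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "asmith"},
    {"RecordId": 104, "EventID": 4756, "SubjectDomainName": "CORP", "SubjectUserName": "bkim-adm",
     "MemberName": "CN=tmp-admin,CN=Users,DC=corp,DC=example",
     "TargetDomainName": "CORP", "TargetUserName": "Enterprise Admins"},
]

if __name__ == "__main__":
    for a in detect_privileged_group_additions(SAMPLE_EVENTS):
        print(f"ALERT event {a.event_id} record {a.record_id}: {a.added_by} added {a.member} to {a.group}")
```

In production the event source would be the domain controllers' Security logs (forwarded via Windows Event Forwarding or your SIEM agent) rather than an inline list, and each alert would be matched against a change ticket rather than just printed.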
These are of course just a few key security considerations for the domain admins in your organization. There are a variety of other access control measures and privileged identity management techniques that your organization can use to address these risks. The items here are a great starting place though!