The concept of ‘least privileged access’ is widely acknowledged and accepted as best practice, but what are you doing to review and protect your accounts with ‘most privileged access’?
Start with your on-prem Active Directory environment and review the accounts with the highest levels of privilege. In general, the fewer accounts that have local admin permissions and the fewer servers they have access to, the more secure your company will be.
Audit and Reduce the Number of Accounts with Domain Admin and Enterprise Admin Permissions
If you’re not auditing Active Directory accounts to review your domain admins and enterprise admins, you might be leaving yourself open to significant vulnerabilities. Here are a few steps you should be taking if you are not already:
• Make sure you review the accounts with domain admin and enterprise admin access at least quarterly and track the changes each quarter
• Identify any changes and understand the reasons for adding or removing access
• Remove access (not just disabling accounts) for people who have left the organization
• Eliminate all service accounts from domain admin and enterprise admin. This is a huge deal. For these purposes, I am considering any account that does not require a password change to be a service account
• Wherever possible, remove accounts from domain admin and enterprise admin access and add them as local admins on only those servers they need local admin permissions
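The quarterly review described above can be scripted. The following PowerShell is an added example, not a script from the original article: it expands the Domain Admins and Enterprise Admins groups (nested groups included), flags members that match the article's working definition of a service account (password never changes) and members that are disabled but still in the group, and diffs the membership against the previous quarter's snapshot so every addition or removal has to be explained. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read group membership; the snapshot directory is a placeholder.

```powershell
# Added example (not the article's own script): quarterly audit of the
# Domain Admins and Enterprise Admins groups.
# Assumptions: ActiveDirectory module available, caller can read group membership.
Import-Module ActiveDirectory

$SnapshotDir = 'C:\Audit\PrivilegedGroups'     # placeholder path
$Groups      = @('Domain Admins', 'Enterprise Admins')
$Today       = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

# Current membership. -Recursive expands nested groups so indirect members
# (the ones that usually go unnoticed) are included.
$Current = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                     -Properties PasswordNeverExpires, PasswordLastSet, Enabled, LastLogonDate
            [pscustomobject]@{
                Group                = $g
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
            }
        }
}

# Service accounts, per the article's definition: the password never changes.
$ServiceAccounts = $Current | Where-Object { $_.PasswordNeverExpires -or -not $_.PasswordLastSet }
# Disabled accounts that were never actually removed from the group.
$DisabledMembers = $Current | Where-Object { -not $_.Enabled }

# Diff against the most recent earlier snapshot (file names sort by date).
$Previous = Get-ChildItem -Path $SnapshotDir -Filter '*.csv' |
    Where-Object { $_.BaseName -ne $Today } | Sort-Object Name | Select-Object -Last 1
if ($Previous) {
    $Old  = Import-Csv -Path $Previous.FullName
    $Diff = Compare-Object -ReferenceObject $Old -DifferenceObject $Current -Property Group, SamAccountName
    $Added   = $Diff | Where-Object SideIndicator -eq '=>'
    $Removed = $Diff | Where-Object SideIndicator -eq '<='
    Write-Host "Changes since $($Previous.BaseName): $(@($Added).Count) added, $(@($Removed).Count) removed"
    $Added   | Select-Object Group, SamAccountName | Format-Table -AutoSize
    $Removed | Select-Object Group, SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'No earlier snapshot found; this run becomes the baseline.'
}

# Save this quarter's snapshot for the next comparison.
$Current | Export-Csv -Path (Join-Path $SnapshotDir "$Today.csv") -NoTypeInformation

Write-Host "Service accounts in privileged groups (remove these): $(@($ServiceAccounts).Count)"
$ServiceAccounts | Select-Object Group, SamAccountName, PasswordLastSet | Format-Table -AutoSize
Write-Host "Disabled accounts still in privileged groups (remove, not just disable): $(@($DisabledMembers).Count)"
$DisabledMembers | Select-Object Group, SamAccountName, LastLogonDate | Format-Table -AutoSize
```

Run it once per quarter from a workstation with RSAT; the first run only writes the baseline CSV, and every later run reports the delta plus the two lists the article says should be empty.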
Use Dedicated Admin Accounts
Every person with local admin permissions to a server should have 2 separate accounts, and domain admins should have 3 separate accounts:
1. Their user account, which they use for accessing email, their PC, and other services
2. Their admin account, which is only used to sign into servers
3. Their domain admin account, which is only used to sign into domain controllers
The reason for this separation is that the regular user account is used in so many places that it is much more susceptible to compromise. Using a dedicated account, per user, to access servers significantly increases your security. If a person has domain admin permissions, they should have a third account that holds the domain admin permissions and is only used to sign into domain controllers. This significantly reduces the risk of compromise of your most highly privileged accounts.
The admin account should have a minimum requirement of 12 characters and be complex (uppercase, lowercase, numbers, special characters, and random), making it very difficult to crack.
The domain admin account should have a minimum requirement of 25 characters and be complex (uppercase, lowercase, numbers, special characters, and random), making it even more difficult to crack.
Identify all Local Admins on All Servers in your Domain
Odds are, you will find many more accounts with much wider access and much greater permissions to your servers than you would expect. Each account represents a distinct vulnerability that can be exploited. To help reduce the vulnerabilities that these accounts present, you can and should take 2 different approaches to how you analyze your data.
• For each local admin account, reduce the number of servers to which the account has access
• For each server, reduce the number of admin accounts with local admin access
To accomplish this, my recommendation is to run a PowerShell script that will identify all of the users with local admin on every server in your domain. Use the output from the PowerShell script to identify the list of unique accounts with local admin permissions, and then count the number of servers on which each account has local admin permissions. Once you have this data collected, sort by the number of servers each account has local admin permissions to, then begin with the accounts that have access to the largest number of servers and work your way down.
From here, there are several ways you should look at this data:
1. Scan for any accounts that belong to people who left the company or changed roles and no longer need access. Remove access immediately.
2. Scan for any service accounts (accounts whose passwords do not change), especially those with local admin on a large number of servers. Does the account really need access to all of those servers?
• Reduce the scope wherever possible
• Do not be afraid to push back on app owners - leverage your SIEM data to identify which servers these accounts are actually signing into, and reduce access to only those servers showing historical sign-ins
3. Scan for regular user accounts that have local admin permissions on servers, and migrate these to dedicated administrator accounts. This way, if their user account gets compromised, it cannot be used to gain access to a server
4. Review each admin account, looking for any account that has access to significantly more servers than you would expect – again, leverage your SIEM data to identify which servers these accounts are actually signing into, and reduce access to only those servers showing historical sign-ins
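The collection and sorting step, together with the service-account and regular-user checks in the list above, can be done in one script. The PowerShell below is an added example and not the article's own script: it enumerates the local Administrators group on every enabled server in the domain, expands any domain groups found there into their user members, counts the distinct servers per account, sorts most-exposed first, and flags accounts whose password never changes (the article's service-account definition), regular user accounts that should be moved to dedicated admin accounts, and disabled accounts that were never removed. It assumes PowerShell Remoting is enabled on the servers, that they run Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and that the ActiveDirectory module is available where the script runs; the output path and the '-adm' suffix used to recognise dedicated admin accounts are placeholders for your own conventions.

```powershell
# Added example (not the article's own script): inventory of local admins on
# every server in the domain, ranked by how many servers each account can administer.
# Assumptions: PS Remoting enabled, PowerShell 5.1+ on targets, ActiveDirectory module here.
Import-Module ActiveDirectory

$OutFile  = 'C:\Audit\LocalAdmins.csv'   # placeholder path
$AdminTag = '-adm'                        # placeholder: suffix your dedicated admin accounts use
$Domain   = (Get-ADDomain).NetBIOSName

# 1. Every enabled computer object running a Windows Server edition
$Servers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"' `
               -Properties OperatingSystem | Select-Object -ExpandProperty DNSHostName

# 2. Direct members of BUILTIN\Administrators on each server, queried in parallel.
#    Each returned object carries PSComputerName, which tells us the server.
$Direct = Invoke-Command -ComputerName $Servers -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable Unreachable -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
# A server you cannot inventory is a finding in itself; do not let it vanish silently.
$Unreachable | ForEach-Object { Write-Warning "Could not query $($_.TargetObject): $($_.Exception.Message)" }

# 3. Expand domain groups to their (nested) user members; cache each group once.
$GroupCache = @{}
$Rows = foreach ($m in $Direct) {
    if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        $sam = $m.Name.Split('\')[-1]
        if (-not $GroupCache.ContainsKey($sam)) {
            $GroupCache[$sam] = @(Get-ADGroupMember -Identity $sam -Recursive |
                Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName)
        }
        foreach ($u in $GroupCache[$sam]) {
            [pscustomobject]@{ Server = $m.PSComputerName; Account = "$Domain\$u"; Via = $m.Name }
        }
    } else {
        [pscustomobject]@{ Server = $m.PSComputerName; Account = $m.Name; Via = 'direct' }
    }
}

# 4. Distinct servers per account, sorted so the widest access comes first,
#    with the classifications the article says to act on.
$Summary = $Rows | Group-Object Account | ForEach-Object {
    $servers = @($_.Group.Server | Sort-Object -Unique)
    $sam     = $_.Name.Split('\')[-1]
    $ad      = $null
    if ($_.Name -like "$Domain\*") {
        # -Filter rather than -Identity so computer accounts and local SIDs do not throw
        $ad = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordNeverExpires, Enabled
    }
    [pscustomobject]@{
        Account        = $_.Name
        ServerCount    = $servers.Count
        # Article's definition of a service account: the password never changes
        ServiceAccount = [bool]($ad -and $ad.PasswordNeverExpires)
        # Domain user without the dedicated-admin suffix: a regular user account holding server admin
        RegularUser    = [bool]($ad -and -not $ad.PasswordNeverExpires -and $sam -notlike "*$AdminTag")
        # Disabled but never removed
        DisabledUser   = [bool]($ad -and -not $ad.Enabled)
        Servers        = $servers -join ';'
    }
} | Sort-Object ServerCount -Descending

$Summary | Export-Csv -Path $OutFile -NoTypeInformation
$Summary | Select-Object Account, ServerCount, ServiceAccount, RegularUser, DisabledUser | Format-Table -AutoSize
```

Work the CSV from the top: the Servers column lists exactly which machines an account can administer, which is the list to compare against the sign-in history in your SIEM before reducing access to only the servers that show real use.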
By following these steps, you may identify many accounts with excessive permissions that an attacker could exploit to attack your company. Reducing the number and scope of accounts with local admin access and working towards the concepts of least privileged access will help secure your company.