Domain Administrator accounts are often the target of adversaries, and rightfully so, as their access typically gets you into anything you’d like within an organization. However, through years of security testing we have seen consistent trends of poor account management for this group. Most organizations manage their Domain Administrators group like they would any other security group within their IT systems; below we’ll discuss what you can do to fix that.
Limiting the number of domain administrators not only reduces your attack surface but also allows for easier management due to the smaller scope. The Domain Admins group should only contain users who truly need it to perform their job functions. Don’t forget about service accounts: these are often an attacker’s first target because of attacks such as Kerberoasting and because their credentials are frequently hardcoded in configuration files. While service accounts often require additional access, we’ve found that they are repeatedly over-permissioned and in actuality don’t require domain administrative rights.
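As an added example (not from the original post), the audit below enumerates the effective user members of Domain Admins, including members inherited through nested groups, and flags the two things the paragraph calls out: accounts that carry a Service Principal Name (the Kerberoasting candidates) and accounts that look dormant or have aged passwords. It assumes the RSAT ActiveDirectory module and read access to the domain; nothing here changes membership.

```powershell
# Added example: audit Domain Admins membership so the list can be trimmed to accounts
# that truly need it. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# -Recursive expands nested groups, so accounts that reach Domain Admins indirectly show up too.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled

$report = foreach ($m in $members) {
    [pscustomobject]@{
        SamAccountName  = $m.SamAccountName
        Enabled         = $m.Enabled
        # Any SPN makes the account a Kerberoasting candidate; a service account holding
        # Domain Admins rights is the highest-value entry in this list.
        HasSPN          = [bool]$m.ServicePrincipalName
        PasswordAgeDays = if ($m.PasswordLastSet) { [int](New-TimeSpan -Start $m.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate   = $m.LastLogonDate
    }
}

# Service accounts first, then everyone else; stale accounts are candidates for removal.
$report | Sort-Object HasSPN, PasswordAgeDays -Descending | Format-Table -AutoSize
"Effective user members of Domain Admins: $($report.Count)"
"Members with an SPN set (review and remove): $(($report | Where-Object HasSPN).Count)"
"Members with no logon in 90 days: $(($report | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) }).Count)"
```

Run it from an account that can read the directory; the output is a review list for the people who own each account, not an automatic cleanup. The 90-day dormancy window is an assumption to adjust to your environment.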
Your IT administrators should not be running as Domain Administrators to do non-administrative tasks. This behavior often leaves password hashes around the network and increases the impact of a successful phishing or social engineering attack. IT administrators should have two accounts: one for their administrative duties and one that they use at all other times for their regular work. Keep in mind not to make domain administrative accounts easily recognizable through naming standards such as adding “DA” or “Admin” before or after the account name. Watch out for password reuse between these two accounts, which the next tip will address.
Privileged accounts should have significantly stronger password requirements than your regular accounts. We recommend multi-factor authentication, smart cards, or hardware tokens where possible. While standards such as CIS can give guidance here, we strongly recommend treating them as the minimum and much prefer 20+ character passphrases for domain administrators.
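One way to enforce a stricter password floor for just this group, as an added example rather than anything from the original post, is an Active Directory Fine-Grained Password Policy (PSO) bound to Domain Admins. The 20-character minimum comes from the paragraph; the policy name, precedence, history and lockout values are illustrative assumptions, and the PSO requires the ActiveDirectory module and a domain functional level of Windows Server 2008 or later.

```powershell
# Added example: a Fine-Grained Password Policy applied only to Domain Admins.
Import-Module ActiveDirectory

# Splatting keeps the parameters readable and lets each carry a comment.
$pso = @{
    Name                        = 'DomainAdmins-PSO'      # assumed name
    Precedence                  = 10                      # lowest value wins if several PSOs apply
    MinPasswordLength           = 20                      # 20+ character passphrase floor
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso

# A PSO can target users or global security groups; bind it to the group, not to individuals,
# so new admins inherit it automatically.
Add-ADFineGrainedPasswordPolicySubject -Identity 'DomainAdmins-PSO' -Subjects 'Domain Admins'

# Check which policy actually wins for a given privileged account (name is a placeholder).
Get-ADUserResultantPasswordPolicy -Identity 'ADMIN-ACCOUNT-PLACEHOLDER' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

The resultant-policy check matters because a PSO with a lower precedence number elsewhere in the domain silently overrides this one; verify it for each admin account after the binding is in place.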
Implementing and advancing a privileged account management (PAM) program can be lengthy and costly, but it’s a worthwhile venture. Most PAM programs attempt to boil the ocean by trying to manage everything and eventually end up managing hardly anything, or they start with less impactful accounts first and take ages to get to domain administrator accounts. Bring your domain administrator accounts under management first. Be sure to enforce checkout, a password change after each use, and high-security password requirements.
Just-in-time (JIT) provisioning is becoming more popular as organizations move to automated systems and cloud environments. The same principle can be applied to the Domain Admins group: it stays empty until access is needed, at which point membership is granted and then removed immediately after use. If you can get this right it’s a great step toward a more secure environment; however, special attention needs to be paid to the access provisioning process.
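The removal step is the part that gets forgotten, so an added example (not from the original post) of one way to make it automatic: Active Directory's time-bound group membership, available once the Privileged Access Management optional feature is enabled at a Windows Server 2016 or later forest functional level. The function name, account name and duration are assumptions; the feature check is there because without it `-MemberTimeToLive` is rejected and a plain `Add-ADGroupMember` would grant permanent membership.

```powershell
# Added example: JIT membership in Domain Admins that expires on its own.
Import-Module ActiveDirectory

function Grant-TemporaryDomainAdmin {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [timespan] $Duration = (New-TimeSpan -Hours 1)
    )
    # Refuse to proceed unless expiring links are supported; otherwise the grant would be permanent.
    $pam = Get-ADOptionalFeature -Filter "Name -like 'Privileged Access Management Feature'"
    if (-not $pam -or -not $pam.EnabledScopes) {
        throw 'Privileged Access Management Feature is not enabled; not granting permanent membership.'
    }

    # The TTL lives on the membership link itself, so no cleanup job is needed for removal.
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName -MemberTimeToLive $Duration

    # Show remaining TTLs so the grant can be confirmed (and audited) immediately.
    Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
}

# Account name is constructed; per the earlier tip, avoid obvious "admin" suffixes in real names.
Grant-TemporaryDomainAdmin -SamAccountName 'jdoe02' -Duration (New-TimeSpan -Minutes 30)
```

Kerberos tickets issued while the temporary membership is active are bounded by its remaining TTL, which is what makes the expiry effective rather than cosmetic. The provisioning step that calls this function (who may request it, who approves) is the part the paragraph says deserves the most attention, and the function deliberately does none of that.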
Adding a domain administrative account is an uncommon activity, so setting up alerting whenever a new user is added to the group is a great security practice. To take this to the next level, we recommend that any time an account is added, it is alerted on and immediately removed through automation unless an exception process has been followed. Occasionally attackers will create their own domain administrative accounts and give them inconspicuous names in hopes of remaining under the radar; this practice can detect and possibly deter that from happening.
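As an added example of the alert-and-remove loop described above (not from the original post), the script below reads the domain controller's Security log for group-membership additions, alerts on any that target Domain Admins, and removes the member unless it appears on an approved list produced by the exception process. The approved list, lookback window and alert channel are assumptions; it relies on the ActiveDirectory module and on the Security log recording group management events (Audit Security Group Management).

```powershell
# Added example: detect additions to Domain Admins and revert unapproved ones.
Import-Module ActiveDirectory

# Output of the exception process; these values are constructed placeholders.
$approved = @('DOMAIN\breakglass01', 'DOMAIN\jdoe02')
$lookback = (Get-Date).AddMinutes(-15)   # schedule the script more often than this window

# 4728 = member added to a security-enabled global group (Domain Admins is global by default);
# 4756 is the universal-group equivalent, included in case the group scope was ever changed.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4756; StartTime = $lookback } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetUserName -ne 'Domain Admins') { continue }

    # Key on the SID: it stays stable even if the new account is renamed after the add.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier $d.MemberSid
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $who  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"

    # Alert on every addition, approved or not; swap Write-Warning for your SIEM/email/ticket hook.
    Write-Warning "$($e.TimeCreated): $who added $name to Domain Admins (event $($e.Id))"

    if ($approved -notcontains $name) {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $d.MemberSid -Confirm:$false
        Write-Warning "Removed $name from Domain Admins: no approved exception on file"
    }
}
```

Because the subject (who performed the add) is alerted on every time, a legitimate but unannounced change still gets reviewed, and an attacker-created account that was named to blend in is caught by the membership change rather than by its name.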