Domain Administrator accounts are often the target of adversaries, and rightfully so, as their access typically gets you into anything you’d like within an organization. However, through years of security testing we have seen consistent trends of poor account management for this group. Most organizations manage their Domain Administrators group like they would any other security group within their IT systems, and below we’ll discuss what you can do to fix that.
1) Practice Least Privilege
Limiting the number of domain administrators not only reduces your attack surface but allows for easier management due to a smaller scope. The Domain Administrators group should only contain users who truly need it to perform their job functions. Don’t forget about service accounts; these are often an attacker’s first target because of attacks such as Kerberoasting and because their credentials are frequently hardcoded in configuration files. While service accounts often require additional access, we’ve found that they are repeatedly over-permissioned and in actuality don’t require domain administrative rights.
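As an added example (not code from the original post), the following PowerShell audit lists every user that resolves into Domain Admins, including through nested groups, and flags the members that least-privilege reviews usually remove first: accounts with a ServicePrincipalName (service accounts, which are exactly the Kerberoastable ones the post mentions), accounts whose password never expires, stale accounts, and disabled accounts. It assumes the RSAT ActiveDirectory module on a domain-joined host and read access to the group; the 90-day staleness threshold and the output path are assumed values.

```powershell
# Added example, not from the original post: audit Domain Admins for members that
# least privilege says should not be there. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$StaleAfterDays = 90                              # assumed review threshold
$OutPath        = '.\domain-admins-audit.csv'     # assumed output location

# -Recursive expands nested groups so an admin hidden one level down is not missed
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties `
        ServicePrincipalName, LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled

    # An SPN on a user object marks it as a service account and makes its TGS
    # tickets Kerberoastable; such accounts rarely justify Domain Admin rights.
    $hasSpn = $u.ServicePrincipalName.Count -gt 0

    # LastLogonDate comes from lastLogonTimestamp, which replicates with a delay of
    # up to ~14 days, so it is good enough for "stale", not for exact logon times.
    $stale = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays))

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        HasSPN               = $hasSpn
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordAgeDays      = $(if ($u.PasswordLastSet) {
                                    [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays
                                } else { $null })
        LastLogonDate        = $u.LastLogonDate
        # Every flag should be justified in writing or the member removed from the group
        Flags                = @(
            if ($hasSpn)                 { 'service-account' }
            if ($u.PasswordNeverExpires) { 'pwd-never-expires' }
            if ($stale)                  { 'stale' }
            if (-not $u.Enabled)         { 'disabled' }
        ) -join ','
    }
}

$report | Sort-Object Flags -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $OutPath -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; members that appear with a flag, or members that appear at all without a matching change record, are the ones to chase down.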
2) Separate Administrative and Regular Accounts
Your IT administrators should not be running as Domain Administrators to do non-administrative tasks. This behavior tends to leave password hashes scattered around the network and increases the impact of a successful phishing or social engineering attack. IT administrators should have one account for their administrative duties and another that they use for all other regular work. Keep in mind not to make domain administrative accounts easily recognizable through naming standards such as adding “DA” or “Admin” before or after the account name. Watch out for password reuse between these two accounts, which the next tip will address.
3) Enhance Password Requirements
Privileged accounts should have significantly stronger password requirements than your regular accounts. It’s recommended to use multi-factor authentication, smart cards, or hardware tokens where possible. While standards such as CIS can give guidance here, we strongly recommend treating them as the minimum that you do, and we much prefer 20+ character passphrases for domain administrators.
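One way to enforce a stricter policy on just this group, as an added example that is not from the original post, is a fine-grained password policy (PSO) bound to Domain Admins, which takes precedence over the Default Domain Policy for the group’s members. It assumes the ActiveDirectory module and the rights to create a PSO; the policy name, the 20-character minimum from the post, and the remaining values are illustrative choices, not a published baseline.

```powershell
# Added example, not from the original post: a fine-grained password policy for
# Domain Admins. Assumes the ActiveDirectory module; values are illustrative.
Import-Module ActiveDirectory

$PsoName = 'PSO-DomainAdmins'   # assumed name

# Splatting keeps the settings readable and lets each one carry a comment
$policy = @{
    Name                            = $PsoName
    Precedence                      = 10                          # lowest number wins if several PSOs apply
    MinPasswordLength               = 20                          # passphrase length, per the 20+ character recommendation
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)      # blocks cycling back to an old passphrase in one sitting
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy @policy
}

# Bind the PSO to the group so it applies to the group's user members
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'Domain Admins'

# Verify the policy an admin account actually resolves to (should be the PSO, not the domain default)
Get-ADUserResultantPasswordPolicy -Identity 'some.admin'   # assumed account name
```

Verify with Get-ADUserResultantPasswordPolicy rather than by inspection of the PSO: a user subject to several PSOs gets only the one with the lowest precedence, so a later PSO with a higher number will silently lose to this one.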

4) Manage These Accounts First
Implementing and advancing a privileged account management (PAM) program can be quite lengthy and costly, but it’s a worthwhile venture. Most PAM programs attempt to boil the ocean by trying to manage everything and eventually end up managing hardly anything, or they start with less impactful accounts and take ages to get to domain administrator accounts. Start by bringing your domain administrator accounts under management first. Be sure to enforce checkout, password change after each use, and high-security password requirements.
5) JIT Provisioning
Just-in-time (JIT) provisioning is becoming more popular as organizations move to automated systems and cloud environments. The same principle can be applied to the Domain Administrators group, whereby the “Domain Admins” group stays empty until access is needed, at which point membership is granted and then removed immediately after use. If you can get this right it’s a great step toward a more secure environment; however, special attention needs to be paid to the access provisioning process.
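As an added example (not from the original post), Active Directory can do the removal step for you: with the Privileged Access Management optional feature enabled, a group membership can carry a time-to-live, after which the member drops out without any cleanup job, and Kerberos tickets issued to that member are limited to the remaining TTL. The block assumes the ActiveDirectory module and a forest at Windows Server 2016 functional level or later; the function names, the ticket-id parameter and the 60-minute default are assumptions standing in for your approval workflow. Enabling the optional feature is a one-way change to the forest, so the enable step is gated behind a check.

```powershell
# Added example, not from the original post: time-bound Domain Admins membership via the
# AD Privileged Access Management optional feature. Assumes the ActiveDirectory module and
# a 2016+ forest functional level. Function names and parameters are illustrative.
Import-Module ActiveDirectory

function Enable-PamFeature {
    # One-way forest change; only enable it once, deliberately.
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if ($feature.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest.RootDomain -Confirm:$false
    }
}

function Grant-TemporaryDomainAdmin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId,    # assumed: change/approval reference that justifies the grant
        [int]$Minutes = 60                          # assumed default window
    )
    # The membership expires on its own; no scheduled cleanup is needed
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName `
        -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
    Write-Output "$SamAccountName added to Domain Admins for $Minutes min (ticket $TicketId)"
}

function Get-DomainAdminTtls {
    # Lists members with their remaining TTL; an entry with no <TTL=...> prefix is a
    # standing member, which under a JIT model is exactly what should not exist.
    Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
}

# Usage (assumed account and ticket values):
# Enable-PamFeature
# Grant-TemporaryDomainAdmin -SamAccountName 'jdoe-adm' -TicketId 'CHG-0001' -Minutes 30
# Get-DomainAdminTtls
```

The provisioning process the post warns about is the Grant-TemporaryDomainAdmin call: whatever invokes it (a ticketing integration, a PAM checkout, a second approver) is now the control that matters, so log every call with the ticket id and review that log, not just the group.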
6) Setup Alerts with Automatic Actions
Adding a domain administrative account is an uncommon activity, so alerting whenever a new user is added to the group is a great security practice. To take this to the next level, we recommend that any time an account is added it is both alerted on and immediately removed through automation unless an exception process has been followed. Occasionally attackers will create their own domain administrative accounts and give them inconspicuous names in hopes of remaining under the radar; this practice can detect, and possibly deter, that from happening.
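The alert-and-revert automation described above, as an added example that is not from the original post: on a domain controller, Event ID 4728 (“A member was added to a security-enabled global group”; Domain Admins is a global group) records the group, the member’s SID and who made the change. The block reads recent 4728 events, keeps the ones targeting Domain Admins, removes any member that is not on an approved list, and raises an alert. It assumes the ActiveDirectory module, a scheduled task on each DC triggered by Event ID 4728 (the change is only logged on the DC that processed it), and an approved-list file; the file path, the event source name and the alert function body are placeholders.

```powershell
# Added example, not from the original post: revert unapproved additions to Domain Admins
# based on Security Event ID 4728. Assumes the ActiveDirectory module and that this runs
# on a domain controller from an event-triggered scheduled task. Paths and names are assumed.
Import-Module ActiveDirectory

$ApprovedListPath = 'C:\SecOps\domain-admins-approved.txt'   # assumed: one SamAccountName per line, '#' comments
$LookbackMinutes  = 5                                        # covers the trigger latency of the scheduled task

function Send-SecurityAlert([string]$Message) {
    # Placeholder: swap in your SIEM, webhook or mail call. The event source must be
    # registered once beforehand: New-EventLog -LogName Application -Source 'DA-Watch'
    Write-EventLog -LogName Application -Source 'DA-Watch' -EventId 1001 -EntryType Warning -Message $Message
}

function Get-RecentDomainAdminAdds {
    $filter = @{ LogName = 'Security'; Id = 4728; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -eq 'Domain Admins') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                MemberSid = $d['MemberSid']      # SID is stable even if the attacker renames the account
                MemberDn  = $d['MemberName']
                AddedBy   = $d['SubjectUserName']
            }
        }
    }
}

function Invoke-DomainAdminEnforcement {
    $approved = Get-Content $ApprovedListPath | Where-Object { $_ -and -not $_.StartsWith('#') }
    foreach ($add in Get-RecentDomainAdminAdds) {
        $user = Get-ADUser -Identity $add.MemberSid
        if ($approved -contains $user.SamAccountName) { continue }

        # Not on the approved list and no exception record: revert first, then alert
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $user -Confirm:$false
        Send-SecurityAlert ("Unapproved Domain Admins addition reverted: {0} (added by {1} at {2})" -f `
            $user.SamAccountName, $add.AddedBy, $add.Time)
    }
}

Invoke-DomainAdminEnforcement
```

Two caveats a practitioner will hit: the approved list is itself now a privileged object, so protect the file (or keep the list in a group the automation reads) and alert on changes to it; and the exception process should add the name to the list before the membership change, otherwise the automation will revert a legitimate change and the alert becomes noise that people learn to ignore.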

About the Author: Heath Adams
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcm-sec.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: [email protected]