
Securing Domain Admins

MITRE ATT&CK: Privilege Escalation · MITRE D3FEND: User Account Permissions

By default, Domain Admins are members of the local Administrators group on all member servers and workstations. This poses a huge security risk to the environment. When an attacker has administrative privileges on a host that a domain administrator logs into, it is possible to capture the credentials of the domain administrator account. This allows the attacker to gain full control of Active Directory and thus take control of the entire Windows domain.

Audit (GUI)

Audit (PowerShell)

Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name
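The one-liner above only lists names. The following script is an added example, not part of the original page, that extends the same audit: it resolves every nested user member of Domain Admins, marks whether the membership is direct or inherited through a nested group, and reports whether the account is enabled, how old its password is and when it last logged on. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain.

```powershell
# Added example (not from the original page): a fuller Domain Admins membership audit.
# Assumes the ActiveDirectory RSAT module is available on the machine running it.
Import-Module ActiveDirectory

$group = "Domain Admins"

# Direct members, used to distinguish direct from nested membership
$direct = (Get-ADGroupMember -Identity $group).DistinguishedName

Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, PasswordLastSet, LastLogonDate
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            DirectMember    = $direct -contains $u.DistinguishedName
            # Null when the password was never set (e.g. new account)
            PasswordAgeDays = if ($u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet).TotalDays } else { $null }
            LastLogonDate   = $u.LastLogonDate
        }
    } |
    Sort-Object DirectMember, SamAccountName |
    Format-Table -AutoSize
```

Accounts that show up as nested members are the ones most often missed in a manual review of the group; a disabled or long-unused account with Domain Admins rights is a candidate for removal rather than something to leave in place.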

Configuration

Use Domain Administrator accounts only to log on to the Domain Controllers. Create separate accounts for the following tasks:

  1. Server Administration
  2. Workstation Administration
  3. Azure Administration
  4. Domain Administration

In the GPO linked to the member servers and the workstations, the Domain Admins group should be added to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny log on locally
  • Deny log on through Remote Desktop Services
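Once the GPO is in place, the setting should be verified on a member server rather than assumed. The following script is an added example, not part of the original page: it exports the effective local security policy with secedit, parses the [Privilege Rights] section, and reports for each of the five deny rights whether the Domain Admins SID is present. It assumes it is run elevated, as a domain user, on a domain-joined member server or workstation; the group is resolved through the logged-on user's domain name, which is an assumption you may need to replace with an explicit DOMAIN\Domain Admins value.

```powershell
# Added example (not from the original page): verify that Domain Admins is denied
# the five logon rights on this member server. Run elevated on the target host.

# Assumption: the logged-on user's domain is the domain that holds Domain Admins.
$groupName = "$env:USERDOMAIN\Domain Admins"

# Resolve the group SID (Domain Admins always has RID 512; resolving avoids hard-coding it)
$sid = (New-Object System.Security.Principal.NTAccount($groupName)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights area of the effective local security policy
$cfg = Join-Path $env:TEMP "secpol-audit.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants mapped to the names shown in the GPO editor
$required = [ordered]@{
    SeDenyNetworkLogonRight           = "Deny access to this computer from the network"
    SeDenyBatchLogonRight             = "Deny log on as a batch job"
    SeDenyServiceLogonRight           = "Deny log on as a service"
    SeDenyInteractiveLogonRight       = "Deny log on locally"
    SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
}

# secedit writes lines such as:  SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-32-546
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$result = foreach ($priv in $required.Keys) {
    [pscustomobject]@{
        UserRight          = $required[$priv]
        Privilege          = $priv
        DomainAdminsDenied = ($rights[$priv] -contains $sid)   # $false when the right is unset
    }
}
$result | Format-Table -AutoSize

# Non-zero exit so the check can be used from a scheduled compliance job
if ($result.DomainAdminsDenied -contains $false) { exit 1 }
```

A right that is not listed in the export at all is treated as not denied, which is the correct reading: an absent entry means nobody is denied that logon type. Running the same script on a Domain Controller is expected to report all five as not denied, since the deny rights must not be linked to the Domain Controllers OU.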

User Impact

This change has no negative impact on the end user. It does have an impact on the IT department: administrators need to manage multiple user accounts to administer the Windows environment.