Securing Active Directory Administrators Groups

Shaun VermaakCOG Lead Engineer
CERTIFIED EXPERT
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
Published:
A hard and fast method for reducing Active Directory Administrators members.

Introduction


Anyone that have gone through any security hardening process can confirm that simply saying something was done incorrectly does not mean that you can just apply suggested remediation steps, especially in a mature environment.


Take recommendation Appendix E, F and G from the AD DS Operations Best Practices for Securing Active Directory for example, even though I agree with all of the points, just removing user accounts from the Administrators groups (Enterprise Admins, Domain Admins or Administrators) without addressing the application requirement could have a significant impact on daily operations.


Based on my experience, the biggest reason why user and service accounts were added to Domain Admins and the like was that default delegation model in Active Directory lacks an appropriate group that just gives server/workstation administrative rights.


This article describes the process of creating these delegation groups so that members of Domain Admins etc. can be removed without any impact, drastically increasing Active Directory overall security. It must be stressed that this is an intermediate process, the lesser of two evils if you will and that these other issues will be addressed in future articles.


Creating Global Administrators Delegation

1) WMI Filters

Create WMI filter that will identify the three device types. In the article two of these, All Servers except Domain Controllers and All Workstations will be used. This allows delegation policy to apply to the correct device type dynamically.


a) Create an All Workstations WMI filter according to company naming convention

Select * from WIN32_OperatingSystem where ProductType=1



b) Create an All Domain Controllers WMI filter according to company naming convention

Select * from WIN32_OperatingSystem where ProductType=2



c) Create an All Servers except Domain Controllers WMI filter according to company naming convention

Select * from WIN32_OperatingSystem where ProductType=3



2) Groups

Create a group for each device type and a group that will have rights to all device types. These will contain the administrators for each device type.


a) Create Global Server Administrators group, Global Workstations Administrators group and Global Administrators group according to company naming convention.



b) Add Global Administrators group as a member of both Global Server Administrators group and Global Workstations Administrators group.



3) Group Policies

Create a group policy for each device type. It should filter based on the device types and will contain the delegation settings.


3.1) Global Server Administrators Group Policy


a) Create new GPO and name it according to company naming convention. It will contain the configuration of the Global Server Administrators group.



b) Ensure group policy is linked from domain root and that it is enforced. Link the All Servers except Domain Controllers WMI filter to group policy.



c) Add Administrators group to Restricted Groups and add Global Server Administrators group as a member. This is mainly done for legacy devices.



d) Add Administrators (built-in) group to Local Users and Groups preference update item and add Global Server Administrators group as a member.


3.2) Global Workstations Administrators Group Policy


a) Create new GPO and name it according to company naming convention. It will contain the configuration of the Global Workstation Administrators group.



b) Ensure group policy is linked from domain root and that it is enforced. Link the All Workstations WMI filter to group policy.



c) Add Administrators group to Restricted Groups and add Global Workstation Administrators group as a member. This is mainly done for legacy devices.



d) Add Administrators (built-in) group to Local Users and Groups preference update item and add Global Workstation Administrators group as a member.


4) Remove User/Service Accounts

At this point, everything is ready to start removing accounts from Administrators groups by following the following logic:


Account Requirement
Action
Account requires AD rights
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and temporarily into Account Operators group until correct rights can be determined
Account requires Administrators rights to all devices
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and add to Global Administrators group
Account requires Administrators rights to servers
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and add to Global Server Administrators group
Account requires Administrators rights to workstations
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and add to Global Workstation Administrators group


Please note: It is best to add these user/service accounts to role groups as explained in this article:

https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html


Conclusion

Adding user accounts to Administrators groups (Enterprise Admins, Domain Admins or Administrators) puts the environment at a significant risk because these user accounts can dump all the Active Directory hashes, bypassing all security and auditing mechanisms. The above process can be used to drastically reduce the number of Admin members.


The hash extraction process is explained d in this article:

 https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html


Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.
It also provides me with positive feedback. Thank you!



9
3,558 Views
Shaun VermaakCOG Lead Engineer
CERTIFIED EXPERT
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.

Comments (2)

IT GuySys Admin/Windows Admin

Commented:
What AD group(s) or delegation of rights can I use to remove current administrators from the domain admin group while still allowing these administrators to:

1. Remote desktop into a domain controller

2. Only have the right to manage Active Directory users and computers without having the rights to manage any other server or Active Directory functions.
Shaun VermaakCOG Lead Engineer
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Author

Commented:
1) Create a group and give it allow to RDP via GPO. Do not add it to administrators group.

2) Delegate user rights. Delegate computer rights only on computer OUs

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.