<

Securing Active Directory Administrators Groups

Published on
25,776 Points
1,476 Views
8 Endorsements
Last Modified:
Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
A hard and fast method for reducing Active Directory Administrators members.

Introduction


Anyone that have gone through any security hardening process can confirm that simply saying something was done incorrectly does not mean that you can just apply suggested remediation steps, especially in a mature environment.


Take recommendation Appendix E, F and G from the AD DS Operations Best Practices for Securing Active Directory for example, even though I agree with all of the points, just removing user accounts from the Administrators groups (Enterprise Admins, Domain Admins or Administrators) without addressing the application requirement could have a significant impact on daily operations.


Based on my experience, the biggest reason why user and service accounts were added to Domain Admins and the like was that default delegation model in Active Directory lacks an appropriate group that just gives server/workstation administrative rights.


This article describes the process of creating these delegation groups so that members of Domain Admins etc. can be removed without any impact, drastically increasing Active Directory overall security. It must be stressed that this is an intermediate process, the lesser of two evils if you will and that these other issues will be addressed in future articles.


Creating Global Administrators Delegation

1) WMI Filters

Create WMI filter that will identify the three device types. In the article two of these, All Servers except Domain Controllers and All Workstations will be used. This allows delegation policy to apply to the correct device type dynamically.


a) Create an All Workstations WMI filter according to company naming convention

Select * from WIN32_OperatingSystem where ProductType=1



b) Create an All Domain Controllers WMI filter according to company naming convention

Select * from WIN32_OperatingSystem where ProductType=2



c) Create an All Servers except Domain Controllers WMI filter according to company naming convention

Select * from WIN32_OperatingSystem where ProductType=3



2) Groups

Create a group for each device type and a group that will have rights to all device types. These will contain the administrators for each device type.


a) Create Global Server Administrators group, Global Workstations Administrators group and Global Administrators group according to company naming convention.



b) Add Global Administrators group as a member of both Global Server Administrators group and Global Workstations Administrators group.



3) Group Policies

Create a group policy for each device type. It should filter based on the device types and will contain the delegation settings.


3.1) Global Server Administrators Group Policy


a) Create new GPO and name it according to company naming convention. It will contain the configuration of the Global Server Administrators group.



b) Ensure group policy is linked from domain root and that it is enforced. Link the All Servers except Domain Controllers WMI filter to group policy.



c) Add Administrators group to Restricted Groups and add Global Server Administrators group as a member. This is mainly done for legacy devices.



d) Add Administrators (built-in) group to Local Users and Groups preference update item and add Global Server Administrators group as a member.


3.2) Global Workstations Administrators Group Policy


a) Create new GPO and name it according to company naming convention. It will contain the configuration of the Global Workstation Administrators group.



b) Ensure group policy is linked from domain root and that it is enforced. Link the All Workstations WMI filter to group policy.



c) Add Administrators group to Restricted Groups and add Global Workstation Administrators group as a member. This is mainly done for legacy devices.



d) Add Administrators (built-in) group to Local Users and Groups preference update item and add Global Workstation Administrators group as a member.


4) Remove User/Service Accounts

At this point, everything is ready to start removing accounts from Administrators groups by following the following logic:


Account Requirement
Action
Account requires AD rights
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and temporarily into Account Operators group until correct rights can be determined
Account requires Administrators rights to all devices
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and add to Global Administrators group
Account requires Administrators rights to servers
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and add to Global Server Administrators group
Account requires Administrators rights to workstations
Remove from Administrators groups (Enterprise Admins, Domain Admins or Administrators) and add to Global Workstation Administrators group


Please note: It is best to add these user/service accounts to role groups as explained in this article:

https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html


Conclusion

Adding user accounts to Administrators groups (Enterprise Admins, Domain Admins or Administrators) puts the environment at a significant risk because these user accounts can dump all the Active Directory hashes, bypassing all security and auditing mechanisms. The above process can be used to drastically reduce the number of Admin members.


The hash extraction process is explained d in this article:

 https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html


Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.
It also provides me with positive feedback. Thank you!



8
Comment
0 Comments

Featured Post

Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Join & Write a Comment

Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month