dheinmiller asked:
Restrict Domain Administrator to workstations only

Experts, I need to figure out a way to give our computer technician full access to our workstations. Some programs require Domain Admin credentials to override the permissions to allow the installation of new programs.
Problem is...
By giving him Domain Admin, he can now remote into any of our servers. How can I block his server access, but still allow him to have admin access over the workstations?
McKnife replied:

Sorry, there's no program that requires domain admin credentials - that's simply impossible. If you administer the domain, use a domain admin. If you administer local programs, don't use a domain admin.
You should set up a support user and have that one added to the local admins group using the Restricted Groups feature inside GPOs. Then apply that GPO to workstations only.
dheinmiller (asker) replied:
McKnife, thanks for the clarification. Can you provide more details on exactly how to implement your recommendation?
Thank you!
ASKER CERTIFIED SOLUTION by McKnife (the solution text itself is not available on this page)
McKnife - You're the Best!!!!
I set it up, and it works exactly how we want.
I appreciate you taking the time to create the diagrams.
Thank you,
dheinmiller
I'll suggest a different approach.

1. Create a "Workstation Admins" user group in AD. Add that group to the local Administrators group of all workstations (this should be possible with Group Policy). Then you can add your technicians to that group, which will give them all the rights they need to install just about anything on the workstations but prevents them from logging in to the servers.
2. Same as 1, except create separate workstation admin accounts for each technician to maintain accountability and prevent potential issues if a technician ever does something stupid and gets themselves infected with a worm. (To be clear, you still create a Workstation Admins group and assign it to the local workstations, but then, instead of using the technician's existing account (for example, "John"), you create an account called "John-WA" which the technician must use for administration of the workstations. That John-WA account is the one that gets placed in the Workstation Admins group and is used by the technician.)
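The following is an added example, not code from this thread or from any of its posters, showing option 2 above with the ActiveDirectory module: the "Workstation Admins" group, one "-WA" account per technician, and a check that the group has not ended up in the local Administrators group on any server. The OU paths, the technician list and the domain name are assumptions; the GPO that places the group into the workstations' local Administrators group is still created separately (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups) and linked to the workstation OUs only.

```powershell
# Added example (not from the original thread). Requires RSAT / the ActiveDirectory
# module and a Domain Admin session. All names below are assumptions.
Import-Module ActiveDirectory

$GroupName   = 'Workstation Admins'
$GroupOU     = 'OU=Groups,DC=example,DC=local'          # assumed
$AdminOU     = 'OU=Admin Accounts,DC=example,DC=local'  # assumed
$Technicians = @('john', 'jane')                        # assumed sAMAccountNames

# 1. The group that the Restricted Groups setting will add to the local
#    Administrators group on workstations only. Nothing on a server should refer to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Local admin on workstations via GPO; must never be granted on servers'
}

# 2. A separate "<name>-WA" account per technician, so the everyday account stays
#    unprivileged and every admin action is attributable to one person.
foreach ($tech in $Technicians) {
    $waName = "$tech-WA"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$waName'")) {
        $initial = Read-Host -AsSecureString "Initial password for $waName"
        New-ADUser -Name $waName -SamAccountName $waName -Path $AdminOU `
            -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true `
            -Description "Workstation admin account for $tech"
    }
    Add-ADGroupMember -Identity $GroupName -Members $waName
}

# 3. Check the boundary: list servers whose local Administrators group contains the
#    workstation admin group (e.g. a GPO linked too high or an Administrators nesting).
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Select-Object -ExpandProperty DNSHostName

$leaks = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like "*\$using:GroupName" } |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name
}

if ($leaks) {
    Write-Warning "'$GroupName' is a local administrator on these servers:"
    $leaks | Format-Table -AutoSize
} else {
    "'$GroupName' is not a local administrator on any reachable server"
}
```

In the Restricted Groups policy, use the "This group is a member of" setting (group = Workstation Admins, member of = Administrators) rather than "Members of this group"; the former adds the group to the workstations' Administrators group, while the latter replaces the whole local membership with the list you specify. Step 3 only covers servers that answer WinRM, so treat an unreachable server as unchecked rather than clean.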
To expand even further:

We use an altogether different concept for security reasons.
I might publish an article soon as a step-by-step.

The main idea is to use single admins, one per supported workstation, so that if one of those accounts gets compromised (using mimikatz or the like), the attacker would only gain admin access to one workstation and not all. Apart from that, the account is only activated for the time of the support incident, so it will be very hard to exploit that.
All is managed by a script and not complicated at all.

As soon as I have completed my article, I will link it here.
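As an added illustration of the per-workstation, per-incident idea described above (this is not McKnife's script, which is not on this page), the functions below keep one AD account per workstation, named "adm-<hostname>", and enable it only for the duration of a support incident with a fresh random password and an account expiry as a backstop. The naming scheme, OU path, default window and the use of WinRM to grant local admin on the machine are all assumptions.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory module
# and WinRM access to the workstation for the first-time setup. Names are assumptions.
Import-Module ActiveDirectory

function Enable-WorkstationAdmin {
    param(
        [Parameter(Mandatory)][string]$Workstation,
        [int]$Hours = 2,                                                  # assumed default window
        [string]$AdminOU = 'OU=Workstation Admins,DC=example,DC=local'   # assumed
    )
    $name = "adm-$Workstation"
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"

    if (-not $user) {
        # First incident for this machine: create the account disabled and make it a
        # local admin on this one workstation only (no group shared across machines).
        New-ADUser -Name $name -SamAccountName $name -Path $AdminOU -Enabled $false `
            -Description "Local admin for $Workstation only; enabled per incident"
        $user   = Get-ADUser -Identity $name
        $domain = (Get-ADDomain).NetBIOSName
        Invoke-Command -ComputerName $Workstation -ScriptBlock {
            Add-LocalGroupMember -Group 'Administrators' -Member "$using:domain\$using:name"
        }
    }

    # A new random password for every incident, so nothing long-lived exists to harvest.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    Set-ADAccountPassword -Identity $user -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)

    # Expiry closes the window even if nobody runs Disable-WorkstationAdmin afterwards.
    $until = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $user -DateTime $until
    Enable-ADAccount -Identity $user

    # Hand the password to the technician over your normal secret channel.
    [pscustomobject]@{ Account = $name; Password = $plain; ExpiresAt = $until }
}

function Disable-WorkstationAdmin {
    param([Parameter(Mandatory)][string]$Workstation)
    $name = "adm-$Workstation"
    Disable-ADAccount -Identity $name
    Clear-ADAccountExpiration -Identity $name
}

# Audit: per-workstation admin accounts that are still enabled, with their expiry.
function Get-ActiveWorkstationAdmins {
    Get-ADUser -Filter { SamAccountName -like 'adm-*' -and Enabled -eq $true } `
        -Properties AccountExpirationDate |
        Select-Object SamAccountName, AccountExpirationDate
}

# Usage:
#   Enable-WorkstationAdmin -Workstation WS01 -Hours 1
#   ...support work on WS01...
#   Disable-WorkstationAdmin -Workstation WS01
#   Get-ActiveWorkstationAdmins   # should normally return nothing
```

A compromise of one adm-<hostname> account (credential theft from that workstation's memory, for example) then yields admin rights on that single machine, and only while the incident window is open. The trade-off Lee raises below still applies: the first-time setup needs the workstation reachable over WinRM, and after that the technician's logon depends on a domain controller being available unless the account's credentials have been cached on that machine.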
Thanks Guys!
I look forward to seeing the article...
McKnife's environment may well need that level of security. If you do, fine. Keep in mind that security is a balance - you cannot limit productivity too much - and what happens when the machine in question is off the domain for any reason or can't communicate with the machine that runs the script to activate the account? My solutions don't fully address that issue either, but USUALLY, where you have a small number of technicians, they will have cached accounts, making that aspect less important.
Lee, I will keep that in mind.
Thanks for the info!
Thanks McKnife!
Very interesting and useful article!