Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network.
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation.
Compromising credentials stored in memory via LSASS seems pretty easy.
As far as how many users have domain admin rights, this seems pretty straightforward: the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full-out domain admin account).
What are your thoughts on this?
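
One way to audit the two practices raised above (domain admin accounts logging onto workstations, and service accounts running as domain admins), as an added example that is not part of the original post: it scans simplified Security event 4624 (successful logon) records for Domain Admins members whose logon type leaves reusable credentials in LSASS on a host outside a trusted set. The account names, host names, trusted-host list and sample events are constructed assumptions.

```python
# Constructed sample data: simplified fields from Security event 4624.
# Account names, host names and the trusted-host list are assumptions.
DOMAIN_ADMINS = {"da-alice", "da-bob"}       # members of Domain Admins (assumed)
TRUSTED_HOSTS = {"DC01", "DC02", "PAW-01"}   # DCs and admin workstations (assumed)

# Logon types that leave reusable credentials in LSASS on the target host.
# Type 3 (Network) is deliberately absent: it does not cache them.
CREDENTIAL_EXPOSING = {2: "Interactive", 4: "Batch", 5: "Service",
                       10: "RemoteInteractive", 11: "CachedInteractive"}

SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-alice", "LogonType": 10},
    {"EventID": 4624, "Computer": "WKS-042", "TargetUserName": "da-alice", "LogonType": 2},
    {"EventID": 4624, "Computer": "WKS-042", "TargetUserName": "jsmith", "LogonType": 2},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "DA-Bob", "LogonType": 5},
    {"EventID": 4624, "Computer": "WKS-017", "TargetUserName": "da-bob", "LogonType": 3},
    {"EventID": 4634, "Computer": "WKS-042", "TargetUserName": "da-alice", "LogonType": 2},
]

def find_exposed_admin_logons(events, domain_admins=DOMAIN_ADMINS, trusted=TRUSTED_HOSTS):
    """Return (host, user, logon kind) for each domain admin logon that
    caches credentials on a host outside the trusted set."""
    admins = {a.lower() for a in domain_admins}      # AD names are case-insensitive
    trusted_upper = {h.upper() for h in trusted}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:                # only successful logons
            continue
        user = str(ev.get("TargetUserName", "")).lower()
        host = str(ev.get("Computer", "")).upper()
        ltype = ev.get("LogonType")
        if user in admins and host not in trusted_upper and ltype in CREDENTIAL_EXPOSING:
            findings.append((host, user, CREDENTIAL_EXPOSING[ltype]))
    return findings

if __name__ == "__main__":
    for host, user, kind in find_exposed_admin_logons(SAMPLE_EVENTS):
        print(f"{user} -> {host} ({kind} logon): domain admin credentials cached here")
```

The FS01 finding is the service-account case: a service running under a domain admin account keeps that credential on the server for as long as the service is configured.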