Securing machines on a domain from malware/ransomware

Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network

Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.  

Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation

Compromising credentials stored in memory via LSASS seems pretty easy

As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)

What are your thoughts on this?
Mystical_Ice asked:

masnrock commented:
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access)
I wouldn't say most, just some. An increasing number are doing this. Yet conversely, I still see a number of networks where this doesn't hold true.

.. but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
This is true. Some places feel that users should be able to do whatever they need on their local machines. With the number of threats out there, an increasing number of people are realizing that the idea of least privilege actually helps keep networks more secure. In turn, more networks are utilizing this philosophy... however, getting there is never easy (it's harder to take away rights than to provide them). The fewer rights an account has, the less damage a compromised account can do to a network. Now, let's be honest: there are going to be times where exceptions to not granting local admin rights must be made, be it for reasons related to the type of user or the software that they utilize (a number of programs require admin rights to work properly).

Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
There are times where this is necessary. It's not a good idea for there to be excessive admin accounts. Also not a good idea for people to have a domain admin account as their regular account.

... it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
A more appropriate wording would be a service account that has the rights that it needs on the local system(s).

Now that said, this is only a subset of what should be in place. User education on phishing and potentially malicious emails is very important as well. A good spam filter should be in place with your email. There should also be appropriate use and security policies in place as well. Within the scope of security policies would be password standards/requirements, incident response, and disaster recovery. Backups are also very important, along with ensuring proper endpoint protection (malware, virus, etc.). Web monitoring and filtering are also very beneficial, as these are things that will help you track down problems if any occur. Also maintain as few remote access mechanisms as possible. Do not allow RDP directly into your network (an RD Web Gateway is acceptable).
1
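The audit that goes with the least-privilege point above, as an added example (not code from the thread or from any of its posters): it enumerates the local Administrators group on one or more machines and flags the exact pattern the question describes, an individual domain user account holding local admin on a workstation. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module), PowerShell Remoting for remote machines, and uses placeholder computer names.

```powershell
# Added example, not code from the thread or from any of the posters.
# Audits the local Administrators group and flags an individual domain user
# account holding local admin on a workstation.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and, for
# remote machines, PowerShell Remoting. Computer names below are placeholders.

function Get-LocalAdminFindings {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Domain groups you expect to see in local Administrators on every domain-joined box.
        [string[]]$ExpectedGroups = @('Domain Admins')
    )

    $audit = {
        param([string[]]$expected)
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            $leaf = ($_.Name -split '\\')[-1]          # strip the DOMAIN\ or COMPUTER\ prefix
            if ($_.ObjectClass -eq 'User' -and $_.SID.Value -like '*-500') {
                $finding = 'BuiltInAdministrator'      # RID 500: expected, but keep it disabled or LAPS-managed
            } elseif ($_.ObjectClass -eq 'Group' -and $expected -contains $leaf) {
                $finding = 'ExpectedGroup'
            } elseif ($_.ObjectClass -eq 'Group') {
                $finding = 'ReviewGroup'               # an unexpected group grants admin to all of its members
            } elseif ($_.PrincipalSource -eq 'ActiveDirectory') {
                $finding = 'DomainUserIsLocalAdmin'    # the least-privilege violation discussed in the thread
            } else {
                $finding = 'ReviewLocalUser'           # extra local accounts holding admin rights
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Class    = $_.ObjectClass
                Source   = $_.PrincipalSource
                Finding  = $finding
            }
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $audit $ExpectedGroups
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $audit -ArgumentList (,$ExpectedGroups)
        }
    }
}

# Usage: collect findings from a few workstations, then list only the violations.
$findings = Get-LocalAdminFindings -ComputerName 'WS-001', 'WS-002'   # placeholder names
$findings | Format-Table -AutoSize
$findings | Where-Object Finding -eq 'DomainUserIsLocalAdmin'
```

Run it periodically and diff the output: a new DomainUserIsLocalAdmin or ReviewGroup row is the signal that someone has quietly widened rights on a machine. Where an exception is genuinely needed (the software-requires-admin case above), it should show up here as a documented entry rather than a surprise.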
 
McKnife commented:
Hi Mystical_Ice.

Those are all valid concerns. That you ask for opinions suggests that you are at the very beginning of tightening security by adopting known best practices. I strongly suggest splitting this question into at least three separate ones, so the discussion will be more focused and the advice given can be more precise.

->support account usage
->service account usage (maybe together with the 1st as one question)
->general malware/ransomware prevention
->firewall usage (prevention of spreading out)
0
 
Ajit Singh commented:
Simple things you can do to protect against ransomware attacks:

Good password policy
Update regularly
Securing the router
Proper backing up of data
Educating the employees
Breach response
Installing centralized firewalls
Encrypted transmission
Antivirus software
Proactive and continuous auditing

Ways to Protect yourself from Ransomware Attack

Prevent Ransomware attacks by disabling SMB:
https://www.lepide.com/blog/prevent-petya-and-other-ransomware-attacks-by-disabling-smbv1/
0
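A posture check for two of the items raised in this thread, as an added example (not code from the thread or from the linked article): the SMBv1 server setting that the link above is about, and the two LSASS settings that govern how easily credentials can be lifted from memory, which the question mentions. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare module and an elevated session.

```powershell
# Added example, not code from the thread or from the linked article.
# Reports SMBv1 (used by ransomware to spread host to host) and two LSASS
# credential-caching controls, and can turn SMBv1 and WDigest caching off.
# Assumes Windows 8.1 / Server 2012 R2 or later, SmbShare module, elevated session.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RansomwareHardeningStatus {
    $smb     = Get-SmbServerConfiguration
    $wdigest = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty -Path $LsaKey     -Name RunAsPPL           -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # SMBv1 on the server side: should be False.
        Smb1ServerEnabled     = [bool]$smb.EnableSMB1Protocol
        # WDigest keeps plaintext logon credentials in LSASS when this is 1;
        # 0, or the value being absent on 8.1/2012 R2 and later, means off.
        WDigestPlaintextCache = ($null -ne $wdigest -and $wdigest.UseLogonCredential -eq 1)
        # LSA protection (RunAsPPL = 1) stops unsigned code from opening LSASS; needs a reboot to apply.
        LsaProtectionEnabled  = ($null -ne $lsa -and $lsa.RunAsPPL -eq 1)
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 on the SMB server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Disable-WDigestCredentialCache {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set WDigest UseLogonCredential = 0')) {
        # -Force overwrites an existing value; the value is created if it does not exist.
        New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: inspect first, dry-run the changes, then apply them.
Get-RansomwareHardeningStatus
Disable-Smb1Server -WhatIf
Disable-WDigestCredentialCache -WhatIf
# Disable-Smb1Server; Disable-WDigestCredentialCache; Get-RansomwareHardeningStatus
```

Check for clients that still need SMBv1 (old multifunction printers and NAS boxes are the usual culprits) before applying the change fleet-wide, and roll out LSA protection through Group Policy only after confirming that any third-party authentication or security agents on the machines are signed for it.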
Shaun Vermaak, Technical Specialist/Developer, commented:
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Never required and should not be done ever

As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
Never give DA/EA to service accounts. Always delegate proper rights
1
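One way to act on "never give DA/EA to service accounts", as an added example (not code from the thread or from the poster): it resolves every user that ends up in Domain Admins or Enterprise Admins through nested groups and flags the ones that look like service accounts, then shows the local grant that replaces the domain-wide one. It assumes the RSAT ActiveDirectory module with read access to AD; the `svc`/`srv` naming pattern and the `CORP\svc-app` account are placeholders.

```powershell
# Added example, not code from the thread or from the poster.
# Lists every user in Domain Admins / Enterprise Admins (nested groups resolved)
# and flags the ones that look like service accounts.
# Assumes the RSAT ActiveDirectory module; naming pattern and account are placeholders.

Import-Module ActiveDirectory

function Get-PrivilegedServiceAccountFindings {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))

    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName `
                        -Properties servicePrincipalName, PasswordNeverExpires, LastLogonDate, Description
                $reasons = @()
                if ($u.servicePrincipalName) { $reasons += 'HasSPN' }                     # a registered service
                if ($u.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }       # typical for service accounts
                if ($u.SamAccountName -match '^(svc|srv)[-_.]') { $reasons += 'NamingPattern' }  # placeholder convention
                [pscustomobject]@{
                    Group            = $g
                    Account          = $u.SamAccountName
                    Enabled          = $u.Enabled
                    LastLogon        = $u.LastLogonDate
                    LooksLikeService = ($reasons.Count -gt 0)
                    Reasons          = ($reasons -join ', ')
                    Description      = $u.Description
                }
            }
    }
}

# Usage: review the flagged accounts first.
Get-PrivilegedServiceAccountFindings | Where-Object LooksLikeService | Format-Table -AutoSize

# Then, for each flagged service, grant the rights on the one server it runs on
# (run on that server) and remove the domain-wide membership:
#   Add-LocalGroupMember -Group 'Administrators' -Member 'CORP\svc-app'
#   Remove-ADGroupMember -Identity 'Domain Admins' -Members 'svc-app' -Confirm:$false
```

Local Administrators on the target server is still a broad grant; where the service only needs a specific right (log on as a service, write to one folder, restart one service), delegate that right instead and leave the account out of every admin group.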
 
Mystical_Ice (author) commented:
What is the best situation for an admin that needs to access a user's machine to perform an advanced function (such as join it to the domain initially, install an application, etc)?
0
 
Shaun Vermaak, Technical Specialist/Developer, commented:
Including an initial account for the build process
1
 
McKnife commented:
It's hard for me to follow what you are at. I can only repeat what I said before. Too many topics for just one question. Split it. Reduce this to one question and ask several new questions.
0
 
Pber, Solutions Architect, commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0