The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.
Securing machines on a domain from malware/ransomware
Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Compromising of credentials stored in memory via LSASS seems pretty easy
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
What are your thoughts on this?
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Compromising of credentials stored in memory via LSASS seems pretty easy
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
What are your thoughts on this?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Hi Mystical_Ice.
Those are all valid concerns. That you ask for opinions, suggests that you are at the very beginning of tightening security by adopting known best practices. I strongly suggest to split this question into at least three separate ones, so the discussion will be more focused and the advice given can be more precise.
->support account usage
->service account usage (maybe together with the 1st as one question)
->general malware/ransomware prevention
->firewall usage (prevention of spreading out)
Those are all valid concerns. That you ask for opinions, suggests that you are at the very beginning of tightening security by adopting known best practices. I strongly suggest to split this question into at least three separate ones, so the discussion will be more focused and the advice given can be more precise.
->support account usage
->service account usage (maybe together with the 1st as one question)
->general malware/ransomware prevention
->firewall usage (prevention of spreading out)
Simple things you can do to protect against ransomware attacks:
Good password policy
Update regularly
Securing the router
Proper backing up of data
Educating the employees
Breach response
Installing centralized firewalls
Encrypted transmission
Antivirus software
Proactive and continuous auditing
Ways to Protect yourself from Ransomware Attack
Prevent Ransomware attacks by disabling SMB:
https://www.lepide.com/blog/prevent-petya-and-other-ransomware-attacks-by-disabling-smbv1/
Good password policy
Update regularly
Securing the router
Proper backing up of data
Educating the employees
Breach response
Installing centralized firewalls
Encrypted transmission
Antivirus software
Proactive and continuous auditing
Ways to Protect yourself from Ransomware Attack
Prevent Ransomware attacks by disabling SMB:
https://www.lepide.com/blog/prevent-petya-and-other-ransomware-attacks-by-disabling-smbv1/
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstationNever required and should not be done ever
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)Never give DA/EA to service accounts. Always delegate proper rights
What is the best situation for an admin that needs to access a user's machine to perform an advanced function (such as join it to the domain initially, install an application, etc)?
It's hard for me to follow what you are at. I can only repeat what I said before. Too many topics for just one question. Split it. Reduce this to one question and ask several new questions.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Ransomware
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
This is true. Some places feel that users should be able to do whatever they need on their local machines. With the number of threats out there, an increasing number of people are realizing that the idea of least privilege actually helps keep networks more secure. In turn, more networks are utilizing this philosophy... however, getting there is never easy (it's harder to take away rights than to provide them). The less rights an account has, the less damage a compromised account can do to a network. Now, let's be honest: there are going to be times where exceptions to not granting local admin rights must be made, be it for reasons related to the type of user or the software that they utilize (a number of programs require admin rights to work properly).
There are times where this is necessary. It's not a good idea for there to be excessive admin accounts. Also not a good idea for people to have a domain admin account as their regular account.
A more appropriate wording would be a sservice account that has the rights that it needs on the local system(s).
Now that said, this is only a subset of what should be in place. User education on phishing and potentially malicious emails are very important as well. A good spam filter should be in place with your email. There should also be appropriate use and security policies in place as well. Within the scope of security policies would include password standards/requirements incident response, and disaster recovery. Backups are also very important, along with ensuring proper endpoint protection (malware, virus, etc.). Web monitoring and filtering are also very beneficial, as these are things that will help you track down problems if any occur. Also maintain as few remote access mechanisms as possible. Do not allow RDP directly into your network (an RD Web Gateway is acceptable).