How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.
Securing machines on a domain from malware/ransomware
Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Compromising of credentials stored in memory via LSASS seems pretty easy
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
What are your thoughts on this?
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Compromising of credentials stored in memory via LSASS seems pretty easy
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
What are your thoughts on this?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access)I wouldn't say most, just some. An increasing number are doing this. Yet conversely, I still see a number of networks where this doesn't hold true.
.. but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.This is true. Some places feel that users should be able to do whatever they need on their local machines. With the number of threats out there, an increasing number of people are realizing that the idea of least privilege actually helps keep networks more secure. In turn, more networks are utilizing this philosophy... however, getting there is never easy (it's harder to take away rights than to provide them). The less rights an account has, the less damage a compromised account can do to a network. Now, let's be honest: there are going to be times where exceptions to not granting local admin rights must be made, be it for reasons related to the type of user or the software that they utilize (a number of programs require admin rights to work properly).
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstationThere are times where this is necessary. It's not a good idea for there to be excessive admin accounts. Also not a good idea for people to have a domain admin account as their regular account.
... it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)A more appropriate wording would be a sservice account that has the rights that it needs on the local system(s).
Now that said, this is only a subset of what should be in place. User education on phishing and potentially malicious emails are very important as well. A good spam filter should be in place with your email. There should also be appropriate use and security policies in place as well. Within the scope of security policies would include password standards/requirements incident response, and disaster recovery. Backups are also very important, along with ensuring proper endpoint protection (malware, virus, etc.). Web monitoring and filtering are also very beneficial, as these are things that will help you track down problems if any occur. Also maintain as few remote access mechanisms as possible. Do not allow RDP directly into your network (an RD Web Gateway is acceptable).
Hi Mystical_Ice.
Those are all valid concerns. That you ask for opinions, suggests that you are at the very beginning of tightening security by adopting known best practices. I strongly suggest to split this question into at least three separate ones, so the discussion will be more focused and the advice given can be more precise.
->support account usage
->service account usage (maybe together with the 1st as one question)
->general malware/ransomware prevention
->firewall usage (prevention of spreading out)
Those are all valid concerns. That you ask for opinions, suggests that you are at the very beginning of tightening security by adopting known best practices. I strongly suggest to split this question into at least three separate ones, so the discussion will be more focused and the advice given can be more precise.
->support account usage
->service account usage (maybe together with the 1st as one question)
->general malware/ransomware prevention
->firewall usage (prevention of spreading out)
Simple things you can do to protect against ransomware attacks:
Good password policy
Update regularly
Securing the router
Proper backing up of data
Educating the employees
Breach response
Installing centralized firewalls
Encrypted transmission
Antivirus software
Proactive and continuous auditing
Ways to Protect yourself from Ransomware Attack
Prevent Ransomware attacks by disabling SMB:
https://www.lepide.com/blog/prevent-petya-and-other-ransomware-attacks-by-disabling-smbv1/
Good password policy
Update regularly
Securing the router
Proper backing up of data
Educating the employees
Breach response
Installing centralized firewalls
Encrypted transmission
Antivirus software
Proactive and continuous auditing
Ways to Protect yourself from Ransomware Attack
Prevent Ransomware attacks by disabling SMB:
https://www.lepide.com/blog/prevent-petya-and-other-ransomware-attacks-by-disabling-smbv1/
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstationNever required and should not be done ever
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)Never give DA/EA to service accounts. Always delegate proper rights
What is the best situation for an admin that needs to access a user's machine to perform an advanced function (such as join it to the domain initially, install an application, etc)?
It's hard for me to follow what you are at. I can only repeat what I said before. Too many topics for just one question. Split it. Reduce this to one question and ask several new questions.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
Premium Content
You need an Expert Office subscription to comment.Start Free Trial