Mystical_Ice
asked on
Securing machines on a domain from malware/ransomware
Hi
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Compromising of credentials stored in memory via LSASS seems pretty easy
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
What are your thoughts on this?
Wanted to open this discussion - to prevent a ransomware attack or malware from spreading across a network
Seems most SMB networks have domain admins (most of which have separate accounts, so the domain admins don't log into a computer with the domain admin account unless performing some sort of work that requires domain admin access), but I've seen a lot of networks where the domain user that logs onto a particular machine is given local admin rights on that machine.
Also have heard it's not a good idea for a domain admin account to ever log onto a user's workstation
Compromising of credentials stored in memory via LSASS seems pretty easy
As far as how many users have domain admin rights, this seems pretty straightforward; that the fewer domain admins the better, and instead of automatically creating a domain admin account any time a service account is required, it would be better for a service account to use a regular domain user account, but one that's local admin on the server it needs (rather than a full out domain admin account)
What are your thoughts on this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Including an initial account for the build process
It's hard for me to follow what you are at. I can only repeat what I said before. Too many topics for just one question. Split it. Reduce this to one question and ask several new questions.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- masnrock (https:#a42377847)
-- McKnife (https:#a42377904)
-- Ajit Singh (https:#a42378047)
-- Shaun Vermaak (https:#a42378755)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
ASKER