Controlled use of admin level permissions

We are trying to ensure the company has controlled use of admin permissions. Aside from the obvious 'Domain Admins' and 'Enterprise Admins' in AD, are there any other admin rights you would suggest focusing on in a network primarily comprised of Microsoft OS and server apps?
pma111Asked:

dfkeCommented:
Hi,

Administrator accounts should be regularly audited – this should include a password change, and confirmation of who has access to these accounts.

It is considered to be a good idea to disable the default built-in Administrator account and create another Administrator account with a different name. For example, NetworkAdmin.

On a typical Windows network, there are several Security Groups that have high levels of access to various parts of the network. These groups should be audited regularly to ensure that there are no normal users as members, only Administrators. The default groups are:

  • Administrators

  • Domain Admins

  • Schema Admins

  • Enterprise Admins

Note that there may be other groups with high levels of access that have been manually created. These should be documented and added to the auditing process.

Service Accounts

Furthermore there is another type of user account that has special access to parts of your network – the Service Account.

Service Accounts are user accounts that are used by software (normally on a server) to carry out automated scheduled tasks such as running backups, or managing your anti-virus administration. These services should never be set up to use Administrator account credentials – there should be at least one dedicated Service Account on your network.

Domain Guest Accounts

Windows has a default guest account called Guest. These guest accounts are the first port of call for criminal hackers wanting to knock at your doorstep and should be immediately and permanently disabled. If a guest account is required, it should not have an obvious name such as Guest.

Domain User Accounts

In some cases, it is necessary to grant special or administrative permissions to users. This should be restricted to Local Admin access (they are Administrators only on their own computers, and not on the Domain).

Local Accounts

These are similar to Domain accounts, but are limited to local access only. Local access can be to a computer or a server. Local accounts can be Administrator accounts, normal user accounts, and Guest accounts. The built-in Administrator and Guest user accounts should always be disabled on workstations, and the built-in Guest user accounts should always be disabled on servers.

Local Groups

On computers and servers, there is a default Security Group called Administrators. Membership of this group should be limited to the domain group Domain Admins.


Cheers
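As an added example (not part of dfke's answer), the group audit described above can be scripted so it runs on a schedule instead of being done by hand. It assumes the RSAT ActiveDirectory module, a hypothetical allow-list of approved admin accounts, and an assumed 90-day password-age policy; custom high-privilege groups should be appended to the list.

```powershell
# Added example: audit the privileged AD groups listed above and the built-in accounts.
# Assumes the ActiveDirectory module and an allow-list ($ApprovedAdmins) you maintain.
Import-Module ActiveDirectory

# Default high-privilege groups; add any manually created admin groups you have documented
$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Schema Admins', 'Enterprise Admins')

# Hypothetical allow-list: sAMAccountNames permitted to hold these memberships
$ApprovedAdmins = @('netadmin.jsmith', 'netadmin.kdoe')

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly added accounts are not missed
    Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object {
        $Member = $_
        $Detail = switch ($Member.objectClass) {
            'user'     { Get-ADUser -Identity $Member.distinguishedName -Properties Enabled, PasswordLastSet, ServicePrincipalName }
            'computer' { Get-ADComputer -Identity $Member.distinguishedName -Properties Enabled }
            default    { $null }
        }
        [pscustomobject]@{
            Group           = $Group
            Member          = $Member.SamAccountName
            ObjectClass     = $Member.objectClass
            Enabled         = $Detail.Enabled
            PasswordLastSet = $Detail.PasswordLastSet
            # An SPN on a privileged account usually means a service account was given admin rights
            HasSPN          = [bool]$Detail.ServicePrincipalName
            Approved        = $ApprovedAdmins -contains $Member.SamAccountName
        }
    }
}

# Report: members not on the allow-list, service accounts, and passwords older than 90 days (assumed policy)
$Findings | Where-Object {
        -not $_.Approved -or $_.HasSPN -or
        ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-90))
    } | Sort-Object Group, Member | Format-Table -AutoSize

# Built-in accounts the answer recommends disabling: Administrator (RID 500) and Guest (RID 501).
# Looking them up by SID catches them even after they have been renamed.
$DomainSid = (Get-ADDomain).DomainSID.Value
foreach ($Rid in 500, 501) {
    $Acct = Get-ADUser -Identity "$DomainSid-$Rid" -Properties Enabled
    if ($Acct.Enabled) { Write-Warning "Built-in account $($Acct.SamAccountName) (RID $Rid) is still enabled" }
}
```

Run it as a low-privilege account that has read access to AD; nothing in it changes group membership, so it is safe to schedule and diff against the previous run.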
arnoldCommented:
Domain Admins and Enterprise Admins are overarching ...
There are other security groups that authorize members of the group with specific rights.
Printer Operators, Server Operators. Certain permissions can be delegated.
Backup Operators, Schema Admins, etc.


Dfke in a way covered some; it depends on what you are after, i.e. if many have access to the login info of the Domain Admin or Enterprise Admin account, auditing will mean nothing, as you would have to identify which user used those credentials.

Using an account that cannot be used for login, but can be used to elevate rights, ties the elevation to the user who is logged in when the rights are elevated to perform a task.
pma111Author Commented:
>There are other security groups that authorize members of the group with specific rights.

Could you give a little more info on this please?
arnoldCommented:
Please see the MS AD existing group breakdown:
https://technet.microsoft.com/en-us/library/cc700835.aspx

It provides scenarios/examples that may help.
Naveen SharmaCommented:
Controlling Privileges of the Administrator Accounts:
http://techgenix.com/controlling-privileges-administrator-accounts/

Implementing Least Privilege Security:
https://www.lepide.com/blog/implementing-least-privilege-security/
Shaun VermaakTechnical SpecialistCommented:
You would be surprised how many people have admin rights. Manage these via this article or use a tool called BloodHound. Implement a proper delegation model.
https://www.experts-exchange.com/articles/29652/Strategy-to-centrally-manage-Local-Administrators-group-from-Active-Directory.html
https://github.com/BloodHoundAD/BloodHound
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html

Protect your built-in Administrators group and the "Allow to replicate" permission, because it can be used to export hashes.
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

You can also isolate tiers to prevent leakage of password hashes
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

and if a vendor requests admin, rather give them a global admin
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

Ensure your local admins on devices are secure and changed regularly
https://www.experts-exchange.com/articles/31583/Active-Directory-Securely-Set-Local-Account-Passwords.html
https://www.experts-exchange.com/articles/30617/How-to-manage-local-account-passwords-from-Active-Directory-without-LAPS.html
or with LAPS
https://technet.microsoft.com/en-us/mt227395.aspx

You mention network in your question... Always have a host-based firewall. Windows firewall is pretty decent
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
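As an added example (not part of Shaun's answer or the linked articles), this is one way to check who actually holds the replication rights mentioned above on the domain head, so that any unexpected holder can be removed. It assumes the ActiveDirectory module and an assumed baseline of principals that hold these rights in a default domain; the extended-right GUIDs are the schema-defined values.

```powershell
# Added example: list principals granted the directory replication extended rights on the
# domain naming context. Assumes the ActiveDirectory module; read access to the domain DACL is enough.
Import-Module ActiveDirectory

# Extended-right GUIDs as defined in the AD schema
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumed baseline: principals that hold these rights in a default domain
$Domain = Get-ADDomain
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($Domain.NetBIOSName)\Domain Controllers",
    "$($Domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

# Read the DACL of the domain head through the AD: PSDrive the module provides
$Acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$Acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ExtendedRight) -and
        # An empty ObjectType means "all extended rights", which includes replication
        ($_.ObjectType -eq [guid]::Empty -or $ReplicationRights.ContainsKey($_.ObjectType.ToString()))
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $ReplicationRights[$_.ObjectType.ToString()] }
            Inherited = $_.IsInherited
            Expected  = $ExpectedHolders -contains $_.IdentityReference.Value
        }
    } |
    Sort-Object Expected, Principal | Format-Table -AutoSize
```

Any row with Expected = False is a principal that can replicate directory data (including password hashes) and should be justified or removed; products that legitimately synchronise with AD will show up here and belong on the baseline list.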
