Securing Administrators

  • Question

  • All,

    We have been asked to perform privileged access management. One of our first requirements is to require MFA access for all console access, which is relatively simple. But I am curious as to what steps others are implementing in regards to securing remote administration. For example, we do have a few applications which require domain administrative rights, and we have configured deny log on locally and via RDP, but what would prevent someone from running ADUC remotely with these credentials if they were acquired? Are you stopping the admin shares?

    Please share the steps you have taken.

    Thanks

    Paul


    Paul Glickenhaus

    Monday, June 26, 2017 6:57 PM

All replies

  • I typically implement privileged access/password management so that no one has the credentials and privileged accounts are securely managed with full audit trail capabilities.

    I've previously used BeyondTrust and Thycotic.


    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, June 27, 2017 5:26 AM
  • Hi,

    >>For example, we do have a few applications which require domain administrative rights, and we have configured deny log on locally and via RDP, but what would prevent someone from running ADUC remotely with these credentials if they were acquired? Are you stopping the admin shares?

    Please share the steps you have taken.

    You could check this for your reference:

    Best practice for securing Active Directory

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, June 27, 2017 7:08 AM
    Moderator
  • We are using Thycotic for password management, but I am just looking at some of the back doors. For example, we close the local and RDP logon, but what about the shares or tools such as ADUC and Sites and Services if someone does compromise a protected account?

    Paul Glickenhaus

    Tuesday, June 27, 2017 2:49 PM
  • We are going through that doc as well as the domain hardening through Security Compliance Manager. We did find some inconsistencies between the two. The doc references disabling the local domain administrator account and setting up deny log on locally, but that is never an option in SCM. I also don't agree with that one, since we actually needed the local domain account during a domain recovery. Do you think disabling the local admin account is a good best practice?

    Paul Glickenhaus

    Tuesday, June 27, 2017 2:55 PM
  • IMO the account should be renamed and disabled. Additionally consider implementing LAPS to manage the password, even though the account is disabled so the password is unique to each machine across your fleet. It's easy to identify a local admin account by its SID so best to have it not easily available.

    From memory, you can still log in using the built-in administrator from Safe Mode (in the event you need to) and re-enable it.


    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, June 28, 2017 12:21 AM
  • Yes, I understand that it should be disabled and can still log on locally. Do you happen to know if you can still log on via RDP, as would be the case if the DC was in Azure or AWS, which do not have local console login capabilities? I am not even sure how you get Safe Mode on a cloud server. (I will research that now.)

    Paul Glickenhaus

    Wednesday, June 28, 2017 5:02 PM
  • Has anyone implemented MFA for RDP on servers? What are your thoughts? If we do this for users who have administrative access, has anyone implemented any measures in regards to preventing users from pivoting to other machines that they may have access to while using remote administration tools?

    Thanks


    Paul Glickenhaus

    Wednesday, June 28, 2017 8:02 PM
  • I have a question in regards to the link provided.

    Appendix H: Securing Local Administrator Accounts and Groups

    On all versions of Windows currently in mainstream support, the local Administrator account is disabled by default, which makes the account unusable for pass-the-hash and other credential theft attacks

    I have built thousands of servers, whether physical, virtual, in Azure or in AWS, and not once have I ever seen the local administrator account disabled by default.

    Have you or anyone else seen this occur? My only concern is that I am in the middle of an internal audit and they have referenced this document, and I do believe I am going to have to provide a management response that this may actually be inaccurate.

    Thoughts?


    Paul Glickenhaus

    Friday, June 30, 2017 11:57 AM
  • Hi,

    >>Have you or anyone else seen this occur? My only concern is that I am in the middle of an internal audit and they have referenced this document, and I do believe I am going to have to provide a management response that this may actually be inaccurate.

    I have tested in my lab. In Win7 and Win10, the local administrator is disabled by default.

    But in Windows Server 2012 R2, it was not disabled by default. It seems to be only in Windows client.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 3, 2017 3:01 AM
    Moderator
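As an added example that is not from any of the posts above, the following read-only PowerShell audit ties together Georg's point that the built-in account is identified by its RID-500 SID (so renaming alone hides nothing), Cartman's lab check of whether it is disabled by default, and Paul's question about which deny-logon rights are actually assigned. It assumes an elevated session on Windows 10 / Server 2016 or later (for `Get-LocalUser`); `secedit` and the right names it exports are standard Windows.

```powershell
# Added example (not from the thread): audit the built-in Administrator account and
# the "deny log on" user rights on the local machine. Read-only; run elevated.

# The built-in Administrator always has RID 500, whatever it has been renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

if (-not $builtinAdmin) {
    Write-Warning 'No RID-500 account found; Get-LocalUser may need elevation.'
} else {
    [pscustomobject]@{
        Name            = $builtinAdmin.Name
        Renamed         = ($builtinAdmin.Name -ne 'Administrator')
        Enabled         = $builtinAdmin.Enabled      # servers: enabled by default; clients: disabled
        PasswordLastSet = $builtinAdmin.PasswordLastSet
        SID             = $builtinAdmin.SID.Value
    } | Format-List
}

# Export the user rights assignments. secedit writes an INI-style file whose
# [Privilege Rights] section lists principals, SIDs prefixed with '*'.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Local and RDP logon are the two rights the thread mentions; network logon is the
# one that governs SMB share and remote MMC access with the same credentials.
$denyRights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
}

$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$' -and $denyRights.ContainsKey($Matches[1])) {
        $found[$Matches[1]] = $true
        $principals = $Matches[2] -split ',' | ForEach-Object {
            $p = $_.Trim().TrimStart('*')
            # Translate SIDs back to account names where possible; otherwise keep the raw value.
            try { (New-Object System.Security.Principal.SecurityIdentifier($p)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $p }
        }
        '{0}: {1}' -f $denyRights[$Matches[1]], ($principals -join ', ')
    }
}
# A right that is not assigned to anyone does not appear in the export at all.
foreach ($r in $denyRights.Keys) {
    if (-not $found.ContainsKey($r)) { '{0}: (not assigned)' -f $denyRights[$r] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```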