Active Directory Administrator Security Best Practices

Jun 30, 2020 | ZAG Standards

While we could write entire volumes on the best practices to follow within your Active Directory environment, this article will cover key adjustments you can apply now. Most of these center around administrative rights because these are the keys to the kingdom. Depending on the type of administrator, these accounts can allow access to a full computer or every computer on every domain within your entire network.

Rename local administrator accounts

Clearly, these accounts should be safeguarded as much as possible. How, then, should you start? One of the first things to do is rename the local administrator accounts; these are built-in accounts, and every system has them. There is no point in making things easy for a would-be cybercriminal by leaving these accounts with the default name.

To start, change the name of the default administrator account in the domain and then on local systems using a Group Policy Object (GPO). Once you have done this, where possible, disable the local administrator account and replace it, since these accounts have a well-known Security Identifier (SID) that attackers can target even after the account is renamed. Consider denying these old accounts interactive, service, and batch job logons, and implement logging and alerting for changes to these sensitive accounts.
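The point about the well-known SID is easy to verify: the built-in Administrator always has relative identifier (RID) 500, whatever it is currently called. The PowerShell below is an added example, not code from the original post or from ZAG; it finds the RID-500 account locally and in the domain, reports whether it is still enabled or still carries the default name, and reads the local deny-logon rights to see whether they cover it. It assumes Windows PowerShell 5.1 or later for `Get-LocalUser`, the ActiveDirectory RSAT module for the domain part, and an elevated session for the `secedit` export; the temporary file path is an assumption.

```powershell
# Added example (not from the original post): audit the built-in Administrator
# account by its fixed RID (500) rather than by name, and check the local
# deny-logon rights the article recommends. Run elevated on a domain-joined host.

function Get-BuiltInLocalAdministrator {
    # RID 500 never changes; renaming the account only changes its label.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Get-BuiltInDomainAdministrator {
    # The domain's RID-500 account is <DomainSID>-500; Get-ADUser accepts a SID as identity.
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate, whenChanged
}

function Get-DenyLogonRights {
    # secedit exports the effective local security policy as an INI-style file;
    # the [Privilege Rights] section lists accounts as *SID values.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed temporary path
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $wanted = 'SeDenyInteractiveLogonRight', 'SeDenyServiceLogonRight', 'SeDenyBatchLogonRight'
    $result = @{}
    foreach ($name in $wanted) {
        $line = Select-String -Path $cfg -Pattern "^$name\s*=" | Select-Object -First 1
        $result[$name] = if ($line) { ($line.Line -split '=', 2)[1].Trim() -split ',' } else { @() }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $result
}

# --- Local built-in Administrator -------------------------------------------
$local = Get-BuiltInLocalAdministrator
$local | Select-Object Name, Enabled, LastLogon, SID | Format-List
if ($local.Name -eq 'Administrator') { Write-Warning 'Local RID-500 account still has the default name.' }
if ($local.Enabled)                  { Write-Warning 'Local RID-500 account is still enabled.' }

$deny = Get-DenyLogonRights
foreach ($right in $deny.Keys) {
    $covered = $deny[$right] -contains "*$($local.SID.Value)"
    '{0}: {1}' -f $right, $(if ($covered) { 'denies the RID-500 account' } else { 'does NOT deny the RID-500 account' })
}

# --- Domain built-in Administrator ------------------------------------------
try {
    $domainAdmin = Get-BuiltInDomainAdministrator
    $domainAdmin | Select-Object SamAccountName, Enabled, LastLogonDate, whenChanged | Format-List
    if ($domainAdmin.SamAccountName -eq 'Administrator') { Write-Warning 'Domain RID-500 account still has the default name.' }
} catch {
    Write-Warning "Domain check skipped: $($_.Exception.Message)"
}
```

The rename itself is normally pushed with the GPO security option "Accounts: Rename administrator account", and the deny rights with the "Deny log on locally", "Deny log on as a service" and "Deny log on as a batch job" user rights assignments. For the alerting the article asks for, the Security log events to watch on the domain controllers are 4781 (account name changed), 4738 (user account changed), 4722 (account enabled) and 4725 (account disabled) for the RID-500 SID.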

Take care when adding accounts to high privilege groups

Secondly, be judicious when adding accounts to high privilege groups. Always question your assumptions before adding users to a privileged group – it is easier than having to undo intentional or unintentional damage later. Try to keep the memberships of groups such as Domain Admins, Enterprise Admins, and Schema Admins to a minimum. Schedule a regular review (at least quarterly) to go over and adjust these lists as appropriate. Similarly, review who has local Administrator rights at least on sensitive systems and preferably all systems; you can manage this and automate it via GPO.
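A quarterly review is far less work if each run only has to look at what changed since the last one. The script below is an added example, not code from the original post or from ZAG: it expands the three groups the article names (plus the domain's built-in Administrators group) with nesting resolved, writes a baseline on the first run, and on later runs prints what was added or removed. It assumes the ActiveDirectory RSAT module; the baseline path is a placeholder. Enterprise Admins and Schema Admins exist only in the forest root domain, so run it there or expect a warning for those two groups.

```powershell
# Added example (not from the original post): snapshot privileged group
# membership and diff it against the previous snapshot for periodic review.

Import-Module ActiveDirectory -ErrorAction Stop

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$BaselinePath     = 'C:\AdminReview\privileged-members-baseline.csv'   # hypothetical path

function Get-PrivilegedMembership {
    # -Recursive expands nested groups so indirect members are not missed.
    foreach ($group in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group  = $group
                        Member = $_.SamAccountName
                        Class  = $_.objectClass
                        SID    = $_.SID.Value
                    }
                }
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        }
    }
}

function Compare-WithBaseline {
    param([object[]]$Current, [string]$Path)
    if (-not (Test-Path $Path)) {
        Write-Host "No baseline found; writing the initial snapshot to $Path"
        New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
        $Current | Export-Csv -Path $Path -NoTypeInformation
        return
    }
    $baseline = Import-Csv -Path $Path
    # Key on Group + SID so a renamed account still matches its earlier entry.
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $Current -Property Group, SID -PassThru
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        '{0} {1,-20} {2} ({3})' -f $change, $d.Group, $d.Member, $d.Class
    }
    if (-not $diff) { 'No membership changes since the last review.' }
}

$current = Get-PrivilegedMembership
$current | Sort-Object Group, Member | Format-Table -AutoSize
Compare-WithBaseline -Current $current -Path $BaselinePath

# Once the reviewed changes are approved, overwrite the baseline:
# $current | Export-Csv -Path $BaselinePath -NoTypeInformation
```

For the local Administrators review the article also asks for, `Get-LocalGroupMember -Group Administrators` gives the equivalent view on a single workstation, and the same snapshot-and-diff approach applies when you collect it across systems.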

Create tiered administrator accounts

Finally, create tiered administrator accounts. Even in a smaller environment, this can help limit the damage caused by a single compromised account. Use tiers as appropriate to constrain an account to a specific set of tasks; your everyday user account should not be an administrator of anything. When installing an application with your user account, ideally you should be prompted for a username and password with the appropriate rights to continue. Because the user account lacks sufficient rights, this helps prevent it from inadvertently installing spyware or malware, and at the same time it may prevent a compromised administrator account from reading all of your stored passwords and financial data.

As an environment grows in complexity, add more tiers as appropriate. For a few PCs in a small office with no servers, user accounts and Workstation Administrators may be sufficient. If you add a file server, consider creating server administrator accounts separate from the workstation admins. Grown large enough to need a domain? Use a separate domain administrator account for situations that require the corresponding level of access. Big enough to have a highly complex or highly secure forest? You may even want to consider adding additional tiers such as accounts for Enterprise Administrators or Schema Administrators.

The concept is this: use two tiers at minimum to separate administrative rights from everyday user tasks. Use as many tiers as your security requirements call for, and never use an account with more permissions than the task at hand needs. Each tier should theoretically be smaller than the tier below it, but as a hierarchy some account types (such as server administrators and workstation administrators) may sit at roughly the same level and represent the same group of people. This is fine. Resist the temptation to combine these accounts for the sake of simplicity when one of them is more likely to be compromised than the other (as is the case with workstation accounts, which may come in contact with the occasional infected system).
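The two rules in this section, that an account holds rights in one tier only and that everyday user accounts are administrators of nothing, can be checked mechanically. The script below is an added example, not code from the original post or from ZAG. It maps groups to tiers, expands their membership, and flags any account that appears in more than one tier or that holds privileged membership without following a dedicated-admin naming convention. The tier assignments, the `Server Administrators` and `Workstation Administrators` group names, and the `-adm` suffix convention are all assumptions for illustration; substitute your own. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): detect accounts that straddle
# tiers, and privileged accounts that look like everyday user accounts.

Import-Module ActiveDirectory -ErrorAction Stop

# Tier 0: forest and domain control.  Tier 1: servers.  Tier 2: workstations.
$TierMap = @{
    'Schema Admins'              = 0
    'Enterprise Admins'          = 0
    'Domain Admins'              = 0
    'Server Administrators'      = 1   # hypothetical group name
    'Workstation Administrators' = 2   # hypothetical group name
}
# Hypothetical convention: dedicated admin accounts end in "-adm".
$AdminNamePattern = '-adm$'

function Get-TierMembership {
    # One row per (account, group, tier), with nested groups expanded.
    foreach ($group in $TierMap.Keys) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{ Account = $_.SamAccountName; Group = $group; Tier = $TierMap[$group] }
                }
        } catch {
            Write-Warning "Skipping '$group': $($_.Exception.Message)"
        }
    }
}

function Find-TierViolations {
    param([object[]]$Rows)
    foreach ($acct in ($Rows | Group-Object Account)) {
        $groups = ($acct.Group.Group | Sort-Object -Unique) -join '; '
        $tiers  = $acct.Group.Tier  | Sort-Object -Unique
        if ($tiers.Count -gt 1) {
            [pscustomobject]@{
                Account = $acct.Name
                Problem = "Holds rights in tiers $($tiers -join ', ')"
                Groups  = $groups
            }
        }
        if ($acct.Name -notmatch $AdminNamePattern) {
            [pscustomobject]@{
                Account = $acct.Name
                Problem = 'Privileged account does not follow the admin naming convention (everyday user account?)'
                Groups  = $groups
            }
        }
    }
}

$rows       = Get-TierMembership
$violations = Find-TierViolations -Rows $rows
if ($violations) { $violations | Format-Table -AutoSize -Wrap } else { 'No cross-tier or naming violations found.' }
```

Detection is only half of it: the usual way to make the tiers hold is a GPO on the workstation OU that adds the Tier 0 and Tier 1 groups to "Deny log on locally", so a domain administrator credential is never presented to a workstation that may be infected.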

By implementing these basic best practices, you will have gone a long way towards substantially reducing the risk of unwanted chaos in your network in the form of malware, compromise, and other cyber nuisances.

If you liked this post, you might enjoy our posts on managing local admin account passwords, and cleaning stale data in Active Directory.