The US Government reportedly has evidence that the Sony hack in November 2014 was carried out using stolen domain administrator credentials, and while at the time of writing there has been no official confirmation, it’s conceivable that this could be the case. Windows domain administrator credentials potentially allow an attacker to gain access to all servers in a domain, and although care must also be taken to protect server local administrator accounts, they provide an element of damage limitation by restricting access to individual servers.
Whether compromised administrator credentials turn out to be the way hackers gained entry to Sony’s systems or not, the misuse and proliferation of administrator accounts across most organizations’ IT systems is a risk that can be significantly reduced by following a few simple best practices.
1. Isolate Domain Controllers
The servers that run Windows Active Directory are called domain controllers (DCs), and it’s critical that they are properly secured, both physically and logically. The first step to that goal is to make sure domain controllers don’t host workloads other than Active Directory. For example, a domain controller shouldn’t double up as a file or SQL database server for a line-of-business application. It’s also worth mentioning that domain controllers should be physically secured.
Beginning in Windows Server 2012, support for virtualization makes it easier to ensure that domain controllers don’t need to host other workloads. Domain controller isolation also allows for separation of administration duties, i.e. regular maintenance of servers not hosting Active Directory shouldn’t require domain administrator privileges, and along with delegation of control, DC isolation helps you to manage change on your systems.
2. Delegation of Control
Privileged accounts should never be used to log in to user workstations, and only be permitted for use on devices designated for administering sensitive systems. IT staff don’t need domain administrator accounts to perform regular tasks if you delegate rights. Start by configuring Active Directory so that a group other than Domain Admins is able to join computers to the domain, and follow that by devising a strategy to assign Remote Desktop access to a designated group.
Use the Delegation of Control Wizard in Windows Server to get started in assigning Active Directory access to IT staff, so they can perform daily administration tasks, such as user and group management. And while it’s not possible to completely remove the need to use domain administrator credentials, you can assign a restricted group of users the right to reboot domain controllers, set up event log forwarding, and configure Windows Update to minimize the frequency with which domain administration credentials are required.
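The Delegation of Control Wizard is one way to grant these rights; the same delegation can be scripted, which keeps it repeatable and reviewable. The following is an added example, not code from the original article: it grants a dedicated group the minimum rights needed to join computers to one OU (create and delete computer objects there, plus reset password, account restrictions and the validated DNS-name and SPN writes on computer objects under it), so helpdesk staff never need Domain Admins membership for that task. The group name WorkstationJoiners and the OU distinguished name are placeholders, and it assumes the ActiveDirectory PowerShell module is installed and that the standard Extended-Rights display names are present in the forest.

```powershell
# Added example (not from the original article): delegate computer-join rights
# on a single OU to a non-privileged group instead of using Domain Admins.
# Placeholders: the OU DN and the group name. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDn    = "OU=Workstations,DC=corp,DC=example"     # placeholder OU
$group   = Get-ADGroup -Identity "WorkstationJoiners" # placeholder group
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID
$rootDse = Get-ADRootDSE

# Resolve object-class and extended-right GUIDs from the forest itself
# rather than hard-coding them.
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

function Get-RightsGuid([string]$DisplayName) {
    # Looks up a controlAccessRight (extended right or property set) by display name.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$right.rightsGuid
}

$acl         = Get-Acl -Path "AD:\$ouDn"
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$all         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1. Create and delete computer objects in the OU and any sub-OUs.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $createDelete, $allow, $computerGuid, $all)))

# 2. On computer objects beneath the OU, only the rights a domain join needs.
$joinRights = @(
    @{ Right = 'ExtendedRight'; Guid = Get-RightsGuid 'Reset Password' },
    @{ Right = 'WriteProperty'; Guid = Get-RightsGuid 'Account Restrictions' },
    @{ Right = 'Self';          Guid = Get-RightsGuid 'Validated write to DNS host name' },
    @{ Right = 'Self';          Guid = Get-RightsGuid 'Validated write to service principal name' }
)
foreach ($r in $joinRights) {
    $adRight = [System.DirectoryServices.ActiveDirectoryRights]$r.Right
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $adRight, $allow, $r.Guid, $descendents, $computerGuid)))
}

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show exactly which ACEs the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.Name)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Scoping the ACEs to computer objects under one OU, rather than granting Full Control on the OU, is the point: the group can join and re-image machines in that OU but cannot touch users, groups or anything outside it. The final Get-Acl listing is worth keeping in a change record so the delegation can be audited later.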
3. Protected Users and Authentication Silos
The Protected Users group, in Windows Server 2012 and later, applies restrictions to user accounts that are designed to reduce the likelihood of compromise, including blocking the legacy NTLM authentication protocol, weak encryption in the Kerberos pre-authentication process, and Kerberos delegation.
Additionally, Windows Server 2012 R2 introduced authentication policies and silos, which can be used to restrict the devices from which users can authenticate. For example, you could create a policy and silo that prevent domain administrators from authenticating from anything but domain controllers.
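Both controls can be applied with the ActiveDirectory PowerShell module. The following is an added example, not code from the original article: it adds the domain administrator accounts to Protected Users, then creates an authentication policy and silo so those accounts can obtain tickets only from devices that are themselves silo members, here the domain controllers. The account names and the silo and policy names are placeholders. It assumes a domain functional level of Windows Server 2012 R2 or higher and that the Group Policy settings for KDC and client support for claims, compound authentication and Kerberos armoring are already enabled, since silo conditions are evaluated through armored Kerberos exchanges.

```powershell
# Added example (not from the original article): Protected Users plus an
# authentication policy silo that confines domain admins to domain controllers.
# Placeholders: the admin account names, the silo and policy names.
Import-Module ActiveDirectory

$admins     = @("da.alice", "da.bob")    # placeholder admin accounts
$dcs        = Get-ADDomainController -Filter * | Select-Object -ExpandProperty ComputerObjectDN
$siloName   = "DA-Silo"
$policyName = "DA-Policy"

# 1. Protected Users: blocks NTLM, DES/RC4 Kerberos pre-auth and delegation,
#    and shortens the TGT lifetime for these accounts.
Add-ADGroupMember -Identity "Protected Users" -Members $admins

# 2. Authentication policy: 120-minute TGT, and the user may authenticate only
#    from a device whose own AuthenticationSilo attribute names this silo.
$fromSiloSddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $fromSiloSddl `
    -Enforce

# 3. The silo ties the accounts and the DCs to that policy. Use -Enforce:$false
#    first to run in audit-only mode and confirm nothing legitimate breaks.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -Enforce

# 4. Each principal must be permitted into the silo, then assigned to it.
foreach ($account in ($admins + $dcs)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $account
}
foreach ($u in $admins) { Set-ADUser     -Identity $u -AuthenticationPolicySilo $siloName }
foreach ($dn in $dcs)   { Set-ADComputer -Identity $dn -AuthenticationPolicySilo $siloName }

# Check: list the silo's members to confirm both the admins and the DCs are in it.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members
```

The domain controllers have to be silo members because the policy condition is evaluated against the device the user logs on from; leave them out and the administrators can authenticate from nowhere at all. Keep at least one break-glass account outside both the silo and Protected Users, stored offline, so a misconfiguration cannot lock every administrator out of the domain.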