There can be multiple reasons as to why one might feel the need of delegating their Admin Privileges through Active Directory to other standard users such as for installing updates or maintenance of already installed programs. However recent studies have revealed that most of the security breaches find their source in privileged user accounts. It is hence imperative that the accounts with Admin Privileges are well guarded and there are certain parameters you can implement while assigning Admin Privileges using Active Directory.
Never Add Users to the Domain Admin Group
If administrative privileges need to be delegated to other standard users, there is no need of registering the members to the Domain Admins Group. You can give the details of the shared privileged accounts or you can simply make these standard users the Administrators. It is prudent to do work using domain that has the least privilege policy for instance one or two Domain Administrators etc.
If any user requires administrative privileges to accomplish particular tasks, you can even assign your Admin Privileges temporarily for a defined span of time but keep a reminder for revoking these privileges when the task is finished.
All Network Admins must define a pro-active and constant process for auditing and keeping tabs on privileged user accounts –whether it is native auditing such as power shell scripts or through automatic solutions. If you do this you can keep an eye on all the standard users that have been assigned administrative privileges along with the time span that they have used these privileges for and the day where their privileges have to be revoked.
Of course it is also equally important to keep an eye on the changes and modifications that are made by these privileged accounts; you must access the logon and logoff events of all of these users and make a note of any anomaly.
The passwords for all the privileged accounts must be changed every month or fortnight either it can be done manually by keeping reminders on the date due for password change or by any automatic process. You can also opt for one-time passwords for those who are being given temporary admin privileged. Remember to never keep the passwords that are “never expire passwords” on such privileged Accounts.
Backup and Recovery Plan
You must remember to make regular backups of all the data in the Active Directory. Apart from these backups for the operating system, you should also come up with an easy process for restoring this data or any changes. You can make use of a simple native process or use any easy third-party solution. It is wise to set up a method that can restore multiple kinds of data within seconds.
Deal with all the Obsolete Accounts
You must conduct a once in a month analysis of all the obsolete accounts which have been inactive for at least 15 day. All such accounts must be disabled and transferred to another unit which can manage them. However when these accounts have been inactive for 45 to 90 days, they must be deleted for good because these can be used for cyber crimes later on.
Recording of Sessions
For further strengthening the security measure of Active Directory you can monitory the activity session of all privileged accounts each time they sign in to do any task.
Manage the Embedded Credentials
The login details of any administrator or the associated privileged account must kept saved under protected scripts or on other service accounts. All these passwords must be checked frequently and changed on a daily basis. If you are on any automatic system then these passwords will change on their own after a set time but when this happens there must also be a way to update these in the scripts and service accounts as well.
If you are still not satisfied with the Active Directory measures then you can add an extra layer for security which will allow the user to use certain components of the server without revealing to them the passwords or showing them any sensitive data.
There are many steps that an administrator can take to minimize the risk factors that are generated as a result of delegating administrative privileges to other standard users; either by native processes or by using any third-party solutions.
Native methods don’t modify anything in the auditing configuration but keeping tabs on the activity of all users can be technical. Because of this many people like using the third-party solutions such as Lepide Auditor Suite which simplifies this task by giving a pro-active and an automated source of monitoring the activity sessions of privileged users.