Am I Structuring User Accounts and RDP Access Correctly?

Asked By CuriousCoder42 On

Hey everyone! I'm a network engineer working with a small team that manages around 200–300 servers. I noticed that everyone was using a single account that belonged to the Domain Admins group for their daily tasks, which raised some security concerns for me. So, I raised the issue and proposed some changes that I'd love to get feedback on.

I implemented the following changes:
1. Each admin now has two accounts: a standard domain user account and a domain admin account.
2. I set up Group Policies to deny RDP access for Domain Admins, Enterprise Admins, and Schema Admins on all servers.
3. I ensured Domain Admins aren't included in the policy that denies access to the network, allowing them to elevate privileges when needed.
4. I created a Remote Access group to allow RDP access, which includes the standard domain user accounts.

The challenge I'm currently facing is that some of our patch management tools, like Ivanti and PDQ, were initially running under our Domain Admin accounts. Now that those accounts are standard users, the tools are failing to work properly. My thought is to create dedicated service accounts with admin-level permissions for these tools. Would that work with the GPOs I've set up, or would I need to use the local admin account instead? I'd appreciate any insights or best practices!
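To check that the four changes listed above actually hold on the directory and on a server, here is an added audit script. It is not the poster's own code. It assumes the RSAT ActiveDirectory module, that the RDP-allow group is named "Remote Access" as in the question (adjust if yours differs), and that the secedit part runs on one of the managed servers with local admin rights. It reports any account that sits in a privileged group and in the RDP-allow group at the same time, confirms the three privileged groups are in the "Deny log on through Remote Desktop Services" right on that server, and confirms Domain Admins are not in "Deny access to this computer from the network" (point 3).

```powershell
# Added audit script; not the poster's own code. Assumptions: RSAT ActiveDirectory
# module installed, RDP-allow group called "Remote Access" (the name used in the
# question; change it if yours differs), secedit step run on a managed server
# with local admin rights.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$rdpAllowGroup    = 'Remote Access'   # assumed group name

# Resolve user members recursively so nested groups do not hide anyone.
function Get-UserMembers([string]$Group) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}

# Check 1: no account in a privileged group is also in the RDP-allow group.
# Any overlap means an admin account can still RDP to every server, which
# defeats the two-account split.
$privilegedMembers = $privilegedGroups | ForEach-Object { Get-UserMembers $_ } | Sort-Object -Unique
$rdpMembers        = Get-UserMembers $rdpAllowGroup
$overlap           = $privilegedMembers | Where-Object { $rdpMembers -contains $_ }

if ($overlap) { Write-Warning "Privileged accounts that can also RDP: $($overlap -join ', ')" }
else          { Write-Output  "OK: no privileged account is a member of '$rdpAllowGroup'." }

# Check 2: export the effective user-rights assignment on this server (GPO
# already merged in). secedit writes SIDs prefixed with '*', e.g.
#   SeDenyRemoteInteractiveLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg

function Get-RightSids([string[]]$Lines, [string]$Right) {
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Well-known RIDs under the domain SID: 512 Domain Admins, 518 Schema Admins,
# 519 Enterprise Admins.
$domainSid = (Get-ADDomain).DomainSID.Value
$expected  = @{
    'Domain Admins'     = "$domainSid-512"
    'Schema Admins'     = "$domainSid-518"
    'Enterprise Admins' = "$domainSid-519"
}

$denyRdp = Get-RightSids $policy 'SeDenyRemoteInteractiveLogonRight'
$denyNet = Get-RightSids $policy 'SeDenyNetworkLogonRight'

foreach ($name in $expected.Keys) {
    if ($denyRdp -contains $expected[$name]) { Write-Output "OK: $name is denied RDP logon here." }
    else { Write-Warning "$name is NOT in 'Deny log on through Remote Desktop Services' on this server." }
}

# Point 3 of the question: Domain Admins must keep network logon, or remote
# elevation (admin shares, WMI, Enter-PSSession) stops working.
if ($denyNet -contains $expected['Domain Admins']) {
    Write-Warning "Domain Admins are denied network logon here; remote elevation will fail."
} else {
    Write-Output "OK: Domain Admins are not denied network logon."
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it from a standard account for the directory checks and once on a representative server for the secedit part; because the export reflects the merged local policy, it shows what the GPO actually produced rather than what the GPO editor says.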

3 Answers

Answered By SysAdminPro On

It sounds like you're on the right track! In our experience, separating accounts is a best practice, especially for RDP access. It's essential to minimize privileges on day-to-day usage.

To reply to your challenge, creating service accounts should work, but you might want to check if your tools can use local service identities for better integration into your network environment. Keep in mind that local service accounts can run scans and jobs without needing domain privileges, which could work out well for your situation.

PatchManagementHero -

Great suggestion on local service identities! I hadn't thought about that approach, but it could simplify a lot of things.

WorkstationWizard -

You also might consider using LAPS to manage local admin passwords effectively. It could help a lot!

Answered By SecurityWhiz On

In my opinion, blocking direct RDP access for admin accounts is a good practice, especially if you want to reduce potential attack vectors. However, I think it's important to ensure that admins can still elevate to admin rights efficiently.

If your team only works on servers and you have a management network that is somewhat restricted, you've created a good foundation for security. Just be vigilant about how those accounts are used and consider having some form of monitoring in place.
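For the "have some form of monitoring" point, here is an added detection script that is not part of the original answer. It assumes the admin accounts follow a naming convention ending in "-adm" (a placeholder; substitute your own) and that it runs on a server with rights to read the Security log. Logon type 10 is RemoteInteractive, i.e. RDP; a 4624 of type 10 for an admin account means the deny policy is not effective on that host, while a 4625 with status 0xC000015B is the deny right working as intended.

```powershell
# Added detection example; not from the original answer. Assumption: admin
# accounts end in "-adm" (placeholder naming convention). Run on a server with
# rights to read the Security log.
param(
    [string]$AdminSuffix = '-adm',   # placeholder naming convention
    [int]$Hours = 24
)

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull one named field out of the event's EventData XML.
function Get-EventField($Record, [string]$Name) {
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$findings = foreach ($e in $events) {
    $user = Get-EventField $e 'TargetUserName'
    if ($user -notlike "*$AdminSuffix") { continue }
    if ((Get-EventField $e 'LogonType') -ne '10') { continue }   # RDP logons only

    $result = if ($e.Id -eq 4624) {
        'RDP SUCCEEDED: admin account reached a server desktop; check the deny GPO'
    } else {
        "blocked (status $(Get-EventField $e 'Status'))"
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $user
        Source  = Get-EventField $e 'IpAddress'
        Result  = $result
    }
}

# Successful type-10 logons by admin accounts are the rows to alert on; the
# expected output is "blocked" rows only, ideally none at all.
$findings | Sort-Object Time | Format-Table -AutoSize
```

The same filter translates directly into a SIEM rule: EventID 4624, LogonType 10, account matching the admin naming convention. Feeding every server's Security log to a central collector is what makes this useful at 200-300 servers rather than a one-off check.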

AdminAdvocate -

Yes, I've observed that elevating admin rights is useful. I’d advocate for monitoring just as you mentioned, especially as your team grows.

PrivilegedPathfinder -

Absolutely! You can also restrict which admin accounts can perform certain actions, making it even safer.

Answered By TechieGuru99 On

Your approach looks solid! In our setup, we have a similar structure:
1. Each user has a regular account for day-to-day tasks and a separate server admin account for managing servers, which is only accessible from privileged access workstations (PAWs).
2. We've implemented strict GPO settings to prevent RDP access from non-PAW systems.
3. All accounts require multi-factor authentication for added security.

As for your current challenge with the patch management tools, creating dedicated service accounts sounds right. Just make sure those accounts are tied to the correct security groups you've configured in your GPO.

One resource I’d suggest looking at is the concept of Tier 0 assets in order to better protect your domain controllers and admin accounts.
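To make the service-account advice concrete, here is an added example for creating a dedicated patch-tool account and verifying it ends up in the right groups. It is not the poster's code and not anything from Ivanti or PDQ. Placeholders you must replace: the OU, the account name, and "Patch-Server-Admins", a group that your GPO (Restricted Groups or Group Policy Preferences) puts into the local Administrators group on the managed servers. The verification step matters for the GPO question in the thread: the deny-RDP policy keys on group membership, so a plain service account is unaffected by it, and a push-style tool needs network logon (SMB/WMI), not RDP.

```powershell
# Added example; not the poster's code and not vendor code. Placeholders: OU,
# account name, and the "Patch-Server-Admins" group that a GPO maps into the
# local Administrators group on managed servers. Requires the ActiveDirectory
# module and rights to create users in the OU.
Import-Module ActiveDirectory

$svcName  = 'svc-patchmgmt'                               # placeholder
$svcOU    = 'OU=Service Accounts,DC=corp,DC=example'      # placeholder
$adminGrp = 'Patch-Server-Admins'                         # placeholder
$tier0    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 32 random bytes -> a 44-character password nobody will ever type. Paste it
# into the tool's credential store, then discard it; rotate on a schedule.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES256 `
    -Description 'Patch management service account (Ivanti/PDQ)'

# Admin rights on servers come only through this group, never through Tier 0.
Add-ADGroupMember -Identity $adminGrp -Members $svcName

# Verify: in $adminGrp, in none of the Tier 0 groups (resolved recursively),
# and not in the RDP-allow group either. A compromise of the patch tool must
# not become a domain compromise.
$sid = (Get-ADUser $svcName).SID.Value
function Test-Member([string]$Group) {
    $hit = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.SID.Value -eq $sid } |
        Select-Object -First 1
    return [bool]$hit
}

if (-not (Test-Member $adminGrp)) { Write-Warning "$svcName is not in $adminGrp" }
foreach ($g in $tier0 + 'Remote Access') {
    if (Test-Member $g) { Write-Warning "$svcName is in $g; remove it" }
}
```

If the tool supports group managed service accounts, prefer one (New-ADServiceAccount); it removes the stored password from the picture entirely. Either way, the account should appear in the "Deny log on through Remote Desktop Services" and "Deny log on locally" rights on the servers, since it only ever needs network logon.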

NetworkNinja77 -

That makes sense! I was also considering merging some of those accounts but maybe separating them sounds safer. Thanks for the input!

SecuritySavant33 -

Totally agree! Protecting tier 0 assets is crucial, and tools like BloodHound can help identify any vulnerabilities.
