The Importance of Limiting Domain Admin Groups

Dec 8, 2020 | Security

When it comes to IT security, it is hard to overstate the importance of limiting the use of the Domain Admins group. This is a key practice for reducing the attack surface of your network. When you know attacks will inevitably come, you want the impact to be as minimal as possible.

The Domain Admins group has local admin rights on every domain-joined server and PC in most configurations. Once a single PC is compromised, a malicious actor can compromise the whole network – if Domain Admin access is stolen from it. Here’s how to protect that precious and all-too-powerful Domain Admins group.

Step 1

When an account needs Domain Admin access, it’s recommended to put it in the Domain Admins group just for a limited window of time.  And once the work is complete, that user account should be removed from the Domain Admins group. 

Conducting work daily with an account that has permanent Domain Admin privileges may be tempting fate, at best.  A compromise of that account would be the pot of gold at the end of the rainbow for an attacker. 

Step 2

It is recommended that IT admins have two Windows accounts: one for everyday non-admin use, and a separate account for temporary Domain Admins group access. Workers should only use an account with the least amount of access and privilege needed to get their work done. Limiting an account to a small set of functions greatly reduces the attack surface, which means limiting the impact to your business in the event of a compromise.

Admins can also use separate accounts for server administration, network device administration, and so on. And wherever possible, remove the need to share a domain admin password. When an IT administrator leaves the company, no one enjoys that password change process.

Step 3

Be sure to clean up old User and Computer accounts.  You can run reports to see which accounts haven’t been used in a while.  A stale admin account lingering in AD would be like leaving your front door open.  These accounts could be discovered and used by an attacker if not recognized and disabled by IT staff first. 
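The three steps above, as an added PowerShell example (not from the original post): it reports who is in Domain Admins and whether each membership is permanent, grants membership that Active Directory removes by itself when the window closes, and lists enabled accounts that have gone unused. It assumes the ActiveDirectory (RSAT) module, a placeholder domain `contoso.com`, a 90-day staleness threshold, and, for the time-limited add, that the forest optional feature "Privileged Access Management Feature" has been enabled.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module
# and the forest optional feature "Privileged Access Management Feature" (needed for
# -MemberTimeToLive). 'contoso.com' and the 90-day threshold are placeholder values.
Import-Module ActiveDirectory

$Domain    = 'contoso.com'
$StaleDays = 90

# Steps 1 and 2: who is in Domain Admins right now, and is each membership
# permanent or an expiring (time-to-live) link?
function Get-DomainAdminReport {
    $group = Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive -Server $Domain
    foreach ($entry in $group.member) {
        # With -ShowMemberTimeToLive, expiring links are returned as "<TTL=seconds>,<DN>"
        if ($entry -match '^<TTL=(\d+)>,(.+)$') {
            $ttl = [int]$Matches[1]; $dn = $Matches[2]
        } else {
            $ttl = $null; $dn = $entry
        }
        $acct = Get-ADObject -Identity $dn -Properties sAMAccountName, lastLogonTimestamp -Server $Domain
        [pscustomobject]@{
            Account        = $acct.sAMAccountName
            Permanent      = ($null -eq $ttl)
            ExpiresInHours = if ($null -ne $ttl) { [math]::Round($ttl / 3600, 1) } else { $null }
            LastLogon      = if ($acct.lastLogonTimestamp) { [DateTime]::FromFileTime($acct.lastLogonTimestamp) } else { 'never' }
        }
    }
}

# Step 1: grant membership for a limited window; AD drops the member when the TTL expires,
# so nobody has to remember to remove the account afterwards.
function Grant-TemporaryDomainAdmin {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 4)
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Server $Domain
    if (-not $pam.EnabledScopes) { throw 'PAM optional feature is not enabled; membership would be permanent.' }
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName `
        -MemberTimeToLive (New-TimeSpan -Hours $Hours) -Server $Domain
}

# Step 3: enabled user and computer accounts that have not logged on for $StaleDays days.
function Get-StaleAccounts {
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays) -Server $Domain |
        Where-Object { $_.Enabled } |
        Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName
}

Get-DomainAdminReport | Format-Table -AutoSize
Get-StaleAccounts     | Format-Table -AutoSize
```

Review the stale-account list before disabling anything; service and cluster accounts can legitimately show no interactive logon.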

These are just a few of the ways to decrease the impact to your business from the malicious use of Windows account privileges.  Implementing least-privilege administrative models will help to ensure that only authorized users and specific tasks are using the precious Domain Admins group. 

If you have questions about how you can better protect your network, give us a call at 630.832.0075 or send an email to info@peters.com to get started! Peters & Associates engineers are dedicated to securing your network; with 24/7 monitoring and support, our Managed Services and PULSE Alarm will never leave you guessing.