    Least Privilege Accounts Setup

    IT Discussion · Tags: security, active directory · 18 Posts · 6 Posters · 2.2k Views
    • black3dynamite @zachary715

      @zachary715 said in Least Privilege Accounts Setup:

      @dafyre said in Least Privilege Accounts Setup:

      @zachary715 said in Least Privilege Accounts Setup:

      One example: I'm currently working on a "remote" user in AD for when our plant manager and VP want to log in remotely for various purposes such as accessing the intranet, accessing file shares, or viewing some console stations.

      When accessing something like file shares, do you just give that "remote" user the minimal access for all the things they need to see while logging in remotely, or is there some way to have a mapped drive or network share shortcut prompt for credentials every time you want to access the share?

      If they are working remotely, why not just have them sign in as themselves? Seems like having a "remote" user is overkill.

      We've had this setup just for simplicity, but I see what you're saying. Even if I had them sign in individually though, how would you go about their access privileges? Create a local admin account on the machine that they can use for escalation when necessary? What sort of risks am I running into there?

      I sometimes have to add the AD user to the local Administrators group on their local computer. But giving a user local administrator rights would encourage installing random applications and modifying services, or access to local folders/files that require admin rights.

      • dafyre @zachary715

        @zachary715 said in Least Privilege Accounts Setup:


        We've had this setup just for simplicity, but I see what you're saying. Even if I had them sign in individually though, how would you go about their access privileges? Create a local admin account on the machine that they can use for escalation when necessary? What sort of risks am I running into there?

        The same risks that you take when letting them run as a local admin already. This just adds an extra step for them to take before installing or uninstalling software.

        • JaredBusch

          I create an AD account specifically for local admin rights.

          This account information is usually given to department managers.
          So if software or something needs to be installed, and they choose not to contact me, they can.

          They are also warned that fixing something will be billed...

          • zachary715 @JaredBusch

            @jaredbusch said in Least Privilege Accounts Setup:

            I create an AD account specifically for local admin rights.


            So you have one AD account set up that multiple department managers use when they need something that requires admin privileges? And then do you give that account local admin rights on each machine, or give it some sort of admin authority within the domain itself?

            • JaredBusch @zachary715

              @zachary715 said in Least Privilege Accounts Setup:


              So you have one AD account set up that multiple department managers use when they need something that requires admin privileges? And then do you give that account local admin rights on each machine, or give it some sort of admin authority within the domain itself?

              That account gets local admin rights only. No other access.

              • JaredBusch @JaredBusch

                @jaredbusch said in Least Privilege Accounts Setup:


                That account gets local admin rights only. No other access.

                If I was an on-site IT department, I would probably do it a bit differently. I would have time to experiment and set up better methods.

                • zachary715 @JaredBusch

                  @jaredbusch said in Least Privilege Accounts Setup:


                  If I was an on-site IT department, I would probably do it a bit differently. I would have time to experiment and set up better methods.

                  Yeah this is what I'm going through now and why I'm coming to the community to get input. Trying to think through this carefully and make sure I do it right and the way I want it done the first time.

                  • black3dynamite @zachary715

                    @zachary715 said in Least Privilege Accounts Setup:


                    Yeah this is what I'm going through now and why I'm coming to the community to get input. Trying to think through this carefully and make sure I do it right and the way I want it done the first time.

                    With the help of GPO Preferences, you could take advantage of Item-level targeting for Local Users and Groups to fine-tune who should have local admin privileges depending on the user, groups and/or computers.

                    • crustachio

                      You don't want them sharing a single login account -- think about auditing, credential management, etc. IMO a domain level group with local admin permissions is the way to go:

                      • Create a Workstation Admins group in AD and apply it to all domain PCs (not servers) using Group Policy
                        • Edit the policy's Computer Configuration to add the built-in Administrators permission to this group
                      • Add your privileged users who need local admin rights to that group, as well as any other group(s) necessary for secured remote access.
                        • If their access privileges change in the future you can easily remove them from the Workstation Admins group without needing to touch each PC's Local Users & Groups configuration.
                        • You could optionally create multiple Workstation Admin groups for different departments (WksAdmin_Sales, WksAdmin_HR) and apply them to the appropriate sub-OUs, so you don't give carte blanche access to all domain PCs for all privileged users.

                      Details on this setup: Manage Workstations Without Domain Admin Rights

                      As for the bigger picture question about least privileged account best practices, consider reviewing Microsoft's current best practices, called tiered administration.

                      In depth MS blog on the topic: Securing Privileged Access for the AD Admin – Part 1

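                      As an added example (not code from the thread or from any poster), the PowerShell below builds the per-department Workstation Admins groups crustachio describes with the ActiveDirectory module, then audits the local Administrators group on each workstation for members that are not one of those groups, which is the direct-user-account membership JaredBusch's reply warns against. The domain name, OU paths and department names are placeholders; it assumes RSAT on the admin workstation and WinRM reachable on the PCs.

```powershell
# Added example, not from the thread. Placeholders: CONTOSO domain, OU paths,
# department list. Requires RSAT (ActiveDirectory module) and WinRM on targets.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'                               # placeholder
$GroupsOU    = 'OU=Groups,DC=contoso,DC=com'           # placeholder
$WorkstnOU   = 'OU=Workstations,DC=contoso,DC=com'     # placeholder
$Departments = @('Sales', 'HR')                        # placeholder

# One global security group per department (WksAdmin_Sales, WksAdmin_HR).
# Each group is then granted local Administrators by a GPO linked to that
# department's sub-OU, so no single group covers every PC in the domain.
function New-WorkstationAdminGroups {
    foreach ($dept in $Departments) {
        $name = "WksAdmin_$dept"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                -GroupCategory Security -Path $GroupsOU `
                -Description "Local admin on $dept workstations via GPO"
        }
    }
}

# Audit: collect local Administrators membership from every workstation in
# the OU and return entries that are neither the built-in Administrator nor
# an approved WksAdmin_* group. A user's everyday AD account showing up here
# means that user can approve UAC prompts with their normal login.
function Get-UnexpectedLocalAdmins {
    $approved  = $Departments | ForEach-Object { "$Domain\WksAdmin_$_" }
    $computers = Get-ADComputer -Filter * -SearchBase $WorkstnOU |
        Select-Object -ExpandProperty Name

    # Runs remotely; the filter below runs locally on the returned rows.
    Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
    } | Where-Object {
        $_.Name -notin $approved -and
        -not ($_.ObjectClass -eq 'User' -and $_.Name -like '*\Administrator')
    }
}

New-WorkstationAdminGroups
Get-UnexpectedLocalAdmins | Format-Table Computer, Name, ObjectClass -AutoSize
```

                      Unreachable workstations are silently skipped by the audit, so compare the number of rows returned against the computer count before treating an empty result as clean.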
                      • JaredBusch @crustachio

                        @crustachio said in Least Privilege Accounts Setup:

                        You don't want them sharing a single login account -- think about auditing, credential management, etc.

                        While true, it is a simplification for the SMB with no on site IT staff.

                        @crustachio said in Least Privilege Accounts Setup:

                        IMO a domain level group with local admin permissions is the way to go:

                        But you never want the user's AD account in the local admin group, ever. Because that negates the protections and allows a user to simply click "Yes" to a UAC prompt.

                        You want them to be forced to use a different account so that they can never just click "Yes" to a prompt and grant admin rights. That is why I made the compromise of a single AD account for the SMB like I mentioned. Otherwise you are managing tens (or more) of duplicate accounts for local admin rights.

                        • Dashrender @black3dynamite

                          @black3dynamite said in Least Privilege Accounts Setup:


                          With the help of GPO Preferences, you could take advantage of Item-level targeting for Local Users and Groups to fine-tune who should have local admin privileges depending on the user, groups and/or computers.

                          This is what I do. Works like a champ.
