Best Practices

Detection & Defences

  • Do not allow Domain Admins (DAs) to log on to any machine other than the Domain Controllers, or at least restrict such logons as far as possible.

  • If logons to some servers are necessary, do not allow other administrators to log on to those machines.

    • Technical solutions are available to restrict DA logons to workstations. Note that a DA can revert such a restriction, so it must be covered by the organisation's change-management policy.
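The logon restriction above can also be checked from the Security log. The following PowerShell is an added example, not part of the original notes: it lists recent logon events (ID 4624) by recursive members of Domain Admins on hosts that are not Domain Controllers. It assumes the RSAT ActiveDirectory module, permission to read the remote Security logs, and the host names in $hosts, which are constructed placeholders.

```powershell
# Added example: find logons by Domain Admins on hosts other than Domain Controllers.
# Assumes the RSAT ActiveDirectory module and rights to read remote Security logs.
Import-Module ActiveDirectory

# Constructed placeholder host list; in practice feed this from AD or a CMDB.
$hosts = @('WKS01', 'SRV-FILE01')
$since = (Get-Date).AddDays(-7)

# Recursive membership so accounts nested via other groups are included.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# DA logons to Domain Controllers are expected and are skipped.
$dcNames = (Get-ADDomainController -Filter *).Name

# Logon types worth flagging: 2 interactive, 3 network, 10 remote interactive (RDP).
$flaggedTypes = @('2', '3', '10')

function Get-DALogon {
    param([string]$ComputerName)

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if (($domainAdmins -contains $data['TargetUserName']) -and
            ($flaggedTypes -contains $data['LogonType'])) {
            [pscustomobject]@{
                Host      = $ComputerName
                Time      = $e.TimeCreated
                Account   = $data['TargetUserName']
                LogonType = $data['LogonType']
                SourceIP  = $data['IpAddress']
            }
        }
    }
}

$hosts |
    Where-Object { $dcNames -notcontains $_ } |
    ForEach-Object { Get-DALogon -ComputerName $_ } |
    Format-Table -AutoSize
```

Any row in the output is a DA credential exposed on a non-DC host. Running this on a schedule, or feeding the same 4624 filter into a SIEM rule keyed on the Domain Admins membership list, gives an ongoing check that the restriction is actually holding.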

  • Never run a service with a DA.

    • Many credential-theft protections (Credential Guard, the Protected Users group, running LSASS as a protected process, etc.) are rendered useless for a service account.

    • For services, credentials are stored in LSA secrets, which these protections do not cover.
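Because a DA used as a service account ends up in LSA secrets on every host that runs the service, it is worth auditing for. The following PowerShell is an added example, not part of the original notes: it reports services and scheduled tasks on a set of hosts whose run-as account is a recursive member of Domain Admins. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the hosts, and the constructed placeholder names in $hosts.

```powershell
# Added example: audit services and scheduled tasks that run under a Domain Admin account.
# Assumes the RSAT ActiveDirectory module and CIM/WinRM access to the target hosts.
Import-Module ActiveDirectory

$hosts  = @('SRV-APP01', 'SRV-SQL01')          # constructed placeholder host list
$domain = Get-ADDomain
$domainNames = @($domain.NetBIOSName, $domain.DNSRoot)

$daSams = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Split a logon account into (domain, sam) for the DOMAIN\user and user@domain forms.
function Split-Account {
    param([string]$Account)
    if ([string]::IsNullOrEmpty($Account)) { return $null }
    if ($Account -match '^(?<dom>[^\\]+)\\(?<sam>.+)$') { return @($Matches.dom, $Matches.sam) }
    if ($Account -match '^(?<sam>[^@]+)@(?<dom>.+)$')   { return @($Matches.dom, $Matches.sam) }
    return @($null, $Account)    # bare name: no domain part, so not treated as a domain account
}

function Test-DAAccount {
    param([string]$Account)
    $parts = Split-Account $Account
    if (-not $parts) { return $false }
    # Require a domain-qualified name so local accounts with the same name are not flagged.
    return ($domainNames -contains $parts[0]) -and ($daSams -contains $parts[1])
}

function Get-DAServiceUsage {
    param([string]$ComputerName)

    # Services: StartName is the logon account (LocalSystem, NT AUTHORITY\..., or DOMAIN\user).
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { Test-DAAccount $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Host = $ComputerName; Kind = 'Service'; Name = $_.Name; Account = $_.StartName }
        }

    # Scheduled tasks: Principal.UserId is the run-as account.
    $session = New-CimSession -ComputerName $ComputerName
    try {
        Get-ScheduledTask -CimSession $session |
            Where-Object { Test-DAAccount $_.Principal.UserId } |
            ForEach-Object {
                [pscustomobject]@{ Host = $ComputerName; Kind = 'Task'; Name = $_.TaskName; Account = $_.Principal.UserId }
            }
    } finally {
        Remove-CimSession $session
    }
}

$hosts | ForEach-Object { Get-DAServiceUsage -ComputerName $_ } | Format-Table -AutoSize
```

One caveat: scheduled tasks sometimes record only the bare user name in Principal.UserId, and this script deliberately ignores unqualified names to avoid flagging local accounts; if your tasks are created that way, compare the bare name against $daSams as well and review the hits by hand. Every hit is a host where a DA password sits in LSA secrets and should be moved to a dedicated, least-privilege service account or a group Managed Service Account.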

  • Provide temporary DA privileges only when required.

    • Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
      (time-bound membership requires the Privileged Access Management optional feature to be enabled in the forest; see Enable-ADOptionalFeature)
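The following PowerShell is an added example, not part of the original notes: it wraps the time-bound membership command above with a check that the Privileged Access Management (PAM) optional feature is enabled and then reads back the remaining TTL of every temporary member. It assumes the RSAT ActiveDirectory module and rights to modify Domain Admins; 'newDA' is the placeholder account name from the notes.

```powershell
# Added example: time-bound Domain Admins membership via the Privileged Access Management
# (PAM) optional feature, with a feature check and a TTL read-back.
# Assumes the RSAT ActiveDirectory module and rights to modify Domain Admins; 'newDA' is
# the placeholder account name from the notes.
Import-Module ActiveDirectory

$groupName = 'Domain Admins'
$member    = 'newDA'
$ttl       = New-TimeSpan -Minutes 20

# -MemberTimeToLive only works once the PAM optional feature is enabled in the forest.
# Enabling it is a one-way change (Enable-ADOptionalFeature ... -Scope ForestOrConfigurationSet),
# so this script only checks and stops rather than enabling it for you.
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam -or -not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled in this forest.'
}

Add-ADGroupMember -Identity $groupName -Members $member -MemberTimeToLive $ttl

# With -ShowMemberTimeToLive, temporary members are returned as <TTL=seconds,DN>.
function Get-ExpiringMembers {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(?<sec>\d+),(?<dn>.+)>$') {
            [pscustomobject]@{
                Member      = $Matches.dn
                MinutesLeft = [math]::Round([int]$Matches.sec / 60, 1)
            }
        }
    }
}

Get-ExpiringMembers -Group $groupName | Format-Table -AutoSize
```

Once the TTL expires the Domain Controller removes the membership on its own, with no clean-up job to forget. With the PAM feature enabled the Kerberos ticket lifetime for that account is also capped to the remaining TTL, so the privilege really does end when the timer does rather than living on in an already-issued ticket.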
