Best Practices
Detection & Defences
Do not allow Domain Admins (DAs) to log on to any machine other than the Domain Controllers, or at least limit such logons as far as possible.
If logons to some servers are necessary, do not allow other administrators to log on to those machines, so that a DA credential is never exposed on a host shared with lower-privileged admins.
Technical solutions available: deny DA logons to workstations through Group Policy. A DA can change this back, subject to the organisation's change management policy.
Never run a service with a DA.
Many credential theft protections (Credential Guard, the Protected Users group, running LSASS as a protected process, etc.) are rendered useless in the case of a service account.
For services, credentials are stored as LSA secrets, which these solutions do not protect.
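An added audit script, not part of the original page, covering both points above: it resolves the (nested) membership of Domain Admins, then reports on a given host any logon events of those accounts that leave reusable credentials behind, and any Windows services configured to run under one of them. It assumes the RSAT ActiveDirectory module, a domain-joined admin workstation with rights to read the remote Security log and WMI/CIM on the target; the function names and the $ComputerName/$Days parameters are my own.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory RSAT module,
# a domain-joined host and rights to read the target's Security log and CIM namespace.
Import-Module ActiveDirectory

function Get-DomainAdminSamNames {
    # Nested membership matters: a user in a group nested under Domain Admins is still a DA.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }
}

function ConvertTo-SamName {
    # Normalise 'DOMAIN\user', 'user@domain' or 'user' to the bare SAM account name
    param([string]$Account)
    if ($Account -match '^[^\\]+\\(.+)$') { return $Matches[1] }
    if ($Account -match '^([^@]+)@')     { return $Matches[1] }
    return $Account
}

function Find-DomainAdminLogons {
    # Successful logons (event 4624) of DA accounts on a non-DC host in the last $Days days.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Days = 7)
    $admins = Get-DomainAdminSamNames
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Domain    = $data.TargetDomainName
                User      = $data.TargetUserName
                LogonType = [int]$data.LogonType
            }
        } |
        # Logon types 2 (interactive), 4 (batch), 5 (service), 10 (RDP) and 11 (cached)
        # all leave credential material in LSASS or LSA secrets on the host.
        Where-Object { $_.LogonType -in 2,4,5,10,11 -and $admins -contains $_.User }
}

function Find-DomainAdminServices {
    # Services whose logon account is a Domain Admin: their password sits in LSA secrets.
    param([Parameter(Mandatory)][string]$ComputerName)
    $admins = Get-DomainAdminSamNames
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and ($admins -contains (ConvertTo-SamName $_.StartName)) } |
        Select-Object SystemName, Name, StartName, StartMode, State
}

# Usage (hypothetical host name):
# Find-DomainAdminLogons -ComputerName 'SRV01' -Days 30 | Format-Table
# Find-DomainAdminServices -ComputerName 'SRV01'  | Format-Table
```

Run it against member servers and workstations rather than the DCs: any hit from Find-DomainAdminServices is a standing DA credential stored in LSA secrets, and a hit from Find-DomainAdminLogons shows where the logon-restriction GPO is not yet applied or is being bypassed.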
Provide temporary DA privileges on demand, with an expiring group membership, instead of permanent membership.
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
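An added example, not part of the original page, wrapping the command above: time-bound membership only works when the Privileged Access Management optional feature is enabled (forest functional level Windows Server 2016 or later; enabling it cannot be undone), so the script checks that first, grants the membership and then lists the remaining TTL of every expiring member. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the function names and the $User/$Minutes parameters are my own.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory RSAT module,
# forest functional level 2016+ and rights to modify Domain Admins.
Import-Module ActiveDirectory

function Test-PamFeatureEnabled {
    # -MemberTimeToLive depends on this optional feature; enabling it is a one-way change.
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Get-TemporaryDomainAdmins {
    # With -ShowMemberTimeToLive, expiring members come back as '<TTL=<seconds>,<DN>>'.
    $group = Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive
    $group.member |
        Where-Object { $_ -like '<TTL=*' } |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{
                    Member           = $Matches[2]
                    SecondsRemaining = [int]$Matches[1]
                    ExpiresAt        = (Get-Date).AddSeconds([int]$Matches[1])
                }
            }
        }
}

function Grant-TemporaryDomainAdmin {
    param(
        [Parameter(Mandatory)][string]$User,   # sAMAccountName of the account to elevate
        [int]$Minutes = 20                     # how long the membership should last
    )
    if (-not (Test-PamFeatureEnabled)) {
        throw 'Privileged Access Management Feature is not enabled; time-bound membership is unavailable.'
    }
    Add-ADGroupMember -Identity 'Domain Admins' -Members $User `
        -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
    # Return the current expiring members so the grant and its TTL are visible immediately.
    Get-TemporaryDomainAdmins
}

# Usage (hypothetical account name):
# Grant-TemporaryDomainAdmin -User 'newDA' -Minutes 20 | Format-Table
```

Because the TTL lives on the group membership itself (and on the Kerberos ticket lifetime, which the DC shortens to match), the account drops out of Domain Admins without any scheduled cleanup; Get-TemporaryDomainAdmins is also a convenient periodic check that nobody has been given a standing, non-expiring membership by mistake.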