Detection & Defences

• Do not allow or limit login of DAs to any other machine other than the Domain Controllers.

• If logins to some servers is necessary, do not allow other administrators to login to that machine.

  • Technical solutions available: Limit DA logons to workstations. D.A can change it back depending on organisations Change Mgmt Policy.

• Never run a service with a DA.

  • Many credential theft protections[Credential Guard,Protected Users Group, running LSASS as Protected process etc.] are rendered useless in case of a service account.

  • For services, credentials are stored in LSA secrets, which aren't looked after by these solutions.

• Providing Temporary DA privileges based on requirement.

  • Add-ADGroupMember-Identity‘Domain Admins’-MembersnewDA-MemberTimeToLive(New-TimeSpan-Minutes20)