
    Least Privilege Accounts Setup

    IT Discussion
    Tags: security, active directory
    • zachary715

      I came into my current role a few years back after being under a supervisor who did things... less than best practice. I fixed a lot of the things I knew he had done wrong and have tried to go beyond that, but one thing I can't get my head around is using Least Privilege accounts and Service Accounts effectively.

      So out of about 45 users I oversee, probably 10-15 are local admins on their machines. I've slowly been dwindling this down, but I do still have issues with higher-ups who may need some admin access for software or otherwise from time to time where I'm not always available to provide a password.

      Question: How do YOU go about implementing Least Privilege accounts in a Windows AD environment? Especially for a user who may need admin access from time to time, and therefore you want them to have it for when they need it.

      On I believe a similar note, when we install server software and it asks for service credentials, I've always used administrator in the past out of ignorance. I understand now that this is inaccurate, but how should I resolve this? For example, our backup software runs as admin. Do I create a new "backupuser" with a strong password and change all the services to point to it? What permissions within AD do I then give it to have the necessary access rights?

      Hopefully I'm being clear here and some of you can enlighten me.

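As an added example (not code from the thread or from any participant), this is how a practitioner would carry out the "backupuser" change asked about above in PowerShell: a dedicated AD account with a random password, no group membership beyond Domain Users, an explicit ACL on the one resource the service touches, and the service repointed at the new account. Every name (svc-backup, BackupService, BACKUP01, the OU and share paths) is a placeholder, and it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.

```powershell
# Added example, not from the thread. Moves a Windows service off the
# built-in Administrator account onto a dedicated, minimally privileged
# AD account. Every name below is a placeholder: adjust to your domain.
#Requires -Modules ActiveDirectory

$svcName    = 'BackupService'                          # placeholder service name
$svcAccount = 'svc-backup'                             # placeholder sAMAccountName
$server     = 'BACKUP01'                               # placeholder host running the service
$repoPath   = '\\FILESRV\Backups'                      # placeholder: the one share it must write to
$ouPath     = 'OU=ServiceAccounts,DC=corp,DC=example'  # placeholder OU
$domainNb   = (Get-ADDomain).NetBIOSName

# 1. Random 256-bit password from the OS CSPRNG. Nobody needs to know it;
#    it is only ever written into the service configuration below.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = [Convert]::ToBase64String($bytes)
$password = ConvertTo-SecureString -String $plain -AsPlainText -Force

New-ADUser -Name $svcAccount -SamAccountName $svcAccount -Path $ouPath `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "Service account: $svcName on $server. Not for interactive use."

# 2. Least privilege in AD: nothing beyond the default Domain Users membership.
#    (The Administrator account being replaced is typically in Domain Admins.)
$extra = Get-ADPrincipalGroupMembership -Identity $svcAccount |
    Where-Object { $_.Name -ne 'Domain Users' }
if ($extra) { throw "Unexpected group membership: $($extra.Name -join ', ')" }

# 3. Grant only what the service touches: Modify on the backup repository,
#    nothing on the rest of the file server.
$acl  = Get-Acl -Path $repoPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domainNb\$svcAccount", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $repoPath -AclObject $acl

# 4. Repoint the service. Win32_Service.Change works on Windows PowerShell 5.1,
#    which has no Set-Service -Credential. ReturnValue 0 means success.
$svc = Get-CimInstance -ClassName Win32_Service -ComputerName $server -Filter "Name='$svcName'"
$r   = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = "$domainNb\$svcAccount"
    StartPassword = $plain
}
if ($r.ReturnValue -ne 0) { throw "Service reconfiguration failed, code $($r.ReturnValue)" }
Remove-Variable plain, bytes   # do not leave the secret lying around in the session

# 5. The account must hold "Log on as a service" on $server. The Services MMC
#    grants that right when you change the account there; a scripted change may
#    not, so assign it (and "Deny log on locally") through Group Policy
#    User Rights Assignment, then restart and confirm the running identity.
Invoke-Command -ComputerName $server -ScriptBlock {
    Restart-Service -Name $using:svcName
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$using:svcName'").StartName
}
```

If the backup product supports it, a group managed service account (New-ADServiceAccount, then Install-ADServiceAccount on the host, with the service running as DOMAIN\svc-backup$ and a blank password) removes step 1 entirely, because the domain controllers generate and rotate the password and no human ever handles it. The rest of the procedure, in particular the ACL scoping and the check that the account is in no admin groups, is the same.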
    • zachary715

        One example: I'm currently working on a "remote" user in AD for when our plant manager and VP want to log in remotely for various purposes such as accessing the intranet, accessing file shares, or viewing some console stations.

        When accessing something like file shares, do you just give that "remote" user the minimal access for all the things they need to see while logging in remotely, or is there some way to have a mapped drive or network share shortcut prompt for credentials every time you want to access the share?

        What I have set up is the Windows login user is "remote" with standard access privileges. I have then gone into Computer Management and added these two managers' AD accounts to the local Administrators group so that if they need to escalate for whatever reason, they can enter their credentials and do so.

        How would you do this differently?

    • dafyre @zachary715

          @zachary715 said in Least Privilege Accounts Setup:

          One example: I'm currently working on a "remote" user in AD for when our plant manager and VP want to log in remotely for various purposes such as accessing the intranet, accessing file shares, or viewing some console stations.

          When accessing something like file shares, do you just give that "remote" user the minimal access for all the things they need to see while logging in remotely, or is there some way to have a mapped drive or network share shortcut prompt for credentials every time you want to access the share?

          If they are working remotely, why not just have them sign in as themselves? Seems like having a "remote" user is overkill.

    • dafyre @zachary715

            @zachary715 said in Least Privilege Accounts Setup:

            Question: How do YOU go about implementing Least Privilege accounts with Windows AD environment? Especially for a user who may need admin access from time to time therefore you want them to have it for when they need it.

            For this, you could have them use their every day AD account as usual. If they need to escalate or run as admin, you could let them use normaluser_admin or something like that to escalate. Obviously, I wouldn't do that for all users.

    • black3dynamite

              It's easier to manage access to file shares using role-based access control.

              Try to avoid adding the user directly on the shares permissions or NTFS permissions. Use groups for that.

    • zachary715 @dafyre

                @dafyre said in Least Privilege Accounts Setup:

                If they are working remotely, why not just have them sign in as themselves? Seems like having a "remote" user is overkill.

                We've had this setup just for simplicity, but I see what you're saying. Even if I had them sign in individually though, how would you go about their access privileges? Create a local admin account on the machine that they can use for escalation when necessary? What sort of risks am I running into there?

    • zachary715 @black3dynamite

                  @black3dynamite said in Least Privilege Accounts Setup:

                  It's easier to manage access to file shares using role-based access control.

                  Try to avoid adding the user directly on the shares permissions or NTFS permissions. Use groups for that.

                  Yes I do this as much as possible already.

    • black3dynamite @zachary715

                    @zachary715 said in Least Privilege Accounts Setup:

                    We've had this setup just for simplicity, but I see what you're saying. Even if I had them sign in individually though, how would you go about their access privileges? Create a local admin account on the machine that they can use for escalation when necessary? What sort of risks am I running into there?

                    I sometimes have to add the AD user to the local Administrators group on their local computer. But giving a user local administrator rights would encourage installing random applications and modifying services or access to local folders/files that require admin rights.

    • dafyre @zachary715

                      @zachary715 said in Least Privilege Accounts Setup:

                      We've had this setup just for simplicity, but I see what you're saying. Even if I had them sign in individually though, how would you go about their access privileges? Create a local admin account on the machine that they can use for escalation when necessary? What sort of risks am I running into there?

                      The same risks that you take when letting them run as a local admin already. This just adds an extra step for them to take before installing or uninstalling software.

    • JaredBusch

                        I create an AD account specifically for local admin rights.

                        This account information is usually given to department managers.
                        So if software or something needs installed, and they choose not to contact me, they can.

                        They are also warned that fixing something will be billed...

    • zachary715 @JaredBusch

                          @jaredbusch said in Least Privilege Accounts Setup:

                          I create an AD account specifically for local admin rights.

                          This account information is usually given to department managers.
                          So if software or something needs installed, and they choose not to contact me, they can.

                          They are also warned that fixing something will be billed...

                          So you have one AD account set up that multiple department managers use when they need something that requires admin privileges? And then what, you give that account local admin rights on each machine, or give it some sort of admin authority within the domain itself?

    • JaredBusch @zachary715

                            @zachary715 said in Least Privilege Accounts Setup:

                            So you have one AD account set up that multiple department managers use when they need something that requires admin privileges? And then what, you give that account local admin rights on each machine, or give it some sort of admin authority within the domain itself?

                            That account gets local admin rights only. No other access.

    • JaredBusch

                              @jaredbusch said in Least Privilege Accounts Setup:

                              That account gets local admin rights only. No other access.

                              If I was an on-site IT department, I would probably do it a bit differently. I would have time to experiment and set up better methods.

    • zachary715 @JaredBusch

                                @jaredbusch said in Least Privilege Accounts Setup:

                                That account gets local admin rights only. No other access.

                                If I was an on-site IT department, I would probably do it a bit differently. I would have time to experiment and set up better methods.

                                Yeah this is what I'm going through now and why I'm coming to the community to get input. Trying to think through this carefully and make sure I do it right and the way I want it done the first time.

    • black3dynamite @zachary715

                                  @zachary715 said in Least Privilege Accounts Setup:

                                  Yeah this is what I'm going through now and why I'm coming to the community to get input. Trying to think through this carefully and make sure I do it right and the way I want it done the first time.

                                  With the help of GPO Preferences, you could take advantage of using Item-level targeting for Local Users and Groups to fine tune who should have local admin privileges depending on the user, groups and/or computers.

    • crustachio

                                    You don't want them sharing a single login account -- think about auditing, credential management, etc. IMO a domain level group with local admin permissions is the way to go:

                                    • Create a Workstation Admins group in AD and apply it to all domain PCs (not servers) using Group Policy
                                      • Edit the policy's Computer Configuration to add the Administrators (Built In) permission to this group
                                    • Add your privileged users who need local admin rights to that group, as well as any other group(s) necessary for secured remote access.
                                      • If their access privileges change in the future you can easily remove them from the Workstation Admins group without needing to touch each PC's Local Users & Groups configuration.
                                      • You could optionally create multiple Workstation Admin groups for different departments (WksAdmin_Sales, WksAdmin_HR) and apply them to the appropriate sub-OUs, so you don't give carte blanche access to all domain PCs for all privileged users.

                                    Details on this setup: Manage Workstations Without Domain Admin Rights

                                    As for the bigger picture question about least privileged account best practices, consider reviewing Microsoft's current best practices, called tiered administration.

                                    In depth MS blog on the topic: Securing Privileged Access for the AD Admin – Part 1

    • JaredBusch @crustachio

                                      @crustachio said in Least Privilege Accounts Setup:

                                      You don't want them sharing a single login account -- think about auditing, credential management, etc.

                                      While true, it is a simplification for the SMB with no on site IT staff.

                                      @crustachio said in Least Privilege Accounts Setup:

                                      IMO a domain level group with local admin permissions is the way to go:

                                      But you never want the user's AD account in the local admin group, ever. Because that negates the protections and allows a user to simply click "Yes" to a UAC prompt.

                                      You want them to be forced to use a different account so that they can never just click "Yes" to a prompt and grant admin rights. That is why I made the compromise of a single AD account for the SMB like I mentioned. Otherwise you are managing tens (or more) of duplicate accounts for local admin rights.

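Whichever of the two designs above is chosen (a domain "Workstation Admins" group pushed out by Group Policy, or a single dedicated local-admin account), the thing to verify afterwards is what the local Administrators group on each workstation actually contains, and in particular whether any everyday user account is in it, since that is exactly the case JaredBusch warns about: the user approves the UAC prompt as themselves and is admin with one click. The audit script below is an added example, not code from the thread or any participant. It assumes the RSAT ActiveDirectory module, WinRM reachability to the workstations, a placeholder approved group named WksAdmins, a placeholder OU, and the naming convention that separate admin accounts end in _admin.

```powershell
# Added example, not from the thread. Enumerates the local Administrators group
# on every enabled workstation in an OU and flags members outside the approved
# model. Placeholders: WksAdmins, the OU path, and the "_admin" suffix convention.
#Requires -Modules ActiveDirectory

$approvedGroups = @('WksAdmins', 'Domain Admins')          # placeholder names
$adminSuffix    = '_admin'                                  # placeholder convention
$ouPath         = 'OU=Workstations,DC=corp,DC=example'      # placeholder OU

$computers = Get-ADComputer -SearchBase $ouPath -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

# Collect membership remotely. Get-LocalGroupMember ships with Windows 10 /
# Server 2016 and later; it can throw on an orphaned SID in the group, which
# is itself worth a look, so those errors are not hidden inside the script block.
$findings = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name              # e.g. CORP\WksAdmins, CORP\jsmith, PC01\Administrator
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

# Hosts that did not answer are a blind spot, not a pass.
$reached = $findings | Select-Object -ExpandProperty PSComputerName -Unique
$missing = $computers | Where-Object { $_ -notin $reached }
if ($missing) { Write-Warning "Not audited (unreachable): $($missing -join ', ')" }

# Classify each member. Only the approved groups are "OK"; everything else
# gets a verdict a human can act on.
$report = $findings | ForEach-Object {
    $short = $_.Member -replace '^.*\\', ''
    $verdict =
        if ($_.Source -ne 'ActiveDirectory') {
            'local account (only the built-in Administrator is expected here)'
        } elseif ($_.ObjectClass -eq 'Group' -and $short -in $approvedGroups) {
            'OK'
        } elseif ($_.ObjectClass -eq 'Group') {
            'unapproved group'
        } elseif ($short -like "*$adminSuffix") {
            'separate admin account: confirm it is still needed'
        } else {
            'everyday user account is local admin: remove, one click on UAC grants admin'
        }
    $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

$report | Where-Object Verdict -ne 'OK' | Sort-Object Computer, Member |
    Format-Table Computer, Member, ObjectClass, Verdict -AutoSize
```

Run it before the cleanup to get the real count (the "10-15 local admins" figure in the opening post is the kind of number this produces), and again after the GPO has applied; the post-change run should list nothing but the approved group and the built-in local Administrator. If the dedicated local-admin account approach is used instead, add its name to the approved list so it is not flagged as a separate admin account.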
    • Dashrender @black3dynamite

                                        @black3dynamite said in Least Privilege Accounts Setup:

                                        With the help of GPO Preferences, you could take advantage of using Item-level targeting for Local Users and Groups to fine tune who should have local admin privileges depending on the user, groups and/or computers.

                                        This is what I do. Works like a champ.
