Reducing the Attack Surface of the Administrator Account
I have seen a new trend coming to the corporate network. Network administrators want to limit what the "Administrator" accounts can do in the environment: not only the Administrator accounts in Active Directory, but those that reside on desktops and servers throughout the enterprise. There are plenty of configurations that can be made to help protect and limit the Administrator accounts. However, it is important to understand what can be done, what the configurations mean, and what cannot be done when it comes to the Administrator accounts throughout your organization. Here, we will answer all of these questions so that you can make the appropriate configurations and know what exposures you might still be leaving open.
Where are the Administrator Accounts?
Before we can start to limit the Administrator accounts on your network, it is important to understand where they are and what privileges they have. We will first look at the desktops and servers in your organization. Every Windows computer has a local Administrator account created at installation. It is the highest-privilege account on each of these computers, and it is identified by its well-known relative ID (RID 500) rather than by its name, so renaming it does not change what it is. The Administrator account is a member of the local Administrators group, which grants it complete control over that computer.
There are also Administrator accounts configured in Active Directory. The first domain that is configured in your Active Directory forest (the forest root domain) has a special Administrator account. The reason it is special is the groups it belongs to. This initial Administrator account is a member of the following key security groups: Enterprise Admins, Schema Admins, Domain Admins, and Administrators.
The forest root domain contains both the Enterprise Admins and Schema Admins groups; subsequent domains in the forest do not. The Administrator account in each additional domain is a member of that domain's Domain Admins and Administrators groups only.
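The inventory described above, as an added PowerShell example that is not part of the original article: it locates the built-in Administrator account on the local machine and in every domain of the forest by its RID 500 (so a renamed account is still found) and reports which of the privileged groups each one belongs to. It assumes a domain-joined host with the RSAT ActiveDirectory module installed and a caller with read access to every domain.

```powershell
# Added example, not from the article. Finds built-in Administrator accounts
# by SID suffix -500 instead of by name, then lists their privileged groups.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read rights to the
# forest. Well-known RIDs used below: 512 Domain Admins, 518 Schema Admins,
# 519 Enterprise Admins; S-1-5-32-544 is BUILTIN\Administrators.

# --- Local built-in Administrator on this computer ---
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$localAdminGroups = Get-LocalGroup | Where-Object {
    $members = Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue
    $members.SID.Value -contains $localAdmin.SID.Value
}
[pscustomobject]@{
    Scope            = 'Local'
    Account          = $localAdmin.Name           # may have been renamed
    Enabled          = $localAdmin.Enabled
    PasswordLastSet  = $localAdmin.PasswordLastSet
    PrivilegedGroups = ($localAdminGroups.Name -join ', ')
}

# --- Domain built-in Administrator in every domain of the forest ---
Import-Module ActiveDirectory
$forest = Get-ADForest
foreach ($domainName in $forest.Domains) {
    $domain   = Get-ADDomain -Identity $domainName
    $adminSid = "$($domain.DomainSID.Value)-500"
    $admin    = Get-ADUser -Identity $adminSid -Server $domainName -Properties PasswordLastSet
    $groups   = Get-ADPrincipalGroupMembership -Identity $admin -Server $domainName

    # Schema Admins and Enterprise Admins exist only in the forest root domain,
    # which is why the root domain's Administrator is the "special" one.
    $privilegedSids = @("$($domain.DomainSID.Value)-512", 'S-1-5-32-544')
    if ($domainName -eq $forest.RootDomain) {
        $privilegedSids += "$($domain.DomainSID.Value)-518", "$($domain.DomainSID.Value)-519"
    }
    $privilegedGroups = $groups | Where-Object { $privilegedSids -contains $_.SID.Value }

    [pscustomobject]@{
        Scope            = $domainName
        Account          = $admin.SamAccountName  # may have been renamed
        Enabled          = $admin.Enabled
        PasswordLastSet  = $admin.PasswordLastSet
        PrivilegedGroups = ($privilegedGroups.Name -join ', ')
    }
}
```

Run it once from a management workstation and keep the output: the Account column tells you whether anyone has renamed the account, and an empty PrivilegedGroups column for a domain is itself a finding worth investigating.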
What the Administrators Can Do
Now that we know where these Administrator accounts reside, what can they do? The local Administrator accounts have full control over every aspect of the computer on which they are located. This means they can modify any resource on that computer, including services, accounts, resources, applications, and all files stored on the computer.
The Administrator accounts in Active Directory have the same power, plus much more. Since these accounts have control at the domain level or higher, they not only control services, accounts, resources, applications, and files on the domain controllers, but on ANY computer in their respective domain; Domain Admins is placed in the local Administrators group of every domain-joined computer. The Administrator in the forest root domain has this power over every computer in the entire forest, because Enterprise Admins is granted the same membership in every domain. Yes, Enterprise Admins has control over every aspect of the forest.
Controlling the Administrator Accounts
As you can see, the Administrator accounts have a lot of power. So much power that you need to protect the account. You have many options to help reduce the risk of the Administrator account being compromised or attacked. These suggestions might seem like extra work, inefficient methods, or concepts that make you less productive. When considering any security concept, you will have these battles. Security is not easy, nor is it efficient. If it were, we would have ultra-secure systems already. With that rambling out of the way, what options do you have to protect these Administrator accounts in your environment?
First, do not use the built-in Administrator accounts for day-to-day work. These accounts should only be used to establish the environment initially, after which you place a "normal user account" into the Administrators group or one of the various Admins groups. This accomplishes the same result without needing to use the "true Administrator account," and it gives you an audit trail that names a person rather than a shared account.
Second, do not use the "normal user account" that was placed in the Administrators or Admins groups for routine and standard user tasks. Checking email, writing memos, documentation, etc. should be done with a standard user account, not an admin-type account. This requires dual accounts for administrators. An alternative is to run Windows Vista with User Account Control (UAC) enabled, so the administrator works with a standard-user token and elevates only for the task at hand. UAC reduces the exposure, but it is not a security boundary and does not replace separate accounts for domain-level administration.
Third, disable the Administrator account. Yes, it is possible to disable the Administrator account; this became possible with Windows XP and Windows Server 2003. It is a setting in a Group Policy Object (Security Options, "Accounts: Administrator account status"), as shown in Figure 1.
Figure 1: Within a Group Policy Object, you can disable any Administrator account
I will give you a few warnings before you disable this account. First, make sure you create another "Admin" account before you disable this one. If you do not, you will lock yourself out of the system with no way to create another administrator-type account. Second, consider what this will do to your disaster recovery plans. Without the Administrator account you might not be able to gain access to certain files, services, and disaster recovery tools (e.g., Active Directory recovery). Note also that a disabled local Administrator account can still be used to log on in Safe Mode, so disabling it does not remove the need for a strong password on it.
Fourth, establish Active Directory and Group Policy delegation instead of just throwing user accounts into the Domain Admins group. In most instances, you can use the delegation tools and techniques to give administrators control over exactly the parts of Active Directory and Group Policy they need. Figures 2 and 3 show the interfaces for both areas of delegated control.
Figure 2: Active Directory delegation
Figure 3: Group Policy delegation
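The delegation in Figures 2 and 3 done from PowerShell, as an added example that is not part of the original article. It grants one group the "Reset Password" extended right on user objects under a single OU, and another group edit rights on a single GPO, then reads both back. The OU path, GPO name and group names are assumptions for illustration; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a caller allowed to change permissions on the OU and GPO.

```powershell
# Added example, not from the article. Delegates narrow rights instead of
# Domain Admins membership. Assumed names: OU=Workstations,DC=corp,DC=example,
# groups "Helpdesk" and "GPO-Editors", GPO "Workstation Baseline".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou          = 'OU=Workstations,DC=corp,DC=example'
$helpdeskSid = (Get-ADGroup -Identity 'Helpdesk').SID

# 1) Active Directory delegation (Figure 2 equivalent).
#    Well-known GUIDs: the "Reset Password" extended right, and the "user"
#    object class so the right applies only to user objects below the OU.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path "AD:\$ou"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 2) Group Policy delegation (Figure 3 equivalent). GpoEdit allows editing
#    settings but not changing the GPO's security or deleting it.
Set-GPPermission -Name 'Workstation Baseline' -TargetName 'GPO-Editors' `
    -TargetType Group -PermissionLevel GpoEdit

# 3) Verify exactly what was granted; nothing here should say GenericAll.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
Get-GPPermission -Name 'Workstation Baseline' -All |
    Select-Object Trustee, Permission
```

The verification step matters as much as the grant: the Delegation of Control wizard and ad hoc ACL edits both accumulate over time, and an ACE that reads GenericAll on an OU is a Domain Admins equivalent hiding under another name.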
Fifth, enable auditing on resources where administrators do not have access and should not grant themselves access. Auditing will not stop an administrator from taking ownership of a file or adding themselves to its permissions, but it records the attempt, which is what protects assets where administrators should not have direct access. This is an excellent solution for files related to HR, finance, executives, corporate stock, etc. Remember what we discussed earlier regarding the various Administrator accounts and their access: the fact that an Administrator is not listed on a resource does not mean they cannot add themselves! You can enable auditing on any computer using Group Policy, as shown in Figure 4.
Figure 4: Auditing can track access for Administrators
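The auditing setup in Figure 4, carried through to a specific folder and to the events it produces, as an added PowerShell example that is not part of the original article. It turns on file-system object-access auditing (auditpol does locally what the Group Policy setting does centrally), attaches a SACL that logs any access by the local Administrators group and any ownership or permission change by anyone, and then pulls the resulting events. The folder path is an assumption; it must be run elevated because writing a SACL requires the Manage auditing and security log privilege.

```powershell
# Added example, not from the article. Audits Administrator access to a
# sensitive folder. Assumed path: D:\HR-Confidential. Run elevated.

# Step 1: enable the File System subcategory of Object Access auditing
#         (the same setting lives under Advanced Audit Policy Configuration
#         in a GPO, which is how you would do it across the enterprise).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: SACL on the folder. S-1-5-32-544 = BUILTIN\Administrators,
#         S-1-1-0 = Everyone.
$path     = 'D:\HR-Confidential'
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$both     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Any access at all by an administrator is logged, success or failure.
$adminRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $admins, [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit, $noProp, $both)
# Anyone changing the ACL or taking ownership is logged: this is the
# "administrator adds themselves" case the article warns about.
$ownerRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions',
    $inherit, $noProp, $both)

$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($adminRule)
$acl.AddAuditRule($ownerRule)
Set-Acl -Path $path -AclObject $acl

# Step 3: review. 4663 = an attempt was made to access an object;
#         4670 = permissions on an object were changed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Forward these events to a log collector that the administrators being audited cannot clear; an audit trail that the audited party controls is the same as no audit trail.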
Sixth, the Administrator accounts and all user accounts configured with Administrator privileges need complex and lengthy passwords. These passwords also need to be changed regularly. Non-expiring passwords are not an option for administrator-type accounts.
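Tips three and six above combined into one check-then-act script, as an added PowerShell example that is not part of the original article. It builds the list of enabled members of the privileged groups, refuses to disable the built-in Administrator unless another enabled privileged account exists (the first warning under tip three), disables it with -WhatIf so the change is visible before it is made, and then flags admin-type accounts whose passwords never expire or are older than a threshold. It assumes the RSAT ActiveDirectory module and a caller with rights to modify the accounts; the 90-day threshold is an assumption.

```powershell
# Added example, not from the article. Safely disable the domain's built-in
# Administrator and sweep privileged accounts for weak password settings.
# Assumes RSAT ActiveDirectory module; 90-day maximum age is an assumption.
Import-Module ActiveDirectory

$domainSid      = (Get-ADDomain).DomainSID.Value
$builtinAdmin   = Get-ADUser -Identity "$domainSid-500"
$maxPasswordAge = 90

# Privileged groups present in this domain. RIDs: 512 Domain Admins,
# 518 Schema Admins, 519 Enterprise Admins (the last two exist only in the
# forest root); S-1-5-32-544 is BUILTIN\Administrators.
$groupSids = @("$domainSid-512", 'S-1-5-32-544')
foreach ($rid in 518, 519) {
    if (Get-ADGroup -Identity "$domainSid-$rid" -ErrorAction SilentlyContinue) {
        $groupSids += "$domainSid-$rid"
    }
}

# Recursive membership, users only, de-duplicated by SID.
$privileged = foreach ($sid in $groupSids) {
    Get-ADGroupMember -Identity $sid -Recursive | Where-Object objectClass -eq 'user'
}
$privileged = $privileged | Sort-Object { $_.SID.Value } -Unique |
    Get-ADUser -Properties Enabled, PasswordNeverExpires, PasswordLastSet

# Tip three, warning one: another enabled admin must exist first.
$alternates = $privileged | Where-Object {
    $_.Enabled -and $_.SID.Value -ne $builtinAdmin.SID.Value
}
if (-not $alternates) {
    throw "No other enabled privileged account exists; create one before disabling $($builtinAdmin.SamAccountName)."
}
"Alternate admin accounts: $($alternates.SamAccountName -join ', ')"

# Tip three itself. Drop -WhatIf once the recovery plan (warning two) has
# been reviewed and a break-glass procedure is documented.
Disable-ADAccount -Identity $builtinAdmin -WhatIf

# Tip six: non-expiring or stale passwords on admin-type accounts.
$cutoff = (Get-Date).AddDays(-$maxPasswordAge)
$privileged |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet

# Remediate the flag; the password itself still has to be changed by a human.
$privileged | Where-Object PasswordNeverExpires |
    Set-ADUser -PasswordNeverExpires $false -WhatIf
```

Schedule the password sweep; the one-time disable is easy to get right, but privileged group membership and the PasswordNeverExpires flag drift back over time as people "temporarily" fix something.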
Finally, the last tip is not really a configuration or setting. It is the simple fact that you need to protect the company and the company assets at all cost. If you have a bad feeling about an administrator or someone that has Administrator privileges, you must fire them. It is a harsh reality, but if someone cannot be trusted, they must be removed from the environment!
The Administrator accounts and associated Admin groups are very powerful within a Windows environment. These accounts have more power than you might think. You must protect your environment, which means you must gain control over these accounts. You need to take every precaution to protect them, including some options that are not efficient and add extra steps for administrators each time they perform a task that requires elevated privileges. Controlling the administrator-type accounts is not an option, it is a requirement. You need to take action immediately, before your network is compromised and you are working at WalMart as a greeter!