Domain Admins Best Practices


  • 8/20/2019 Domain Admins Best Practices

    beyondtrust

    Presenter: Russell Smith

    @smithrussell

    www.packtpub.com

    Are part of the attack surface

    Hold the keys to your kingdom

    Can elevate to schema or enterprise administrator

    Not required for server or workstation admin tasks

    Pass-the-Hash attacks

    Cached credentials

    Security Accounts Manager (SAM) database

    Unsanctioned changes

    1. Isolate domain controllers

    2. Delegate AD Privileges

    3. Use RSAT or PowerShell for administration

    Use JiT administration

    Automate updates using WSUS or System Center

    Forward event logs

    Delegate other NT rights

    Delegate access using the Administrators or Remote Desktop Users group

    Use Group Policy Restricted Groups or Group Policy Preferences

    Assign only the cmdlets, parameters and functions required

    Provision JEA toolkits (PowerShell endpoints)

    Unique JEA local administrator account

    RunSpaceID and date/time logged in ActivityLog.csv

    RunSpaceID matches against username in Executing Pipeline event (Microsoft-Windows-PowerShell/Operational log)

    AD account can be used to perform off-server tasks
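
    An added example, not from the original slides: a JEA endpoint that exposes only the cmdlets and parameters one role needs, built with the role capability and session configuration cmdlets that ship in Windows PowerShell 5.0 and later rather than the toolkit format the slides name. The group CONTOSO\DnsOperators, the role and endpoint names, the file paths and the DNS task are assumptions chosen for illustration.

```powershell
# Added example (not from the slides). Run elevated on the managed server.
# Assumptions: CONTOSO\DnsOperators group, DnsOperator role, DnsOps endpoint,
# and every path below are illustrative names.

$module  = 'C:\Program Files\WindowsPowerShell\Modules\DnsOpsJea'
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# JEA only discovers role capabilities inside a valid module, so add a manifest.
New-ModuleManifest -Path (Join-Path $module 'DnsOpsJea.psd1')

# Assign only the cmdlets, parameters and parameter values the role requires.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        @{ Name       = 'Clear-DnsServerCache'
           Parameters = @{ Name = 'Force' } }
    )

# Session configuration: restricted language, temporary virtual account,
# and a transcript written for every session.
$transcripts = 'C:\ProgramData\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = 'C:\ProgramData\JEA\DnsOps.pssc'

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{
        'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }

# Validate the file before registering; registration restarts WinRM.
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'DnsOps' -Path $pssc -Force
}

# Operators then connect with their ordinary AD account:
#   Enter-PSSession -ComputerName <server> -ConfigurationName DnsOps
```

    On a member server the virtual account is a local administrator; on a domain controller it is a member of Domain Admins, so there the visible cmdlet list is the only boundary.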

    PowerBroker for Windows

    Jason Silva, Product Manager

    © 2015 BeyondTrust Software

    Introducing PowerBroker for Windows

    Endpoint solution that enforces least privilege access across physical and virtual Microsoft Windows desktops and servers efficiently, without disrupting user productivity.

    PowerBroker for Windows

    Elevate Applications, Not Users

    ► Remove administrator privileges from users without hampering productivity

    ► Ensure only authorized software installs, updates & system changes

    ► Elevate the application or task, not the user, to limit malware exposure (e.g., pass-the-hash)

    Minimally Invasive, Intuitive UI for Context-Aware Risk Insights

    ► Automatic correlation of events to the Retina Vulnerability Database

    ► Wizard-driven rule creation and targeting of specific assets and users for policy and rule creation; automatic policies based on events

    PowerBroker for Windows Monitoring Capabilities

    • Privileged Application Launches

     – UAC Prompts, Rules Matched, Request Elevation

    • Windows Event Log Monitoring

     – Windows Application, System, and Security Logs

    • File Integrity Monitoring

     – Monitor Files and Directories by User / Group

    • Session Monitoring

     – Screen Captures and Keystroke Logging of Privileged Access

    [Diagram: BeyondInsight IT Risk Management Platform. Retina Vulnerability Management (Network Security Scanner, Web Security Scanner, BeyondSaaS Cloud-Based Scanning, Enterprise Vulnerability Management) covering Network Infrastructure, Mobile, Servers & Desktops, Applications & Databases, Virtual & Cloud. PowerBroker Privileged Account Management (Privileged Password Management, Auditing & Protection, Active Directory Bridging, Privilege Management) covering Network Infrastructure, Active Directory/Exchange/File Sys, Servers & Desktops, Applications & Databases, Virtual & Cloud.]

    Demonstration

    PowerBroker for Windows

    Quick Poll 

    Thank you for attending.