Principle of Least Privilege

Hacker attacks are becoming more and more intelligent and, above all, more individual.
It is helpful to implement the Principle of Least Privilege in the Active Directory to help prevent your system from being attacked.
Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If your want to know what LAPS are, please read our previous article.

Users

Step #1

Create these Users and Groups in AD:
DA – Domain Admin
SA – Server Admin
CA – Client Admin
  • CA-, SA-, DA- User(example: CA-hs2n)
  • gg_ServerAdmin -group; gg_ClientAdmin -group

Step #2

Assignment:
  • CA – User member of gg_ClientAdmin
  • SA – User member of gg_ServerAdmin
  • DA – User member of Domain-admins

Step #3

Create a ClientAdmin Policy OR if you imported a policy, edit gg_ClientAdmin-
Link the policy to all your Client OrganisationUnits
For testing purposes do NOT use the option “Remove Members: Domain-Admins” in the first step
After you made sure that the policy works correctly and you have access to the clients with your previously created CA-admin users, edit the policy and add the option “Remove Members: Domain-Admins”
IMPORTANT:

As per default new domains that join Computerobjects are created in the group “Computers” 
THIS IS NOT A OU, IT IS A GROUP! 
A group can not be linked to a Policy – You have to Create a new OU and make it default for any new domain joining Computerobjects. To do so, start a Powershell as an administator:

Use the following commands:
redircmp 
redircmp „ou=NewComputer, DC=Testdomain, DC=local“
To check the default path use the following command:
get-addomain | fl computer*, user*

Step #4

Create a ServerAdmin Policy OR if you imported a policy edit gg_ServerAdmin.
Link the Policy to all your Client OrganisationUnits.
For testing purposes do NOT use the option “Remove Members: Domain-Admins” in the first step
After you made sure that the policy works correctly and you have access to your servers with the SA-admin users you poreviously created, edit the policy and add the option “Remove Members: Domain-Admins”

Step #5

To make sure that the previously created users can only log on to their intended devices(Servers, DC, Clients):

  • DA-users: only allowed to log on DC, not on other Servers, not on Clients
  • SA-users: only allowed to log on Servers, not on DC, not on Clients
  • CA-users: only allowed to log on Clients, not on DC, not on Servers
    We have to apply the following GPOs:

 

1. For DA-Users
Link this GPO to all OU with ComputerObjects and MemberServerObjects.
 
2. For SA-Users
Link this GPO to all OU with ComputerObjects and DomainControllers.
 
3. For CA-User:
Link this GPO to all OU with DomainControllers and MemberServerObjects.

LAPS

How to Configure Microsoft Local Administrator Password Solution (LAPS)
 
  1.  Download and Install LAPS via policies on every of your Server/Client Devices
    •  msiexec.exe /i %~dp0LAPS.x64.msi CUSTOMADMINNAME=loc-admin /Qb- /L*V “c:\temp\laps_install.log”
  2. Install LAPS Management Features (part of the LAPS Package) on the managing Server(DC)
  3. Install LAPS admx files from the package and copy it to policydefinitions
    • Update Active Directory Schema
    • Import-module AdmPwd.PS
    • Update-AdmPwdADSchema

After Schema Update two new attributes come up:
  1.  To write these two attributes, the Computer has to be granted access to these attributes: Delegate this permissions to the whole domain:
    • Launch PowerShell as Domain Administrator
    • Run command:
      Set-AdmPwdComputerSelfPermission -Identity “C=domain,DC=local”

  1.  Create a GPO based on LAPS GPO-Template. As a pattern you can use the following settings:
If you want, modify the password rules and link the policy to the Domain(root)(except Domaincontrollers) 
Be aware not to apply the policy to DomainControllers!
ADD DomainControllers under Advanced settings and set Read Attribute to “Deny”.

You can also find this guide and many others on our help page.

Start using XEOX now!

MORE BLOG POSTS

RMM

The future of RMM tools

The future of RMM Tools The time for RMM software innovation is at a defining point. Customer requirements are changing, and reliance on technology is

Read More »
RMM

Cloud Computing and its Benefits

Cloud Computing and its Benefits Cloud computing is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (“the cloud”)

Read More »