Principle of Least Privilege

Hacker attacks are becoming more and more intelligent and, above all, more individual.
It is helpful to implement the Principle of Least Privilege in the Active Directory to help prevent your system from being attacked.
Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If your want to know what LAPS are, please read our previous article.

Users

Step #1

Create these Users and Groups in AD:

DA – Domain Admin
SA – Server Admin
CA – Client Admin

CA-, SA-, DA- User(example: CA-hs2n)
gg_ServerAdmin -group; gg_ClientAdmin -group

Step #2

Assignment:

CA – User member of gg_ClientAdmin
SA – User member of gg_ServerAdmin
DA – User member of Domain-admins

Step #3

Create a ClientAdmin Policy OR if you imported a policy, edit gg_ClientAdmin-

Link the policy to all your Client OrganisationUnits

For testing purposes do NOT use the option “Remove Members: Domain-Admins” in the first step
After you made sure that the policy works correctly and you have access to the clients with your previously created CA-admin users, edit the policy and add the option “Remove Members: Domain-Admins”

IMPORTANT:

As per default new domains that join Computerobjects are created in the group “Computers”
THIS IS NOT A OU, IT IS A GROUP!
A group can not be linked to a Policy – You have to Create a new OU and make it default for any new domain joining Computerobjects. To do so, start a Powershell as an administator:

Use the following commands:

redircmp

redircmp „ou=NewComputer, DC=Testdomain, DC=local“

To check the default path use the following command:

get-addomain | fl computer, user

Step #4

Create a ServerAdmin Policy OR if you imported a policy edit gg_ServerAdmin.

Link the Policy to all your Client OrganisationUnits.

For testing purposes do NOT use the option “Remove Members: Domain-Admins” in the first step
After you made sure that the policy works correctly and you have access to your servers with the SA-admin users you poreviously created, edit the policy and add the option “Remove Members: Domain-Admins”

Step #5

To make sure that the previously created users can only log on to their intended devices(Servers, DC, Clients):

DA-users: only allowed to log on DC, not on other Servers, not on Clients
SA-users: only allowed to log on Servers, not on DC, not on Clients
CA-users: only allowed to log on Clients, not on DC, not on Servers
We have to apply the following GPOs:

1. For DA-Users

Link this GPO to all OU with ComputerObjects and MemberServerObjects.

2. For SA-Users

Link this GPO to all OU with ComputerObjects and DomainControllers.

3. For CA-User:

Link this GPO to all OU with DomainControllers and MemberServerObjects.

LAPS

How to Configure Microsoft Local Administrator Password Solution (LAPS)

Download and Install LAPS via policies on every of your Server/Client Devices
msiexec.exe /i %~dp0LAPS.x64.msi CUSTOMADMINNAME=loc-admin /Qb- /L*V “c:\temp\laps_install.log”
Install LAPS Management Features (part of the LAPS Package) on the managing Server(DC)
Install LAPS admx files from the package and copy it to policydefinitions
Update Active Directory Schema
Import-module AdmPwd.PS
Update-AdmPwdADSchema

After Schema Update two new attributes come up:

To write these two attributes, the Computer has to be granted access to these attributes: Delegate this permissions to the whole domain:
Launch PowerShell as Domain Administrator
Run command:
Set-AdmPwdComputerSelfPermission -Identity “C=domain,DC=local”

Create a GPO based on LAPS GPO-Template. As a pattern you can use the following settings:

If you want, modify the password rules and link the policy to the Domain(root)(except Domaincontrollers)
Be aware not to apply the policy to DomainControllers!
ADD DomainControllers under Advanced settings and set Read Attribute to “Deny”.

You can also find this guide and many others on our help page.

Start using XEOX now!

Top 11 RMM tools

Top 11 RMM tools Remote Monitoring and Management (RMM) tools are essential for IT professionals and Managed Service Providers (MSPs) to efficiently manage and monitor

Michael Satlow 20/09/2023

Comparison

Top 8 WSUS alternatives

Top 8 WSUS alternatives Windows Server Update Services, commonly referred to as WSUS, serves as an essential element within the Windows Server ecosystem. It empowers

Lisa Steinbrugger 14/09/2023

Cyber Security

Understanding is the be-all and end-all: Identifying risks from IT security gaps

Understanding is the be-all and end-all: Identifying risks from IT security gaps IT security breaches and resulting data loss pose a major financial risk to

Team XEOX 27/07/2023

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Principle of Least Privilege

Users

Step #1

Create these Users and Groups in AD:

DA – Domain AdminSA – Server AdminCA – Client Admin

CA-, SA-, DA- User(example: CA-hs2n)

gg_ServerAdmin -group; gg_ClientAdmin -group

Step #2

Assignment:

CA – User member of gg_ClientAdmin

SA – User member of gg_ServerAdmin

DA – User member of Domain-admins

Step #3

Create a ClientAdmin Policy OR if you imported a policy, edit gg_ClientAdmin-

Link the policy to all your Client OrganisationUnits

For testing purposes do NOT use the option “Remove Members: Domain-Admins” in the first stepAfter you made sure that the policy works correctly and you have access to the clients with your previously created CA-admin users, edit the policy and add the option “Remove Members: Domain-Admins”

IMPORTANT:

Use the following commands:

redircmp

redircmp „ou=NewComputer, DC=Testdomain, DC=local“

To check the default path use the following command:

get-addomain | fl computer*, user*

Step #4

Create a ServerAdmin Policy OR if you imported a policy edit gg_ServerAdmin.

Link the Policy to all your Client OrganisationUnits.

Step #5

1. For DA-Users

Link this GPO to all OU with ComputerObjects and MemberServerObjects.

2. For SA-Users

Link this GPO to all OU with ComputerObjects and DomainControllers.

3. For CA-User:

Link this GPO to all OU with DomainControllers and MemberServerObjects.

LAPS

How to Configure Microsoft Local Administrator Password Solution (LAPS)

Download and Install LAPS via policies on every of your Server/Client Devices

msiexec.exe /i %~dp0LAPS.x64.msi CUSTOMADMINNAME=loc-admin /Qb- /L*V “c:\temp\laps_install.log”

Install LAPS Management Features (part of the LAPS Package) on the managing Server(DC)

Install LAPS admx files from the package and copy it to policydefinitions

Update Active Directory Schema

Import-module AdmPwd.PS

Update-AdmPwdADSchema

After Schema Update two new attributes come up:

To write these two attributes, the Computer has to be granted access to these attributes: Delegate this permissions to the whole domain:Launch PowerShell as Domain AdministratorRun command:Set-AdmPwdComputerSelfPermission -Identity “C=domain,DC=local”

To write these two attributes, the Computer has to be granted access to these attributes: Delegate this permissions to the whole domain:

Launch PowerShell as Domain Administrator

Run command:

Set-AdmPwdComputerSelfPermission -Identity “C=domain,DC=local”

Create a GPO based on LAPS GPO-Template. As a pattern you can use the following settings:

Create a GPO based on LAPS GPO-Template. As a pattern you can use the following settings:

If you want, modify the password rules and link the policy to the Domain(root)(except Domaincontrollers) Be aware not to apply the policy to DomainControllers!ADD DomainControllers under Advanced settings and set Read Attribute to “Deny”.

Start using XEOX now!

MORE BLOG POSTS

Top 11 RMM tools

Top 8 WSUS alternatives

Understanding is the be-all and end-all: Identifying risks from IT security gaps

Company

Resources

ComplianCe

Subscribe to our newsletter!

DA – Domain Admin
SA – Server Admin
CA – Client Admin

For testing purposes do NOT use the option “Remove Members: Domain-Admins” in the first step
After you made sure that the policy works correctly and you have access to the clients with your previously created CA-admin users, edit the policy and add the option “Remove Members: Domain-Admins”

get-addomain | fl computer, user

To write these two attributes, the Computer has to be granted access to these attributes: Delegate this permissions to the whole domain:
Launch PowerShell as Domain Administrator
Run command:
Set-AdmPwdComputerSelfPermission -Identity “C=domain,DC=local”

If you want, modify the password rules and link the policy to the Domain(root)(except Domaincontrollers)
Be aware not to apply the policy to DomainControllers!
ADD DomainControllers under Advanced settings and set Read Attribute to “Deny”.