Restricted Admins part 2

Following the discussion of how NOT to implement Restricted Groups, let's discuss a possible implementation.

Organizational Unit Structure

(Image: OU Structure)

Domain Administrator Policy

Domain Administrator accounts should only be used on domain controllers. In other words, a domain administrator account should never be able to log on to workstations or servers, so our policy, linked to the Servers and Workstations OUs, denies all forms of logon to any account that is a member of the Domain Admins group.

(Image: Domain Admins policy)

Server Administrator Policy

  • Server Administrator accounts should only be used on servers. In other words, a server administrator account should never be able to log on to workstations or domain controllers, so our policy, linked to the Servers OU, denies all forms of logon to any account that is a member of the WorkstationAdmins group.
  • The Domain Administrator Policy takes care of preventing Domain Admins from logging on to computers in the Servers OU.
  • Additionally, Restricted Groups are used to ensure that the Domain Admins and ServerAdmins groups are the only members of the Builtin\Administrators group on computers in the Servers OU.

(Image: Server Admins policy)

Workstation Administrator Policy

  • Workstation Administrator accounts should only be used on workstations. In other words, a workstation administrator account should never be able to log on to servers or domain controllers, so our policy, linked to the Workstations OU, denies all forms of logon to any account that is a member of the ServerAdmins group.
  • The Domain Administrator Policy takes care of preventing Domain Admins from logging on to computers in the Workstations OU.
  • Additionally, Restricted Groups are used to ensure that the Domain Admins and WorkstationAdmins groups are the only members of the Builtin\Administrators group on computers in the Workstations OU.

(Image: Workstation Admins policy)
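The three policies above are, in Group Policy terms, a set of Deny logon user rights plus a Restricted Groups entry for BUILTIN\Administrators, both of which live in the security template (GptTmpl.inf) that the Security CSE processes. The script below is an added example, not the author's exported policies: it resolves the tier groups to SIDs and generates one template per tier so you can import each into the matching GPO (Computer Configuration > Policies > Windows Settings > Security Settings, right-click > Import Policy) or apply it to a lab machine with secedit. The group names ServerAdmins and WorkstationAdmins, the output directory, and running from a domain-joined host with the ActiveDirectory module are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: generate GptTmpl.inf-style security templates for the three tiers.
# Assumptions: run on a domain-joined admin host; tier groups are named
# 'ServerAdmins' and 'WorkstationAdmins' (as in the post); output goes to %TEMP%.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$domainSid        = (Get-ADDomain).DomainSID.Value
$domainAdminsSid  = "$domainSid-512"      # Domain Admins is always RID 512
$builtinAdminsSid = 'S-1-5-32-544'        # BUILTIN\Administrators on every member computer

function Get-GroupSid {
    param([Parameter(Mandatory)][string]$Name)
    (Get-ADGroup -Identity $Name).SID.Value
}
$serverAdminsSid      = Get-GroupSid 'ServerAdmins'       # assumed group name
$workstationAdminsSid = Get-GroupSid 'WorkstationAdmins'  # assumed group name

# "All forms of login" means every logon type a Deny right exists for:
# console, RDP, network (SMB/RPC/WinRM), scheduled task and service logons.
$denyRights = @(
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyBatchLogonRight',
    'SeDenyServiceLogonRight'
)

function New-TierTemplate {
    param(
        [Parameter(Mandatory)][string[]]$DenySids,   # groups that must never log on to this tier
        [string[]]$LocalAdminSids                    # if given, the only allowed Administrators members
    )
    # secedit templates reference principals as *<SID>
    $denyList = ($DenySids | ForEach-Object { "*$_" }) -join ','
    $lines = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]'
    )
    foreach ($right in $denyRights) { $lines += "$right = $denyList" }
    if ($LocalAdminSids) {
        # Restricted Groups: "__Members" is authoritative, so any member not listed
        # here is removed at the next policy refresh (the built-in local
        # Administrator account, RID 500, cannot be removed and stays).
        $members = ($LocalAdminSids | ForEach-Object { "*$_" }) -join ','
        $lines += '[Group Membership]'
        $lines += "*${builtinAdminsSid}__Memberof ="
        $lines += "*${builtinAdminsSid}__Members = $members"
    }
    $lines -join "`r`n"
}

# One template per policy in the post. The Domain Admin policy is linked to both
# the Servers and Workstations OUs and carries no Restricted Groups entry; the two
# tier policies deny the other tier's admins and pin local Administrators membership.
$templates = [ordered]@{
    'DomainAdminPolicy-Servers-Workstations' =
        New-TierTemplate -DenySids @($domainAdminsSid)
    'ServerAdminPolicy-Servers' =
        New-TierTemplate -DenySids @($workstationAdminsSid) `
                         -LocalAdminSids @($domainAdminsSid, $serverAdminsSid)
    'WorkstationAdminPolicy-Workstations' =
        New-TierTemplate -DenySids @($serverAdminsSid) `
                         -LocalAdminSids @($domainAdminsSid, $workstationAdminsSid)
}

$outDir = Join-Path $env:TEMP 'tier-templates'   # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($name in $templates.Keys) {
    $path = Join-Path $outDir "$name.inf"
    # secedit expects a UTF-16 LE ("Unicode") template
    Set-Content -Path $path -Value $templates[$name] -Encoding Unicode
    Write-Host "wrote $path"
}

# Post-deployment check for a member of a tier: the local Administrators group
# should contain nothing beyond the expected groups and the built-in RID-500 account.
function Test-LocalAdminsRestricted {
    param([Parameter(Mandatory)][string[]]$ExpectedSids)
    $actual = (Get-LocalGroupMember -SID $builtinAdminsSid).SID.Value
    $unexpected = $actual | Where-Object { $_ -notmatch '-500$' -and $_ -notin $ExpectedSids }
    if ($unexpected) { Write-Warning "Unexpected Administrators members: $($unexpected -join ', ')" }
    -not $unexpected
}
```

To try a template on a lab server before linking the GPO, apply it with `secedit /configure /db C:\Windows\security\tier.sdb /cfg "$env:TEMP\tier-templates\ServerAdminPolicy-Servers.inf" /areas USER_RIGHTS GROUP_MGMT`, then run `Test-LocalAdminsRestricted -ExpectedSids @($domainAdminsSid, $serverAdminsSid)` on that machine. Because the Deny rights include SeDenyNetworkLogonRight, the denied tier's credentials are useless for SMB and WinRM against that tier as well, which is what actually limits pass-the-hash reuse rather than just interactive logon.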

You can find a working example of the policies above here.

With the policies above in place we've reduced the lateral movement attack space.
If an admin account is compromised, then effectively all computers in the respective OU are compromised rather than the entire domain, from the standpoint of pass-the-hash/pass-the-ticket attacks.
There is one obvious weakness to this implementation, however.
Someone can negate your entire RBAC infrastructure by using the same password for their domain admin, workstation admin, and server admin accounts.
But if you really did allow them to do such a thing, I wouldn't be entirely sympathetic if your domain got pwned.