Protecting AD Domain Admins with Logon Restrictions and Windows Security Log


How do you protect all-powerful Domain Admins? If a bad guy gets Domain Admin access, say goodbye to Active Directory and everything else that depends on it – which is pretty much everything given how widespread AD support, single sign-on and federation are.

There are great privileged account and session management technologies out there but here is how Barry and I do it at the data center using native Windows security features and something called a “jump box”.

First we set up a Terminal Services system dedicated to administrative sessions; we call it “The Jump Box”. We and other privileged users never use our admin credentials to log on to any system other than the jump box. And we never use that jump box for anything other than administering AD and other highly critical pieces of IT infrastructure such as VMware. We don’t browse the web, open files from the Internet, view PDFs or do anything else that would give malformed content a chance to drop malware onto the jump box.

Then we added 2-factor authentication to the jump box. That way even if someone steals our credentials they can’t just log on to the jump box because they don’t have the hard token we carry or the soft token on our smart phone.

I can trust Barry and myself to follow those rules but as we grow we have to trust more and more people, just like you folks at larger companies. Plus there’s always the chance one of us could just forget or get lazy. So I decided to use Windows logon rights to restrict privileged accounts from logging on to any other system. As I'll show you in this real-training-for-free webinar, I was partially successful but could not completely lock Domain Admins and related groups down to the jump box because of some limitations and “features” of Windows and how it uses logon rights – especially in Windows Server 2012 R2.

The bottom line is that you can’t completely prevent privileged accounts from bypassing your jump box. So you always run the very real risk that an actual administrator (or an attacker who steals an admin’s credentials, and there are so many ways for that to happen) goes around it.

But you can add a compensating control, and I did that with the Windows security log. In this Real Training for Free™ webinar (no sponsor presentation) I'll show you how I set up security log monitoring rules to alert us immediately whenever a privileged account attempts to log on at the console of any system, access a workstation, remotely connect to a server or otherwise access anything outside the approved route of the strongly authenticated jump box.
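As an added example (not the webinar's content and not a SolarWinds rule), here is the same alerting logic in PowerShell: parse successful-logon events (ID 4624) and flag any privileged account whose logon neither lands on nor originates from the jump box. The jump box name and address, the account list and the sample records are all assumptions.

```powershell
# Added example (not content from the webinar): flag logons by privileged accounts
# that land anywhere other than the jump box. Host names, IPs and accounts are assumed.
$JumpBox   = 'JUMPBOX01'                       # assumed jump box host name
$JumpBoxIp = '10.1.2.20'                       # assumed jump box address
$PrivilegedAccounts = @('rsmith', 'barry')     # assumed Domain Admin SAM account names
# Production: Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName

# Pull the fields we need out of one 4624 (successful logon) record, by field name.
function ConvertFrom-Logon4624 {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $f = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        Computer    = $Record.MachineName.Split('.')[0]  # host that recorded the logon
        User        = $f.TargetUserName
        LogonType   = [int]$f.LogonType                  # 2 console, 3 network, 10 RDP, ...
        Workstation = $f.WorkstationName                 # blank for some Kerberos logons
        IpAddress   = $f.IpAddress                       # '-' for local console logons
    }
}

# Approved route: a logon TO the jump box, or one that ORIGINATES from it
# (the admin running tools from the jump box). Anything else by a privileged
# account is a bypass that should page someone immediately.
function Test-JumpBoxBypass {
    param($Logon, [string[]]$Privileged = $PrivilegedAccounts)
    if ($Privileged -notcontains $Logon.User)   { return $false }   # ordinary account
    if ($Logon.Computer    -ieq $JumpBox)       { return $false }   # logon to the jump box itself
    if ($Logon.Workstation -ieq $JumpBox)       { return $false }   # came from the jump box
    if ($Logon.IpAddress   -eq  $JumpBoxIp)     { return $false }   # same, when WorkstationName is blank
    return $true
}

# Constructed sample records so the rule can be exercised without a live Security log.
$now = Get-Date
$samples = @(
    [pscustomobject]@{ Time=$now; Computer='JUMPBOX01'; User='rsmith'; LogonType=10; Workstation='LAPTOP7';  IpAddress='10.1.1.50' } # RDP into jump box: ok
    [pscustomobject]@{ Time=$now; Computer='DC01';      User='rsmith'; LogonType=3;  Workstation='';         IpAddress='10.1.2.20' } # AD tool from jump box: ok
    [pscustomobject]@{ Time=$now; Computer='FILESRV3';  User='barry';  LogonType=10; Workstation='LAPTOP7';  IpAddress='10.1.1.50' } # RDP straight to a server: ALERT
    [pscustomobject]@{ Time=$now; Computer='WS-HR-12';  User='barry';  LogonType=2;  Workstation='WS-HR-12'; IpAddress='-'         } # console logon on a workstation: ALERT
    [pscustomobject]@{ Time=$now; Computer='WS-HR-12';  User='jdoe';   LogonType=2;  Workstation='WS-HR-12'; IpAddress='-'         } # ordinary user: ignored
)
$samples | Where-Object { Test-JumpBoxBypass $_ } | Format-Table Time, User, Computer, LogonType, Workstation, IpAddress -AutoSize

# Live use on a domain controller or log collector (uncomment):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000 |
#     ForEach-Object { ConvertFrom-Logon4624 $_ } | Where-Object { Test-JumpBoxBypass $_ }
```

Event 4624 is written on the system where the logon happens, so the rule only sees hosts whose logs you actually collect; the jump box's own log and the domain controllers' logs are the minimum.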

This webinar will be completely me and my content – no sponsor presentation. I'll be using SolarWinds Log and Event Manager to do the security log monitoring and alert us when there are attempts to bypass the jump box or otherwise misuse admin credentials. If you'd like to follow along with me, please download a free trial of Log and Event Manager ahead of time. It's a pre-built virtual appliance: just download it and power it up in your virtualization host or desktop.

If you implement the controls I demonstrate in this webinar you'll be able to sleep at night knowing you’ve got the tightest controls possible on domain admin accounts and that you'll know immediately if someone attempts to bypass them. Please register now!