Which of the following is a best practice regarding the Administrator account
Protecting Active Directory (AD) is a critical focus for security teams. Bad actors frequently target AD because it is central to so many critical functions, including authentication, authorization and network access. Your users, applications, services and IoT devices use AD every time they access your enterprise systems.
The 2018 healthcare.gov attack is one real-world example of a severe AD breach. Using stolen credentials, attackers were able to log into a database undetected and expose over 75,000 files containing personally identifiable information (PII). Defending your organization starts with understanding how attacks unfold. They typically follow the same fundamental steps:
In other words, AD attacks often hinge upon the weakest link in every security system: the human element. Phishing schemes, in particular, have become worryingly effective. Bad actors posing as representatives of well-regarded partners like financial institutions routinely convince unwitting employees to willingly hand over vital information. Cybercriminals have persuaded employees to:
To protect your organization, it is crucial to establish, communicate and enforce the following Active Directory security best practices.

Secure Your Domain Controllers
A domain controller (DC) is a server that authenticates users by checking their usernames, passwords and other credentials against stored data, and also authorizes (or denies) requests to access various IT resources. DCs are a primary target for cybercriminals because they store and process information that hackers can use to steal data and cause enterprise-wide damage.
Establish a Robust Password Policy
Microsoft Active Directory allows you to define fine-grained password policies that control factors like password length and complexity requirements. One way you can use password policy to better secure your network is to apply stricter account lockout settings to accounts that have access to valuable data and critical applications. That way, for example, an attacker who attempts to compromise an admin account will be locked out after just a few failed attempts, but a regular user who mistypes their password a few times will not get locked out and need to reset their password before they can get back to work. Follow these NIST password guidelines:
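The following is an added example, not code from the article, that models how the differentiated lockout settings described above behave: two policy objects with different thresholds, an observation window, and the AD fine-grained password policy rule that when several policies apply to one user the one with the lowest precedence number wins. The policy names, group links, thresholds and the stream of failed-logon events are constructed assumptions; the code evaluates the policy logic and does not configure a real domain.

```python
"""Model of fine-grained account lockout policy (added example; constructed data).

Assumptions (not from the article): "Admins-Lockout" (threshold 3, precedence 10)
is linked to Domain Admins and "Users-Lockout" (threshold 10, precedence 100) to
Domain Users. Failed-logon events are (minute, sAMAccountName) pairs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutPolicy:
    name: str
    precedence: int            # lower number wins when several policies apply
    threshold: int             # failed attempts within the window before lockout
    window_minutes: int        # lockout observation window
    applies_to: frozenset      # groups the policy is linked to


@dataclass
class Account:
    sam: str
    groups: frozenset
    failures: list = field(default_factory=list)   # minutes of failed logons
    locked: bool = False


POLICIES = [
    LockoutPolicy("Admins-Lockout", 10, 3, 30, frozenset({"Domain Admins"})),
    LockoutPolicy("Users-Lockout", 100, 10, 30, frozenset({"Domain Users"})),
]


def effective_policy(account, policies=POLICIES):
    """Among policies linked to any of the account's groups, pick the lowest precedence number."""
    matching = [p for p in policies if p.applies_to & account.groups]
    return min(matching, key=lambda p: p.precedence) if matching else None


def apply_failed_logons(accounts, events):
    """Replay failed-logon events in time order and lock accounts that exceed their threshold.

    Returns {sam: (policy name or None, total failures, locked)}.
    """
    by_sam = {a.sam: a for a in accounts}
    for minute, sam in sorted(events):
        acct = by_sam[sam]
        acct.failures.append(minute)
        policy = effective_policy(acct)
        if policy is None:
            continue
        # Only failures inside the observation window count toward the threshold
        recent = [m for m in acct.failures if minute - m <= policy.window_minutes]
        if len(recent) >= policy.threshold:
            acct.locked = True
    return {
        a.sam: ((effective_policy(a).name if effective_policy(a) else None), len(a.failures), a.locked)
        for a in accounts
    }


def demo():
    """Constructed scenario: admin and regular user each fail four times in a few minutes."""
    accounts = [
        Account("adm.jdoe", frozenset({"Domain Admins", "Domain Users"})),  # both policies apply
        Account("jdoe", frozenset({"Domain Users"})),
        Account("svc.legacy", frozenset()),                                   # no policy linked
    ]
    events = [(m, "adm.jdoe") for m in (0, 1, 2, 3)] + [(m, "jdoe") for m in (0, 1, 2, 3)]
    events += [(0, "svc.legacy"), (90, "svc.legacy")]
    return apply_failed_logons(accounts, events)


if __name__ == "__main__":
    for sam, (policy, n, locked) in demo().items():
        print(f"{sam:12} policy={policy} failures={n} locked={locked}")
```

The admin account is in both groups, so both policies match and the lower precedence number (Admins-Lockout) wins: it locks on the third failure, while the regular user with the same number of mistakes is still well under the ten-attempt threshold.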
Use a Local Administrator Password Solution
All too often, organizations create a generic local admin user ID with the same password on every machine. This approach increases the organization’s vulnerabilities — bad actors who compromise one machine can easily attack every machine. A local administrator password solution (LAPS) mitigates this risk by forcing each device to have a different local admin password.
Enable Visibility into Group Policy
Group Policy is a tool for enforcing a consistent and secure setup across multiple devices. However, Group Policy tends to be tangled and messy; some organizations even have Group Policy settings that are mutually exclusive. To avoid this weak link in your security posture, you need to have visibility into your Group Policy structure and changes. Group Policy best practices can be grouped into those for security groups and those for roles and accounts:

Security Groups
Security groups are the recommended way to control access to resources and enforce a least-privilege model. Instead of assigning access rights to individuals one by one, you assign permissions to security groups and then make each user a member of the appropriate groups.

Best Practices

Accounts
Best Practices for All Accounts
Additional Best Practices for Administrative and Other Powerful Accounts
Naturally, attackers are particularly interested in gaining access to accounts that have administrative privileges or access to sensitive data, such as customer records or intellectual property. Therefore, it’s critical to be especially vigilant about these powerful accounts. Best practices for domain administrator accounts and other privileged accounts include the following:
Monitor Active Directory for Signs of Compromise
Active Directory is a busy place. To spot attacks, it’s essential to know what to look for in all the event data. Here are the top five things to monitor:

User Account Changes
Be on the lookout for unusual modifications to an AD user account. Consider investing in a tool that can help you answer the following questions:
Password Resets by Administrators
Domain admins should always follow established best practices when resetting user credentials. A robust monitoring tool helps answer questions like:
Changes to Security Group Membership
Unexpected changes to security group membership can indicate malicious activity, such as privilege escalation or other insider threats. You need to know:
Logon Attempts by a Single User from Multiple Endpoints
Attempts by a single user to log on from different endpoints are often a sign that someone has taken control of their account, or is trying to. It is vital to flag and investigate this activity to find out:
Changes to Group Policy
A single improper change to Group Policy can dramatically increase your risk of a breach or other security incident. Using a tool to monitor this activity will make it easy to answer pressing questions like:
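As an added example covering the five monitoring items above (it is not code from the article or from any monitoring product), the block below runs simple detection rules over Windows Security log records: member additions to privileged groups (event IDs 4728/4732/4756), password resets performed on another account (4724), user account modifications (4738), edits to Group Policy objects (5136 where the object class is groupPolicyContainer), and one user logging on from several distinct endpoints inside a short window (4624). The privileged-group list, the three-endpoint/ten-minute thresholds and every event record are constructed assumptions; field names follow the Security log's EventData names.

```python
"""Detection rules for the five AD monitoring questions (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}      # member added to global / local / universal security group
MULTI_ENDPOINT_LIMIT = 3                   # distinct endpoints per user inside the window (assumption)
MULTI_ENDPOINT_WINDOW = timedelta(minutes=10)

# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Time": "2024-01-15T09:00:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4728, "Time": "2024-01-15T09:05:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Sales", "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"},
    {"EventID": 4724, "Time": "2024-01-15T09:10:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "adm.backup"},
    {"EventID": 4738, "Time": "2024-01-15T09:12:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jdoe"},
    {"EventID": 5136, "Time": "2024-01-15T09:20:00", "SubjectUserName": "gpoadmin",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 4624, "Time": "2024-01-15T10:00:00", "TargetUserName": "jdoe", "WorkstationName": "WS-101"},
    {"EventID": 4624, "Time": "2024-01-15T10:02:00", "TargetUserName": "jdoe", "WorkstationName": "WS-102"},
    {"EventID": 4624, "Time": "2024-01-15T10:03:00", "TargetUserName": "asmith", "WorkstationName": "WS-200"},
    {"EventID": 4624, "Time": "2024-01-15T10:04:00", "TargetUserName": "jdoe", "WorkstationName": "WS-103"},
    {"EventID": 4624, "Time": "2024-01-15T10:07:00", "TargetUserName": "jdoe", "WorkstationName": "WS-104"},
]


def parse_time(ev):
    return datetime.fromisoformat(ev["Time"])


def detect_group_changes(events):
    """Who added whom to a privileged security group."""
    return [("privileged-group-add", ev["SubjectUserName"], f'{ev["MemberName"]} added to {ev["TargetUserName"]}')
            for ev in events if ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS]


def detect_admin_resets(events):
    """Password resets where the actor is not the account owner."""
    return [("admin-password-reset", ev["SubjectUserName"], f'reset password of {ev["TargetUserName"]}')
            for ev in events if ev["EventID"] == 4724 and ev["SubjectUserName"] != ev["TargetUserName"]]


def detect_account_changes(events):
    """Any modification of a user account object."""
    return [("user-account-change", ev["SubjectUserName"], f'modified {ev["TargetUserName"]}')
            for ev in events if ev["EventID"] == 4738]


def detect_gpo_changes(events):
    """Directory service changes whose object is a GPO container."""
    return [("gpo-change", ev["SubjectUserName"], f'{ev["AttributeLDAPDisplayName"]} on {ev["ObjectDN"]}')
            for ev in events if ev["EventID"] == 5136 and ev.get("ObjectClass") == "groupPolicyContainer"]


def detect_multi_endpoint_logons(events, limit=MULTI_ENDPOINT_LIMIT, window=MULTI_ENDPOINT_WINDOW):
    """Flag a user once `limit` distinct endpoints appear within any `window`-long span of logons."""
    logons = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624:
            logons[ev["TargetUserName"]].append((parse_time(ev), ev["WorkstationName"]))
    findings = []
    for user, items in logons.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            endpoints = {ws for t, ws in items[i:] if t - start <= window}
            if len(endpoints) >= limit:
                findings.append(("multi-endpoint-logon", user,
                                 f"{len(endpoints)} endpoints within {window}: {sorted(endpoints)}"))
                break   # one finding per user is enough to trigger investigation
    return findings


def run_all(events=SAMPLE_EVENTS):
    """Run every rule and return the combined list of (rule, actor, detail) findings."""
    findings = []
    for rule in (detect_group_changes, detect_admin_resets, detect_account_changes,
                 detect_gpo_changes, detect_multi_endpoint_logons):
        findings.extend(rule(events))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in run_all():
        print(f"[{rule}] {actor}: {detail}")
```

The rules are deliberately narrow so each finding maps to one of the questions above; in production the same shape would read events from a SIEM or `Get-WinEvent` export rather than the inline list, and the thresholds would be tuned to the environment's normal logon patterns.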
Conclusion
The Active Directory security best practices laid out here are essential to strengthening your security posture. Careful management of activities across the entire network that affect AD security will enable you to reduce your attack surface area and to promptly detect and respond to threats, dramatically reducing your risk of suffering a disastrous security incident.

What is a good security practice for the administrator account?
Use non-super admin accounts for daily admin tasks.
Use the least privilege approach, where each user has access to the resources and tools needed for their typical tasks. For example, you could grant an admin permissions to create user accounts and reset passwords, but not let them delete user accounts.
What is an administrator account?
An admin account has privileges to manage services for other people in your organization. The Admin console is only available when you're signed in to an admin account. If you don't have access to an admin account, get help from someone else who does.
What should a domain admin account be used for?
A Domain Administrator is a user authorized to make changes to global policies that impact all the computers and users connected to that Active Directory organization.
What are three changes you should make to secure the built
Controls for Built-in Administrator Accounts: Enable the "Account is sensitive and cannot be delegated" flag on the account. Enable the "Smart card is required for interactive logon" flag on the account. Configure GPOs to restrict the Administrator account's use on domain-joined systems.
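The two flags named above are bits in the account's userAccountControl attribute, so whether they are set can be verified offline from an export of the directory. The following is an added example, not from the page, that audits built-in Administrator accounts (identified by RID 500, the last component of their SID) and reports which of the two controls is missing. The bit values are Microsoft's documented userAccountControl flags; the account records, SIDs and distinguished names are constructed.

```python
"""Audit userAccountControl flags on built-in Administrator accounts (added example; constructed data)."""

# Documented userAccountControl bit values
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
SMARTCARD_REQUIRED = 0x40000      # "Smart card is required for interactive logon"
NOT_DELEGATED = 0x100000          # "Account is sensitive and cannot be delegated"

REQUIRED_CONTROLS = {
    "Account is sensitive and cannot be delegated": NOT_DELEGATED,
    "Smart card is required for interactive logon": SMARTCARD_REQUIRED,
}
BUILTIN_ADMINISTRATOR_RID = 500


def rid(sid):
    """Relative identifier: the final sub-authority of the SID string."""
    return int(sid.rsplit("-", 1)[1])


def is_builtin_administrator(account):
    return rid(account["objectSid"]) == BUILTIN_ADMINISTRATOR_RID


def missing_controls(uac):
    """Names of required controls whose bit is not set in the given userAccountControl value."""
    return [name for name, bit in REQUIRED_CONTROLS.items() if not uac & bit]


def audit(accounts):
    """Return {distinguishedName: [missing control names]} for every built-in Administrator."""
    return {a["distinguishedName"]: missing_controls(a["userAccountControl"])
            for a in accounts if is_builtin_administrator(a)}


# Constructed sample export; SIDs and names are placeholders, not real values.
SAMPLE_ACCOUNTS = [
    {"distinguishedName": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "objectSid": "S-1-5-21-111-222-333-500",
     "userAccountControl": NORMAL_ACCOUNT | SMARTCARD_REQUIRED},                 # delegation flag missing
    {"distinguishedName": "CN=Administrator,CN=Users,DC=child,DC=corp,DC=example",
     "objectSid": "S-1-5-21-444-555-666-500",
     "userAccountControl": NORMAL_ACCOUNT | SMARTCARD_REQUIRED | NOT_DELEGATED},  # both controls set
    {"distinguishedName": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "objectSid": "S-1-5-21-111-222-333-1105",
     "userAccountControl": NORMAL_ACCOUNT},                                       # not RID 500, skipped
]


if __name__ == "__main__":
    for dn, missing in audit(SAMPLE_ACCOUNTS).items():
        status = "OK" if not missing else "MISSING: " + "; ".join(missing)
        print(f"{dn}: {status}")
```

Only the first two controls are bit flags; the third (restricting where the account may log on via GPO) lives in Group Policy, not in userAccountControl, so it needs a separate check of the applied policy.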