Saturday, January 22, 2005

Securing Administrative Groups and Accounts in Active Directory Part 1

Which accounts are a risk?: The Administrator account, created when Active Directory is installed on the first DC. It is the most powerful account in the domain and as such a target for hackers and other "evil" people. Also all accounts created afterwards with administrative rights.
Which groups?: The administrative groups in the Builtin container. The administrative groups created in the Users container. Any group later created and placed into another group that has administrative privileges. (Watch out for this; nesting gives the new group the privileges of its parent.)
For Active Directory there are two types of administrator: service administrators, who are responsible for maintaining the directory itself and its domain controllers, and data administrators, who are responsible for maintaining the data stored in the directory and on member servers, workstations or other media. In most organizations the members of the Administrators group fill both roles at once. Still, keep in mind that the service administrators have the most power in your directory and therefore need the most protection: they can install software and updates on domain controllers, create new users, and so on. Below is a short list of the default groups and accounts used for servicing Active Directory. A quick hint: built-in groups cannot be moved to another OU.

Enterprise Admins - Users container - Added by the system to the Administrators group.
Schema Admins - Users container - Has full access to the schema.
Administrators - Builtin container - Has full control over all domain controllers and directory content in the domain. Can also change the membership of other administrative accounts.
Server Operators - Builtin container - Has no members by default. Can be used for backing up and restoring domain controllers.
Account Operators - Builtin container - Has no members by default. Can be used for creating and managing users and groups in the domain. Cannot manage service administrator accounts. Do NOT add members to this group!
Backup Operators - Builtin container - Has no members by default. Can perform backup and restore operations on domain controllers.
DS Restore Administrator - You will not find this account in Active Directory. It is created during the Active Directory installation process and is not the same as the Administrator account in Active Directory. You use this account only to start a domain controller in Directory Services Restore Mode. When running in this mode, the account has full control over the system and all its files.
The listed accounts and groups, together with their members, are all protected by a background process that periodically checks and re-applies a security descriptor (a data structure containing the security information associated with a protected object). This ensures that any unauthorized change to the security descriptor of one of the administrative accounts or groups, even a successful one, is overwritten with the protected settings. The reference security descriptor lives on the AdminSDHolder object. So if you want to modify the permissions on one of the service administrator groups or on any of their member accounts, you must modify the security descriptor on the AdminSDHolder object so that the change is applied consistently. Be careful: you are then also changing the default settings that will be applied to all of your protected administrative accounts.
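As an added example (not part of the original post), the following PowerShell audits the groups listed above against AdminSDHolder: it expands nested membership, flags the operator groups that should be empty, and reports any member whose DACL no longer matches the AdminSDHolder DACL. It assumes the ActiveDirectory module from RSAT on a domain-joined management host; the group names come from the post, everything else is the example's own.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module
# and read access to the domain; run from a management host, not on a DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$sdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Service-administrator groups named in the post.
$protectedGroups = 'Enterprise Admins','Schema Admins','Administrators',
                   'Server Operators','Account Operators','Backup Operators'

# DACL of AdminSDHolder in SDDL form; the background process stamps this onto
# every protected group and member, so a differing DACL means drift since its last pass.
$referenceDacl = (Get-Acl -Path "AD:\$sdHolder").GetSecurityDescriptorSddlForm('Access')

$report = foreach ($g in $protectedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # Direct members of type group are the "watch out" case from the post.
    Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group' |
        ForEach-Object { Write-Warning "$g contains nested group '$($_.SamAccountName)'" }

    # -Recursive expands nested groups down to the user and computer objects.
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)) {
        $dacl = (Get-Acl -Path "AD:\$($m.DistinguishedName)").GetSecurityDescriptorSddlForm('Access')
        $obj  = Get-ADObject -Identity $m.DistinguishedName -Properties adminCount
        [pscustomobject]@{
            Group       = $g
            Member      = $m.SamAccountName
            Class       = $m.objectClass
            AdminCount  = $obj.adminCount             # set to 1 once the object is protected
            DaclMatches = ($dacl -eq $referenceDacl)  # $false = modified since the last pass
        }
    }
}

# The post says these three should stay empty.
foreach ($g in 'Server Operators','Account Operators','Backup Operators') {
    $n = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).Count
    if ($n -gt 0) { Write-Warning "$g has $n member(s); the post recommends leaving it empty." }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize
```

A member showing DaclMatches $false right after a change is expected until the background process runs again; one that stays $false, or a member with an empty AdminCount, is worth a closer look.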
End of Part 1.
