Restrict and protect sensitive domain accounts

Separate administrator accounts from user accounts.

Privileged accounts:

Allocate administrator accounts to perform administrative duties only, at one of the following levels.

   1. Minimum:

Create separate accounts for domain administrators, enterprise administrators, or the equivalent, with the appropriate administrator rights.

   2. Better:

Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators and accounts with user rights over designated Active Directory Organizational Units (OUs).

   3. Ideal:

Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels.

  • Standard User Account: Grant standard user rights for standard user tasks such as email, web browsing and using Line of Business (LOB) applications.
Create dedicated workstation hosts without Internet and email access

  • Administrators must perform the job responsibilities that require sensitive administrator rights from a dedicated workstation, because they do not usually have easy physical access to the servers.
  • Minimum: Build dedicated administrator workstations and block Internet access on those workstations, including web browsing and email.
  • Better: Do not grant administrators membership in the local Administrators group on those workstations, so that they cannot bypass these protections.
  • Ideal: Restrict the workstations from having any network connectivity, except to the domain controllers and servers that the administrator accounts are used to manage.
Restrict administrator logon access to servers and workstations

  • It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations.
  • Restrict logon access to lower-trust servers and workstations by using the following guidelines.
        1. Minimum: Restrict domain administrators from having logon access to servers and workstations. Before starting, identify all OUs in the domain that contain workstations and servers; administrators with sensitive accounts will not be restricted from signing in to computers in any OU that is not identified.
        2. Better: Restrict server administrators from signing in to workstations, in addition to domain administrators.

Disable the account delegation right for administrator accounts

  • Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or computer that is trusted for delegation can impersonate an account that authenticates to it in order to access other resources across the network.
  • It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the "Account is sensitive and cannot be delegated" check box under Account options, to prevent these accounts from being delegated.
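The check box described above sets the AccountNotDelegated attribute on the user object. The following script is an added example, not part of the original post: it audits the members of the privileged groups for that attribute and, only when run with -Remediate, sets it. The group list is an assumption; adjust it to the sensitive groups in your own forest. It requires the RSAT ActiveDirectory PowerShell module.

```powershell
# Added example: audit privileged accounts for "Account is sensitive and cannot be
# delegated" (AccountNotDelegated) and optionally set it. Group names are an assumption.
param(
    [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [switch]$Remediate   # without this switch the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# Collect every user that is a direct or nested member of the sensitive groups.
$members = foreach ($g in $Groups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}

# Look up the delegation flag for each unique account.
$report = foreach ($m in ($members | Sort-Object -Property distinguishedName -Unique)) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties AccountNotDelegated
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        NotDelegated      = [bool]$u.AccountNotDelegated
        DistinguishedName = $u.DistinguishedName
    }
}

# Report first: an account with NotDelegated = False can be impersonated by any
# service or computer that is trusted for delegation, which is what the flag prevents.
$report | Sort-Object NotDelegated, SamAccountName | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.NotDelegated })
Write-Host ("{0} of {1} privileged users lack the flag." -f $missing.Count, @($report).Count)

if ($Remediate) {
    foreach ($u in $missing) {
        # -AccountNotDelegated $true sets the NOT_DELEGATED userAccountControl bit,
        # the same change as ticking the check box in Active Directory Users and Computers.
        Set-ADUser -Identity $u.DistinguishedName -AccountNotDelegated $true
        Write-Host "Set AccountNotDelegated on $($u.SamAccountName)"
    }
}
```

Run it without -Remediate first and review the table; nested group membership means the list is often longer than the direct members shown in the console.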
