There are many types of accounts an attacker can target depending on their goal, and Domain Administrator ("Domain Admin") accounts are a prime target among them. Yet even though this risk is well known, few companies and organizations do their due diligence to secure these accounts. From mid-sized businesses to Fortune 500 companies and across every industry sector, poorly protected Domain Admin accounts create a sizable entry point for cyber attacks.
What is a Domain Admin and Can I be One Too?
The term Domain Admin is widely known by those in IT, but very few understand the true purpose of the Domain Admin role. This misunderstanding is why Domain Admin accounts are the most misused accounts in Active Directory (AD). Improper use includes, but is not limited to, granting Domain Admin rights to an excessive number of users, using a Domain Admin account as a user's primary day-to-day account, and not revoking Domain Admin rights when a user no longer requires them.
Each organization may define the Domain Admin role differently to suit its requirements; however, there are best practice standards that tighten these role definitions and make the accounts more secure. Considering the capabilities that Domain Admins wield, which make Domain Admins the most powerful group within an Active Directory domain, Domain Admin membership should be limited to as few users as possible. Additionally, Domain Admin accounts should only be used for changes to the domain whose permissions cannot be delegated to another group; everything else belongs to a delegated group with narrower rights. While this approach takes time and effort to configure, it is an essential milestone in securing your organization's environment.
Below is a list of known tasks which cannot be delegated to other groups and would require Domain Admin rights:
Promoting or demoting a Domain Controller;
Transferring or seizing the Flexible Single-Master Operation (FSMO) roles (the two forest-wide roles, Schema Master and Domain Naming Master, instead require Schema Admins and Enterprise Admins respectively);
Raising the Domain Functional Level;
Adding or removing users to the Enterprise Admins group (this group exists only in the forest root domain);
Installing software whose installer itself requires Domain Admin rights; and,
Restoring AD from backup.
Why Do Attackers Target Domain Admin Accounts?
Attackers have different methods to achieve an end goal, which may be data theft, data destruction, extortion, reputational damage, and more. Regardless of the motive, gaining access to a Domain Admin account provides attackers with an unbridled amount of power and access to carry out cyber attacks. By default, the Domain Admins group is added to the local Administrators group of every workstation and server when it joins the domain, and administrators tend to assume that membership is required and never remove it. Often, Domain Admins are also given admin-level access to file shares and databases where sensitive data lives, which makes these accounts a prime target for attackers, who then use tools to find a path to Domain Admin. One such tool is BloodHound, which collects group membership, logon session and local-admin data from a compromised machine and maps out which accounts and machines need to be compromised next to reach Domain Admin by the shortest path.
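The default local Administrators membership and the logon sessions described above are what BloodHound-style path finding feeds on, so a defender should measure the same thing. The following is an added example, not code from the original article: it reports, for every member server that is not a domain controller, whether Domain Admins is still in the local Administrators group and which Domain Admin accounts have logged on there recently. Those are the machines where an attacker who scrapes memory would find Domain Admin credentials. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the servers, and rights to read their Security event logs; the function and parameter names are this example's own.

```powershell
# Added example, not from the original article. Assumes RSAT ActiveDirectory,
# PowerShell Remoting, and read access to the servers' Security logs.
Import-Module ActiveDirectory

function Get-DomainAdminFootprint {
    param([int]$LookBackDays = 30)

    # Member servers only: Domain Admins belong on domain controllers.
    $dcHosts = (Get-ADDomainController -Filter *).HostName
    $servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" -Properties OperatingSystem |
        Where-Object { $dcHosts -notcontains $_.DNSHostName } |
        Select-Object -ExpandProperty DNSHostName

    # Nested membership counts: a user in a group that is in Domain Admins is a Domain Admin.
    $daNames = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName

    Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
        $daNames = $using:daNames
        $days    = $using:LookBackDays
        $since   = (Get-Date).AddDays(-$days)

        # The domain group shows up here as DOMAIN\Domain Admins.
        $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
            Select-Object -ExpandProperty Name

        # Event 4624 = successful logon. LogonType 2 and 10 are interactive/RDP,
        # 3 is network, 4 and 5 are batch and service logons.
        $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                $data
            } |
            Where-Object { $daNames -contains $_['TargetUserName'] } |
            ForEach-Object { '{0} (type {1})' -f $_['TargetUserName'], $_['LogonType'] } |
            Sort-Object -Unique

        [pscustomobject]@{
            Server                   = $env:COMPUTERNAME
            DomainAdminsIsLocalAdmin = [bool]($localAdmins | Where-Object { $_ -like '*\Domain Admins' })
            DomainAdminLogons        = ($logons -join ', ')
        }
    }
}

# Servers where a Domain Admin has actually logged on are the ones to fix first:
# that is where a cached credential or token is waiting to be scraped.
Get-DomainAdminFootprint -LookBackDays 30 |
    Sort-Object DomainAdminLogons -Descending |
    Format-Table Server, DomainAdminsIsLocalAdmin, DomainAdminLogons -AutoSize
```

Reading 30 days of Security events on a busy server is slow; narrow the window or forward 4624 events to a central log and run the same filter there. Get-LocalGroupMember needs Windows Server 2016 or later (or PowerShell 5.1 with the LocalAccounts module).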
Many organizations have at least one service account that is a Domain Admin. Service accounts with Domain Admin rights are often easy targets for attackers because their passwords are weak and almost never change. One of the most sought-after accounts for an attacker is the one used by the vulnerability scanner, as it is often a Domain Admin account that the organization uses to scan every system on the domain, including Domain Controllers, by logging on to each of them. In the worst case, an attacker who has compromised one of those systems can retrieve the scanner account's credentials from memory on that system and gain Domain Admin access to carry out a cyber attack.
What Kind of Attacks are Used to Get to Domain Admin?
Before we can begin to understand how to protect Domain Admin accounts, it is important to first understand the different attack methods at a high level. A simple query against Active Directory pulls back every member of the Domain Admins group and, by default, any domain user can run it, so an attacker knows exactly which accounts to go after.
There are many types of attacks and techniques used by attackers to get to Domain Admin. The following are methods used after an initial compromise, with the goal of getting to a Domain Admin account:
Mimikatz: a tool that scrapes system memory (the LSASS process) for clear-text passwords and password hashes, which are then used in pass-the-hash attacks or cracked offline;
Kerberoasting: a post-exploitation technique in which any domain user requests Kerberos service tickets for accounts that have a Service Principal Name (SPN) and cracks those tickets offline to recover the service account's password;
Privilege Escalation: a method in which an attacker elevates their access by exploiting a vulnerability or misconfiguration, then establishes persistence locally and moves laterally until they reach Domain Admin level access.
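The query mentioned above, and the weaknesses the three techniques exploit, can be seen in one listing. The following is an added example, not code from the original article: it lists every user who is a Domain Admin, directly or through nested groups, over plain LDAP from any domain-joined host using only .NET classes that ship with Windows, which is what an attacker holding an ordinary domain account would do (no RSAT module needed). Each account is flagged for an SPN (a Kerberoasting target), a password that never expires or is old (the service-account pattern from the previous section), and whether the account is marked non-delegable or is in Protected Users. The function name and column names are this example's own.

```powershell
# Added example, not from the original article. Runs as any domain user on a
# domain-joined host; no RSAT required.
function Get-DomainAdminExposure {
    $domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value
    $daDn     = "CN=Domain Admins,CN=Users,$domainDn"

    # Matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the
    # domain controller expand nested group membership server-side.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$domainDn"
    $searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$daDn))"
    $searcher.PageSize   = 500
    foreach ($attr in 'sAMAccountName','servicePrincipalName','pwdLastSet','userAccountControl','memberOf','lastLogonTimestamp') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties        # attribute names come back lower-cased
        $uac = [int]$p['useraccountcontrol'][0]

        # pwdLastSet and lastLogonTimestamp are Windows FILETIME values (UTC).
        $pwdSet    = [datetime]::FromFileTimeUtc([int64]$p['pwdlastset'][0])
        $lastLogon = if ($p['lastlogontimestamp'].Count) { [datetime]::FromFileTimeUtc([int64]$p['lastlogontimestamp'][0]) } else { $null }

        [pscustomobject]@{
            SamAccountName       = [string]$p['samaccountname'][0]
            Enabled              = -not ($uac -band 0x2)          # ACCOUNTDISABLE
            PasswordNeverExpires = [bool]($uac -band 0x10000)     # DONT_EXPIRE_PASSWORD
            NotDelegated         = [bool]($uac -band 0x100000)    # NOT_DELEGATED ("account is sensitive")
            ProtectedUser        = [bool]($p['memberof'] | Where-Object { $_ -like 'CN=Protected Users,*' })
            # Any domain user can request a service ticket for an account with an SPN
            # and crack it offline, so an SPN on a Domain Admin is a Kerberoasting target.
            Kerberoastable       = ($p['serviceprincipalname'].Count -gt 0)
            PasswordAgeDays      = [int]((Get-Date).ToUniversalTime() - $pwdSet).TotalDays
            LastLogon            = $lastLogon
        }
    }
}

# Most attractive targets first: an SPN plus a password that never changes is the
# vulnerability-scanner pattern described earlier.
Get-DomainAdminExposure |
    Where-Object Enabled |
    Sort-Object Kerberoastable, PasswordAgeDays -Descending |
    Format-Table SamAccountName, Kerberoastable, PasswordNeverExpires, PasswordAgeDays, ProtectedUser, NotDelegated, LastLogon -AutoSize
```

A PasswordAgeDays in the tens of thousands means pwdLastSet is zero (password must be changed at next logon), which on a Domain Admin usually indicates a never-used or badly provisioned account and deserves a look of its own. Defenders should schedule this same query: if its output changes, someone gained Domain Admin.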
How Can We Protect Domain Admin Accounts?
Like all areas of security, a defence-in-depth approach provides the most robust strategy against these attacks. No single setting or tool will prevent a Domain Admin account from being compromised on its own; multiple tools and strategies are needed to provide a high level of security. Below are some of the most important things we can do to protect our Domain Admin accounts.
Rotate Domain Admin passwords at least daily for privileged users and at least every 180 days for service accounts;
Enforce strong password requirements for Domain Admin accounts (16-20 characters for privileged users and 25+ characters for service accounts);
Use a PAM tool to manage Domain Admin accounts;
Limit the overall number of Domain Admin accounts for privileged users and service accounts in each domain; and,
Limit the scope and function of Domain Admins in your environment (i.e. only allow them to log on to Domain Controllers and make changes to the domain).
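The password rotation, length and scope rules above can be checked and applied from PowerShell. The following is an added example, not code from the original article, using the RSAT ActiveDirectory module: it compares each Domain Admin's password age with the thresholds above (1 day for privileged users, 180 days for service accounts), rotates a service account to a random 32-character password, and restricts an interactive admin account so its credentials are harder to steal and reuse. Two assumptions of this example: an account counts as a service account if it has an SPN or its name starts with "svc" (adjust to your naming standard), and the function names are the example's own.

```powershell
# Added example, not from the original article. Requires RSAT ActiveDirectory and
# rights to reset passwords and modify Domain Admin accounts.
Import-Module ActiveDirectory

function Get-DomainAdminPasswordFindings {
    param([int]$UserMaxAgeDays = 1, [int]$ServiceMaxAgeDays = 180)

    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties servicePrincipalName, PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            # Assumption: SPN or "svc" prefix marks a service account.
            $isService = ($_.servicePrincipalName.Count -gt 0) -or ($_.SamAccountName -like 'svc*')
            $limit = if ($isService) { $ServiceMaxAgeDays } else { $UserMaxAgeDays }
            # PasswordLastSet is $null when the password must be changed at next logon.
            $age = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { [int]::MaxValue }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                AccountType          = if ($isService) { 'Service' } else { 'User' }
                PasswordAgeDays      = $age
                MaxAgeDays           = $limit
                PasswordNeverExpires = $_.PasswordNeverExpires
                Compliant            = ($age -le $limit) -and -not $_.PasswordNeverExpires
            }
        }
}

function New-RandomPassword {
    param([int]$Length = 32)
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}:,.?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes at or above this to avoid modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Reset-ServiceAccountPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Length = 32)

    $new = ConvertTo-SecureString (New-RandomPassword -Length $Length) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($SamAccountName, "reset to a new $Length-character password")) {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
        # Hand $new to whatever runs the service (scheduler, PAM vault) right here;
        # rotating without updating the consumer is an outage, not a control.
        $new
    }
}

function Protect-DomainAdminUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'mark as sensitive and add to Protected Users')) {
        # "Account is sensitive and cannot be delegated": services cannot reuse this
        # account's Kerberos identity through delegation.
        Set-ADUser -Identity $SamAccountName -AccountNotDelegated $true
        # Protected Users disables NTLM, RC4/DES and cached credentials for the
        # account, which is what memory-scraping tools rely on. Interactive admin
        # accounts only: it will break service accounts that still use NTLM.
        Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    }
}

$findings = Get-DomainAdminPasswordFindings
$findings | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Dry run with -WhatIf; remove it once the consumer of each password is wired up.
$findings | Where-Object { $_.AccountType -eq 'Service' -and -not $_.Compliant } |
    ForEach-Object { Reset-ServiceAccountPassword -SamAccountName $_.SamAccountName -WhatIf }
$findings | Where-Object { $_.AccountType -eq 'User' } |
    ForEach-Object { Protect-DomainAdminUser -SamAccountName $_.SamAccountName -WhatIf }
```

Daily rotation for privileged users is only practical when a PAM tool checks the password out and back in; this script shows the check and the mechanics, the PAM tool provides the schedule. Password length cannot be read back from AD, so the 16-20 and 25+ character rules are enforced at the point of rotation (the -Length parameter) and by fine-grained password policy, not by auditing existing passwords.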
This is not a quick fix. It will take time and effort to secure the most targeted account type in an Active Directory domain. Each of the items above adds a layer of protection that, when put together, shields and secures the Domain Admin accounts in your domains.