The world's most trusted forum on Active Directory Security

Posts: 1
Date: Aug 5, 2013
Reducing Privileges in Active Directory

Hello Forum,

We are a medium-sized organization that just finished conducting a thorough Active Directory access/privilege audit, and based on our findings, are in the midst of trying to reduce privileges in our Active Directory.

Based on our audit findings, we found that the single biggest risk to our Active Directory deployment was from undocumented administrative privileges in our Active Directory, which were never intended to be given to certain IT personnel, but have been given nonetheless, mostly due to nested group memberships assignments that we are not always able to see.

We have identified that there are about 30% more accounts with administrative privilege than we expected there to be based on our policy/intentions. The individuals who make up this 30% are low-level delegated admins, particularly in regional offices, who somehow or other have been found to have varying levels of administrative access on some of our critical admin accounts and groups.

For example, one of the individuals on this list has the ability to modify the membership of the Builtin Administrators group, whereas another individual was found to have the ability to reset the password of one of our Domain Admin accounts. Similarly, we found that at least half a dozen such individuals had the ability to "Modify Permissions" on the AdminSDHolder object, which would give them the ability to modify the privileges of virtually any admin account and group.

We are thus struggling with figuring out how to reduce these "administrative" privileges for these individuals, and do so in a way that does not disrupt access for other legitimate users. The challenge we are faced with is trying to figure out HOW these accounts have the access we are seeing. (Once we know the HOW, it should be relatively easy to lock down their privileges.)

We have spent a great deal of time and effort in trying to perform this access audit, and so have a lot of invested resources into this project. In order to derive maximum value out of the project, we need to be able to demonstrate a reduction in privileges, so we need to know HOW these individuals have these privileges.

We're at a bit of a loss, and in retrospect, we wish we had identified the HOW as well during this laborious exercise (which took us weeks), but unfortunately that is not the case, and we cannot go back and do this again (as it is just way too much effort.)

Does anyone have any ideas as to how to figure this out?
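One way to answer the HOW question for a single sensitive object such as AdminSDHolder, added here as an example and not code from the original post: it reads the object's ACL, keeps only ACEs that grant control-changing rights, and expands each trustee's nested group membership so every resulting principal is listed with the chain of groups that conveys the right. It assumes the RSAT ActiveDirectory module and an account that can read the ACL; the function names and the $Dangerous list are my own choices.

```powershell
# Added example: map dangerous ACEs on one AD object back to the nested group
# chain that conveys them. Assumes the RSAT ActiveDirectory module is installed
# and the caller can read the object's ACL (names below are my own choices).
Import-Module ActiveDirectory
$Target = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
# Rights that let a trustee change who controls the object or its permissions.
# WriteProperty/ExtendedRight may be scoped to one attribute or one right
# (e.g. reset password); read them together with the ObjectType column.
$Dangerous = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight'

function Expand-Trustee {
    # Depth-first walk of nested group membership; emits one row per leaf
    # principal with the chain of groups leading from the trustee to it.
    param([string]$SamAccountName, [string[]]$Chain = @())
    if ($Chain -contains $SamAccountName) { return }        # circular nesting guard
    $safe = $SamAccountName.Replace("'", "''")
    $obj  = Get-ADObject -Filter "SamAccountName -eq '$safe'" -Properties objectClass, member
    if (-not $obj -or $obj.objectClass -ne 'group') {
        # Not a group, or not an AD object at all (e.g. NT AUTHORITY\SYSTEM): the right lands here.
        return [pscustomobject]@{ Principal = $SamAccountName; Via = ($Chain -join ' -> ') }
    }
    foreach ($dn in $obj.member) {
        $m  = Get-ADObject -Identity $dn -Properties sAMAccountName
        $id = if ($m.sAMAccountName) { $m.sAMAccountName } else { $dn }   # foreign principals
        Expand-Trustee -SamAccountName $id -Chain ($Chain + $SamAccountName)
    }
}

function Get-DangerousAces {
    param([string]$ObjectDN)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; ToString() gives "WriteDacl, WriteOwner".
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $Dangerous -contains $_ }
        if (-not $hit) { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]   # strip DOMAIN\ or BUILTIN\
        foreach ($row in Expand-Trustee -SamAccountName $name) {
            [pscustomobject]@{
                Right      = ($hit -join ',')
                ObjectType = $ace.ObjectType        # all-zero GUID means the whole object
                Trustee    = $ace.IdentityReference.Value
                Principal  = $row.Principal
                Via        = $row.Via
            }
        }
    }
}
Get-DangerousAces -ObjectDN $Target | Sort-Object Principal | Format-Table -AutoSize
```

Running the same function against the Builtin Administrators group DN and the Domain Admin account DNs covers the other two findings in the post, and the Via column is what you need to decide which group membership to remove without touching the other members of that group.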

