Admin rights

Question

Admin rights

HASSAN BIN NASIR DAR 396

Hi all

An administrator credential is to take control of a workstation in the unsecure tiers and expect that an administrator will connect to it.

An attack such as credential theft or kerberos delegation is then performed.

To reduce the impact of such compromise, the best practice is to isolate components (such as admins, DC) in tiers.

Typically, a domain admin should not be allowed to connect to any workstation but login only to perform highly privileged operations.

How would you prevent highly privileged admins (Tier 0) from accessing non-privileged resources?

How will admins access non-privileged resources?

Reza-Ameri 45,821 Reputation points Volunteer Moderator

2023-03-25T16:43:54.6566667+00:00

I believe you are referring to the case to prevent the administrator to connect remotely and should be physically present in the server to perform tasks or should be within the company's trusted domain. Is that correct?
HASSAN BIN NASIR DAR 396 Reputation points

2023-03-26T13:05:58.98+00:00

To be honest, I could not understand this scenerio. This is interview case.

I am adding one more line for this scenerio.

"No GPO preventing the logon of administrators has been found"

1 answer

Your answer

Reza-Ameri 45,821 Reputation points Volunteer Moderator

2023-03-25T16:43:54.6566667+00:00

I believe you are referring to the case to prevent the administrator to connect remotely and should be physically present in the server to perform tasks or should be within the company's trusted domain. Is that correct?
HASSAN BIN NASIR DAR 396 Reputation points

2023-03-26T13:05:58.98+00:00

To be honest, I could not understand this scenerio. This is interview case.

I am adding one more line for this scenerio.

"No GPO preventing the logon of administrators has been found"

Answer 1

if this is the case without any GPO

you need to configure the local security policy at each workstation

maybe you can use a PowerShell script like the following

please do not use the powershell directly modify according to your requirements


$DomainAdminGroup = "YourDomain\Domain Admins"

$Workstations = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*" -and OperatingSystem -notlike "*Server*"'

foreach ($Workstation in $Workstations) {
    $ComputerName = $Workstation.Name

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($DomainAdminGroup)

        $LocalPolicyPath = "HKLM:\System\CurrentControlSet\Control\Lsa\"

        $LogonRights = Get-ItemProperty -Path $LocalPolicyPath -Name "SeDenyInteractiveLogonRight"
        $RemoteLogonRights = Get-ItemProperty -Path $LocalPolicyPath -Name "SeDenyRemoteInteractiveLogonRight"

        $LogonRightsArray = $LogonRights.SeDenyInteractiveLogonRight
        $RemoteLogonRightsArray = $RemoteLogonRights.SeDenyRemoteInteractiveLogonRight

        if (-not $LogonRightsArray.Contains($DomainAdminGroup)) {
            $LogonRightsArray += $DomainAdminGroup
            Set-ItemProperty -Path $LocalPolicyPath -Name "SeDenyInteractiveLogonRight" -Value $LogonRightsArray
        }

        if (-not $RemoteLogonRightsArray.Contains($DomainAdminGroup)) {
            $RemoteLogonRightsArray += $DomainAdminGroup
            Set-ItemProperty -Path $LocalPolicyPath -Name "SeDenyRemoteInteractiveLogonRight" -Value $RemoteLogonRightsArray
        }
    } -ArgumentList $DomainAdminGroup
}

HASSAN BIN NASIR DAR 396 Reputation points

2023-03-26T23:17:23.6066667+00:00

Hi,

If we have 50 workstations then we have to go on each workstation one by one?

What is the solution of second question?

regards
Sedat SALMAN 14,455 Reputation points MVP

2023-03-27T05:28:04.2733333+00:00

please modify powershell accordingly

powershell is an example to show to run command on multiple computers at the same time

Share via

Admin rights

1 answer

Your answer