Tuesday 22 July 2014

Creating a New User Account with Domain Admins Credentials

If you do not already have a user account that is a member of the Domain Admins group, other than the default Administrator account, create one that you will use to perform the tasks in this guide. As the administrator of your network, you will use this new account only when you need to perform tasks that require Domain Admin credentials. Do not remain logged on with this account after you finish performing these tasks. If the computer contracts a virus while a domain administrator is logged on, the virus runs in the context of that domain administrator. In this way, the virus could use the administrator's privileges to infect the workstation and the rest of the network. Create another user account for data management and day-to-day use such as running Microsoft Office and sending and receiving e-mail, but do not add that user account to the Domain Admins group. Secure practices for creation and use of administrative accounts are described later in this paper.

Requirements

  • Credentials: Domain Admins (if this is the first administrative account you have created, log on by using the default Administrator account)
  • Tools: Active Directory Users and Computers
  • To create a new user account with Domain Admins credentials
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
      Note: Screenshots in this document reflect a test environment and the information might differ from the information displayed on your computer.
    2. Right-click the Users container, click New, and then click User.
    3. Type the First name, Last name, and User logon name, and then click Next. As shown in the example, you might want to follow a naming convention for your administrative accounts. For example, you might decide to append "-ALT" to the name of the administrative user to arrive at the logon name for the administrative account.
    4. Type and confirm the user password, clear the User must change password at next logon check box, and then click Next.
    5. Review the account information and then click Finish.
    6. With the Users container selected, in the details pane (right pane), double-click the Domain Admins group.
    7. Click the Members tab.
    8. Click Add and then, in the Select Users, Contacts, or Computers dialog box, type the user logon name of the administrative account you just created, and then click OK.
    9. Verify that your new account appears as a member of the Domain Admins group.
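
A read-only review of Domain Admins membership, added here as an example and not part of the original guide. It assumes the ActiveDirectory PowerShell module (RSAT), a single domain, and the "-ALT" suffix convention mentioned in step 3; the function name is hypothetical.

```powershell
# Added example: list every user that holds Domain Admins rights and flag
# accounts that do not follow the administrative naming convention.
Import-Module ActiveDirectory

function Get-DomainAdminReview {
    param([string]$Suffix = '-ALT')   # assumed convention, taken from step 3

    $domainSid = (Get-ADDomain).DomainSID.Value

    # Domain Admins always has RID 512, whatever the group is named.
    Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties LastLogonDate, PasswordLastSet
            New-Object psobject -Property @{
                SamAccountName  = $u.SamAccountName
                IsDefaultAdmin  = ($u.SID.Value -eq "$domainSid-500")
                FollowsNaming   = ($u.SamAccountName -like "*$Suffix")
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}

$review = @(Get-DomainAdminReview)

# Step 9: the new account should be listed here.
$review | Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, FollowsNaming, LastLogonDate -AutoSize

# Day-to-day accounts should never appear in this group.
$review | Where-Object { -not $_.IsDefaultAdmin -and -not $_.FollowsNaming } |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName) is a Domain Admin but does not use the $('-ALT') naming convention"
    }
```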

Protecting the Administrator Account

Every installation of Active Directory has an account named Administrator in each domain. This account cannot be deleted or locked out. In Windows Server 2003, the Administrator account can be disabled, but it is automatically re-enabled when you start the computer in Safe Mode.
A malicious user attempting to break into a system would typically start by trying to obtain the password for the all-powerful Administrator account. For this reason, rename it and change the text in the Description to eliminate anything that indicates that this is the Administrator account. In addition, create a decoy user account called Administrator that has no special permissions or user rights.
Always give the Administrator account a long, complex password. Use different passwords for the Administrator and DS Restore Mode Administrator accounts. For more information about creating complex passwords, see "Selecting Secure Passwords" in the Security Guidance Kit.

Renaming the Default Administrator Account

This procedure removes any obvious information that can alert attackers that this account has elevated privileges. Although an attacker that discovered the default Administrator account would still need the password to use it, renaming the default Administrator account adds an additional layer of protection against elevation of privilege attacks. Use a fictitious first and last name, in the same format as your other user names. Do not use the fictitious name shown in the example below.
Requirements
  • Credentials: Domain Admins
  • Tools: Active Directory Users and Computers
  • To rename the default Administrator account
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. In the console tree (left pane), click Users.
    3. In the details pane (right pane), right-click Administrator, and then click Rename.
    4. Type the fictitious first and last name and press Enter.
    5. In the Rename User dialog box, change the Full name, First name, Last name, Display name, User logon name, and User logon name (pre-Windows 2000) values to match your fictitious account name, and then click OK.
    6. In the details pane (right pane), right-click the new name, and then click Properties.
    7. On the General tab, delete the Description "Built-in account for administering the computer/domain" and type in a description to resemble other user accounts (for many organizations, this will be blank).
    8. On the Account tab, verify that the logon names are correct.
      Note: This procedure changes only the default Administrator account's logon name and account details, which someone can see if they manage to enumerate a list of accounts on your system. This procedure does not affect the ability to use the DS Restore Mode Administrator account to start Directory Services Restore Mode, as they are two different accounts.

Creating a Decoy Administrator Account

This procedure adds an additional layer of protection when you hide the default Administrator account. An attacker planning a password attack on the Administrator account can be fooled into attacking an account with no special privileges.
Requirements
  • Credentials: Domain Admins
  • Tools: Active Directory Users and Computers
  • To create a decoy Administrator account
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. Right-click the Users container, click New, and then click User.
    3. In First name and User logon name, type Administrator and then click Next.
    4. Type and confirm a password.
    5. Clear the User must change password at next logon check box.
    6. Verify that the decoy account is created and click Finish.
    7. In the details pane (right pane), right-click Administrator, and then click Properties.
    8. On the General tab, in the Description box, type Built-in account for administering the computer/domain, and then click OK.

Securing the Guest Account

The Guest account allows users who do not have an account in your domain to log on to the domain as a guest. This account is disabled by default, and should remain disabled, but hiding the account adds an additional layer of protection against unauthorized access. Use a fictitious first and last name, in the same format as your other user names.

Requirements

  • Credentials: Domain Admins
  • Tools: Active Directory Users and Computers
  • To rename the Guest account
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. In the console tree (left pane), click Users.
    3. In the details pane (right pane), right-click Guest, and then click Rename.
    4. Type the fictitious first and last name and press Enter.
    5. Right-click the new name, and then click Properties.
    6. On the General tab, delete the Description "Built-in account for guest access to the computer/domain" and type in a description to resemble other user accounts (for many organizations, this will be blank).
    7. In the First name and Last name boxes, type the fictitious names.
    8. On the Account tab, type a new User logon name, using the same format you use for your other user accounts, for example, first initial and last name.
    9. Type this same new logon name in the User logon name (pre-Windows 2000) box, and then click OK.
    10. Verify that the account is disabled. The icon should appear with a red X over it. If it is enabled, right-click the new name, and then click Disable Account.
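
A read-only check that the three procedures above (renaming Administrator, creating the decoy, securing Guest) were carried out, added here as an example and not part of the original guide. It assumes the ActiveDirectory PowerShell module (RSAT); the function name is hypothetical.

```powershell
# Added example: audit the built-in account hardening described above.
Import-Module ActiveDirectory

function Test-BuiltinAccountHardening {
    $sid      = (Get-ADDomain).DomainSID.Value
    $props    = 'Description', 'Enabled', 'MemberOf', 'PrimaryGroupID'
    $findings = @()

    # Built-in accounts keep their well-known RIDs after a rename:
    # 500 = Administrator, 501 = Guest.
    $admin = Get-ADUser -Identity "$sid-500" -Properties $props
    $guest = Get-ADUser -Identity "$sid-501" -Properties $props

    if ($admin.SamAccountName -eq 'Administrator') {
        $findings += 'RID 500 account is still named Administrator'
    }
    if ($admin.Description -like 'Built-in account*') {
        $findings += 'RID 500 account still carries the default description'
    }
    if ($guest.SamAccountName -eq 'Guest') {
        $findings += 'RID 501 account is still named Guest'
    }
    if ($guest.Description -like 'Built-in account*') {
        $findings += 'RID 501 account still carries the default description'
    }
    if ($guest.Enabled) {
        $findings += 'RID 501 (Guest) account is enabled'
    }

    # The decoy is any account named Administrator that is not RID 500.
    $decoy = Get-ADUser -Filter "SamAccountName -eq 'Administrator'" -Properties $props |
        Where-Object { $_.SID.Value -ne "$sid-500" }

    if (-not $decoy) {
        $findings += 'No decoy account named Administrator exists'
    } else {
        # A new user belongs only to Domain Users (primary group RID 513).
        if ($decoy.MemberOf.Count -gt 0 -or $decoy.PrimaryGroupID -ne 513) {
            $findings += 'Decoy Administrator belongs to groups other than Domain Users'
        }
        if ($decoy.Description -notlike 'Built-in account for administering*') {
            $findings += 'Decoy Administrator lacks the built-in account description'
        }
    }
    $findings
}

Test-BuiltinAccountHardening | ForEach-Object { Write-Warning $_ }
```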

Strengthening Security on Service Administration Accounts and Groups

Creating a controlled organizational unit (OU) subtree in Active Directory and configuring it with its recommended security settings can help provide a more secure environment for service administrator accounts and workstations.
OUs are containers within domains that can contain other OUs, users, groups, computers, and other objects. These OUs and sub-OUs form a hierarchical structure within a domain, and are primarily used to group objects for management purposes.
By creating a subtree containing all service administrator accounts and the administrative workstations that they use, you can apply specific security and policy settings to maximize their protection.
To create the controlled subtree, perform the following tasks:
  1. Create the OU structure for the controlled subtree.
  2. Set the permissions on the controlled subtree OUs.
  3. Move service administrator groups to the controlled subtree.
  4. Move service administrator user accounts to the controlled subtree.
  5. Move service administrator workstation accounts to the controlled subtree.
  6. Enable auditing on the controlled subtree OUs.

Creating the OU Structure for the Controlled Subtree

To create the subtree, create three OUs:
  • Service Admins, under the domain root, to hold the following two sub-OUs
    • Users and Groups, to hold administrative user and group accounts.
    • Admin Workstations, to hold administrative workstations.
Requirements
  • Credentials: Domain Admins
  • Tools: Active Directory Users and Computers
  • To create the OU structure for the controlled subtree
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. In the console tree (left pane), right-click the domain name, point to New, and then click Organizational Unit.
    3. In the Name box, type Service Admins and click OK.
    4. In the console tree (left pane), right-click Service Admins, point to New, and then click Organizational Unit.
    5. In the Name box, type Users and Groups and click OK.
    6. In the console tree (left pane), right-click Service Admins, point to New, and then click Organizational Unit.
    7. In the Name box, type Admin Workstations and click OK.
    8. Verify that your OU hierarchy resembles the following structure, with Service Admins at the level under the domain name, and Users and Groups and Admin Workstations at the level under Service Admins.
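
The same OU structure created and verified from PowerShell, added here as an example and not part of the original guide. It assumes the ActiveDirectory module (RSAT) and a Domain Admins session; `New-OuIfMissing` is a hypothetical helper.

```powershell
# Added example: scripted equivalent of steps 2-8 above.
Import-Module ActiveDirectory

function New-OuIfMissing {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Path
    )
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                -SearchBase $Path -SearchScope OneLevel
    if (-not $found) {
        # New-ADOrganizationalUnit protects the OU from accidental deletion
        # by default, which adds an explicit Deny entry to its permissions.
        New-ADOrganizationalUnit -Name $Name -Path $Path
    }
    "OU=$Name,$Path"   # distinguished name of the (existing or new) OU
}

$domainDN = (Get-ADDomain).DistinguishedName
$expected = 'Users and Groups', 'Admin Workstations'

# Service Admins sits directly under the domain root.
$root = New-OuIfMissing -Name 'Service Admins' -Path $domainDN
foreach ($name in $expected) {
    $null = New-OuIfMissing -Name $name -Path $root
}

# Step 8: confirm the hierarchy matches the intended structure exactly.
$children = Get-ADOrganizationalUnit -Filter * -SearchBase $root -SearchScope OneLevel |
    Select-Object -ExpandProperty Name

$expected | Where-Object { $children -notcontains $_ } |
    ForEach-Object { Write-Warning "Missing sub-OU under Service Admins: $_" }

$children | Where-Object { $_ -and ($expected -notcontains $_) } |
    ForEach-Object { Write-Warning "Unexpected sub-OU under Service Admins: $_" }
```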

Setting the Permissions on the Controlled Subtree OUs

Doing the following can help limit access to the controlled subtree so that only service administrators can administer the membership of service administrator groups and workstations:
  • Block inheritance of permissions on the Service Admins OU so that inheritable permission changes that are made higher up in the domain tree are not inherited down, altering the locked-down settings.
  • Set the permissions on the Service Admins OU.
Requirements
  • Credentials: Domain Admins
  • Tools: Active Directory Users and Computers

  • To set permissions on the Service Admins OU
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. On the View menu, select Advanced Features.
    3. Right-click the Service Admins OU, and then click Properties.
    4. On the Security tab, click Advanced to view all of the permission entries that exist for the OU.
    5. Clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here check box.
    6. In the Security dialog box, click Remove. This removes the permissions that were inherited from the domain.
    7. Remove the remaining permissions. Select all the remaining permission entries and then click Remove.
    8. For each group listed in the Name column of the table below, add a permission entry to agree with the Access and the Applies to columns as shown in the table. To add an entry, click Add, then in the Select User, Computer, or Group dialog box, click Advanced. In the expanded dialog box, click Find Now. In the search results box, select the group name and click OK twice. This brings up the Permission Entry dialog box, where you can select the Access and Applies To items to agree with the table.
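
A read-only check of the result of steps 5 through 8, added here as an example and not part of the original guide. It confirms that inheritance is blocked on the Service Admins OU and lists the explicit entries so they can be compared by hand with the guide's permission table, which is not reproduced on this page. It assumes the ActiveDirectory module (RSAT), which provides the `AD:` drive; the function name is hypothetical.

```powershell
# Added example: summarize the ACL on the Service Admins OU.
Import-Module ActiveDirectory

function Get-OuAclSummary {
    param([Parameter(Mandatory = $true)][string]$OuDN)

    $acl      = Get-Acl -Path "AD:\$OuDN"
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $inherit  = @($acl.Access | Where-Object { $_.IsInherited })

    New-Object psobject -Property @{
        OU                 = $OuDN
        # True when the "Allow inheritable permissions..." box is cleared.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        InheritedCount     = $inherit.Count
        ExplicitEntries    = $explicit
    }
}

$ou      = "OU=Service Admins,$((Get-ADDomain).DistinguishedName)"
$summary = Get-OuAclSummary -OuDN $ou

if (-not $summary.InheritanceBlocked) {
    Write-Warning "Inheritance is still enabled on $ou (step 5 not applied)"
}
if ($summary.InheritedCount -gt 0) {
    Write-Warning "$($summary.InheritedCount) inherited entries remain on $ou (step 6 not applied)"
}

# Explicit entries: Name, Access and Applies to, for manual comparison.
$summary.ExplicitEntries |
    Select-Object IdentityReference, AccessControlType,
                  ActiveDirectoryRights, InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```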
