Title: How to protect Domain Admin?
Post by: Eleven on November 27, 2012, 08:47:02 PM

It seems the thing to do in detection nowadays is to sweep the network looking for bad guys by collecting data off individual computers in the network. For example, running various WMIC queries across a domain, with a domain admin account. But as you guys know, that's apparently not a good idea with Windows storing password hashes and even clear text passwords in memory. So how can those responsible for finding compromised boxes avoid giving attackers domain admin?

Title: Re: How to protect Domain Admin?
Post by: Dark_Knight on November 27, 2012, 08:57:00 PM

I knew I read about this somewhere before... have a look at this:
http://computer-forensics.sans.org/blog/2012/02/21/protecting-privileged-domain-account-safeguarding-password-hashes

Title: Re: How to protect Domain Admin?
Post by: Eleven on November 27, 2012, 09:01:45 PM

Wow, I guess I somehow missed that blog post... thanks. :)

Title: Re: How to protect Domain Admin?
Post by: ajohnson on November 27, 2012, 09:52:31 PM

For something like the scenario you mentioned, you should create a group that only has the permissions necessary to perform WMIC queries (or whatever it is you need to do). Then, create restricted user accounts and add them to that group as necessary. You don't need to be a domain admin to perform those types of activities. It's just easy and convenient to use domain admins for everything, and people are lazy.
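
Added example, not part of the thread: one way to set up the restricted group and account described in the last reply, so remote WMI queries run without domain admin rights. The domain EXAMPLE, the OU path, the group IR-WMI-Readers and the account svc-irsweep are hypothetical placeholders; it assumes Windows PowerShell 5.1, the ActiveDirectory (RSAT) module, and firewall rules that already allow remote WMI.

```powershell
# Added example. Domain, OU, group and account names are hypothetical placeholders.
# Assumes Windows PowerShell 5.1 with the ActiveDirectory (RSAT) module.
$domain = 'EXAMPLE'
$group  = 'IR-WMI-Readers'

# Part 1: run once from a management host with rights to create AD objects.
Import-Module ActiveDirectory
$ou = 'OU=Security,DC=example,DC=com'
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
New-ADUser -Name 'svc-irsweep' -SamAccountName 'svc-irsweep' -Path $ou -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Password for svc-irsweep')
Add-ADGroupMember -Identity $group -Members 'svc-irsweep'

# Part 2: run elevated on each machine to be swept, or deliver the same settings by GPO.
# Remote WMI rides on DCOM, so the group needs remote launch/activation rights.
Add-LocalGroupMember -Group 'Distributed COM Users' -Member "$domain\$group"

# Resolve the group's SID for the WMI namespace ACL entry.
$account = New-Object System.Security.Principal.NTAccount($domain, $group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current security descriptor of the root\cimv2 namespace.
$wmi = @{ Namespace = 'root\cimv2'; Path = '__SystemSecurity=@' }
$result = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$sd = $result.Descriptor

# Add one allow ACE unless the group already has an entry (keeps reruns idempotent).
if ($sd.DACL.Trustee.SidString -notcontains $sid) {
    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SidString = $sid
    $ace = (New-Object System.Management.ManagementClass('Win32_ACE')).CreateInstance()
    $ace.AccessMask = 0x21   # Enable Account (0x1) + Remote Enable (0x20), nothing else
    $ace.AceType    = 0      # access allowed
    $ace.AceFlags   = 0      # this namespace only, not inherited by sub-namespaces
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject

    $result = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor `
        -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
}
```

Some WMI providers apply their own access checks on top of the namespace ACL, so individual queries may still need additional narrowly scoped rights.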