Just a quick question. I've recently found quite bad overuse of domain admin privileges across our network by admins. I've performed a PoC using Incognito and successfully added a new account, from a standard account, into Domain Admins via tokens.
I've read the paper for this, as included in the Unleashed/BT type materials, so I will be trying to implement better policy to control overuse and highlight the dangers and why Domain Admins membership needs reducing.
I'm currently going through a best-practice Windows 7 hardening document, and it mentions using User Account Control (UAC).
Would this be a mitigation or risk reduction for an attack like Incognito? My feeling is it could help remove the dash attitude of just logging in as admin, and therefore reduce the number of tokens hanging around.
Granted, the real problem is a culture shift and AD structure/least-privilege permissions themes, but it's still useful.
Any opinions or experiences welcome...
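As an added example (not part of the original post or any reply), the following PowerShell script checks the two things the post is weighing: whether UAC is actually configured the way a Windows 7 hardening baseline expects, and who currently sits in Domain Admins. The registry path and value names are the documented UAC policy settings; the "expected" values are the usual hardened baseline and are an assumption you should align with your own document. The Domain Admins check assumes the RSAT ActiveDirectory module is installed on the box it runs from.

```powershell
# Added example, not code from the original post.
# Checks UAC policy values against a hardened baseline and lists effective
# Domain Admins membership (nested groups expanded) as a starting point for
# trimming it. Assumes a domain-joined host with the RSAT ActiveDirectory module.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed hardened baseline (adjust to your own hardening document):
#   EnableLUA                  = 1  UAC on; admins get a filtered token by default
#   ConsentPromptBehaviorAdmin = 2  prompt for consent on the secure desktop (0 = never notify)
#   PromptOnSecureDesktop      = 1  elevation prompts on the secure desktop
#   FilterAdministratorToken   = 1  built-in Administrator also runs with a filtered token
$expected = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
    FilterAdministratorToken   = 1
}

function Test-UacPolicy {
    $props = Get-ItemProperty -Path $uacKey
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) { $actual = '(not set)' }   # missing value = OS default, treat as a finding
        $status = if ("$actual" -eq "$($expected[$name])") { 'OK' } else { 'WEAK' }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $expected[$name]
            Status   = $status
        }
    }
}

function Get-DomainAdminAudit {
    Import-Module ActiveDirectory -ErrorAction Stop
    # -Recursive expands nested groups, which is where quiet DA membership usually hides.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, Enabled |
        Select-Object SamAccountName, Enabled, LastLogonDate |
        Sort-Object LastLogonDate
}

Test-UacPolicy | Format-Table -AutoSize
Get-DomainAdminAudit | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output. UAC only filters the token of an interactive logon: once an admin clicks through the consent prompt, a full-privilege token exists in that session just as before, and tokens created by services, scheduled tasks or network logons are never filtered at all. And Incognito-style token theft already requires local admin or SYSTEM on the host, so UAC mainly reduces how often a full DA token is sitting on a workstation to be stolen, rather than stopping the impersonation itself. That is consistent with treating it as risk reduction alongside cutting group membership, not as a substitute for it.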