Segmentation at the Admin Level

The company is not a perfect fortress. Despite a wide range of measures, malware can still break in. Depending on the type of attack, you can suffer a short, hard punch, in which the attacker gets into the company, encrypts as much as they can in the shortest possible time, and demands a ransom, or a slow but steady settling in, wherein the attackers work their way up to the crown jewels of the company, including hijacking admin accounts. The slow approach is a means to an end that provides access to interesting targets.

Administrators need to change the way they work and recognize that, instead of wielding a master key for company IT, they need a key ring: It's all about delegation and tiering. At present, many admins still work with a domain admin account when carrying out their day-to-day business of accessing clients, servers and, of course, the domain controller. This account is very convenient, because domain admins are members of the local group of administrators on every Microsoft system by default user mapping. The members of the local groups on a system can be regulated by group policy. The scope of an administrative account must be kept as tight as possible.

If a client has been hacked and a highly privileged account logs on to this computer, the attacker can hijack the session or use a keylogger to capture the password. High-value admin accounts must therefore be denied login and access to compromised systems.

The first step is usually to break accounts down into client, server, and domain admins. A client admin authorized to manage all clients is still a potential target that is not much smaller than that of a domain admin. After all, they manage all the clients. The solution is to break the accounts down further to the level of individual systems. Microsoft offers the Local Administrator Password Solution (LAPS) for this purpose. From May 2015 to March 2023, an additional piece of software was required, but LAPS became a built-in system component in April 2023 [5] (Figure 2). The tool generates an individual password for a local admin account and documents it in the respective computer object in Active Directory (AD). The scope is therefore limited to the one client, and the password is only valid on the one machine.

Figure 2: Thanks to LAPS, admin passwords can no longer be stolen so easily from managed clients.

Likewise, not every administrator needs to have domain admin rights just because they have to add a computer to AD or reset a password. The directory has always allowed delegation, and consequently rights assignments, similar to the NTFS permissions in the filesystem – but in this case by way of organizational units in the form of levels and objects. Protecting accounts through this type of separation is essential and, incidentally, not a new idea [6]. Microsoft published two PDF files back in 2012 explaining the underlying technology and offering help with the necessary measures [7].

Conclusions

The safeguards for your network must be designed such that attackers are slowed, possibly losing interest, while you endeavor to identify attacks. Segmentation of administrative accounts goes hand in hand with network segmentation. The aim is to prevent lateral movement on a peer level and, above all, escalation into privileged areas. The Windows firewall can be a huge help in combination with group policies. If you manage to prevent a normal client from talking to other clients, then you have already gained a good deal of ground [8]. In addition to the major construction sites mentioned in this article, many other aspects also need to be considered, including patch management and employee training, along with rethinking backup strategies.