Protect privileged accounts in AD
Highly Confidential
Conclusions
Protected Users and authentication policies allow highly granular control of the user login for highly privileged accounts. Because these mechanisms act directly on the Kerberos protocol, they are more robust against unwanted changes than other approaches used to influence login behavior. Accounts are managed in the AD Management Center or with PowerShell, and a distinction is made between User, Computer, and Service (gMSA) accounts.
Even these new ways of securing highly privileged accounts do not relieve you of the responsibility for implementing the principle of least privilege and carefully monitoring login behavior in your environment.
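As a starting point for that monitoring, the following added example (not code from the article) lists enabled privileged accounts that are neither in Protected Users nor covered by an authentication policy or silo. It assumes the ActiveDirectory RSAT module is available and approximates "highly privileged" with `adminCount=1`, which is a choice made for this example; it only reads from the directory.

```powershell
# Added example: find privileged accounts that lack the protections discussed above.
Import-Module ActiveDirectory

# Distinguished names of all direct and nested members of Protected Users
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty distinguishedName

# Attributes that hold the assigned authentication policy / silo, plus last logon
$props = 'msDS-AssignedAuthNPolicy', 'msDS-AssignedAuthNPolicySilo', 'lastLogonTimestamp'

# Assumption: adminCount=1 marks accounts that are (or were) in protected admin groups
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties $props |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        [pscustomobject]@{
            Account       = $_.SamAccountName
            ProtectedUser = $protected -contains $_.DistinguishedName
            AuthNPolicy   = $_.'msDS-AssignedAuthNPolicy'
            AuthNSilo     = $_.'msDS-AssignedAuthNPolicySilo'
            # lastLogonTimestamp is replicated lazily, so treat it as approximate
            LastLogon     = if ($_.lastLogonTimestamp) {
                                [datetime]::FromFileTimeUtc($_.lastLogonTimestamp)
                            } else { $null }
        }
    } |
    # Report accounts missing Protected Users membership or any policy/silo assignment
    Where-Object { -not $_.ProtectedUser -or -not ($_.AuthNPolicy -or $_.AuthNSilo) } |
    Sort-Object Account |
    Format-Table -AutoSize
```

An empty result means every enabled `adminCount=1` account is both a Protected Users member and assigned to a policy or silo; stale `adminCount` values on former administrators will also appear and are worth cleaning up.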
Infos
- gMSA: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
- klist: https://web.mit.edu/kerberos/krb5-devel/doc/user/user_commands/klist.html
- whoami documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami