« Previous 1 2 3
Protect privileged accounts in AD
Highly Confidential
Conclusions
Protected Users and authentication policies allow highly granular control of the user login for highly privileged accounts. Because these mechanisms act directly on the Kerberos protocol, they are more robust against unwanted changes than other approaches used to influence login behavior. Accounts are managed by the AD Management Center or PowerShell and are distinguished between User, Computer, and Service (gMSA) accounts.
Even these new ways of securing for highly privileged accounts do not relieve you of the responsibility of implementing the least privileges principle and carefully monitoring login behavior in your environment.
Infos
- gMSA: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
- klist: https://web.mit.edu/kerberos/krb5-devel/doc/user/user_commands/klist.html
- whoami documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Making Kerberoasting uneconomical
A method known as Kerberoasting is an exploitation technique of the Kerberos authentication protocol. We take a closer look at the available safeguards and detection measures against this attack. - Windows Update Causes Authentication Failures
-
Focusing on security in Active Directory
To prevent an intruder attack in Active Directory, Windows Server's security features along with freeware monitoring can save the day. -
New administration options on Windows Server 2016
Redmond is set to launch the next-generation Windows Server 2016. Microsoft promises to make administration more secure, which is a good enough reason to take a closer look at the new Privileged Access Management feature. -
Microsoft Network Policy Server
Redmond's RADIUS implementation connects systems and provides secure authorization and logging.