Principle of Least Privilege

Attacks are becoming more sophisticated and, above all, more targeted. Implementing the Principle of Least Privilege in Active Directory limits what an attacker gains from any single compromised account, because no account has more rights than its role needs. The Principle of Least Privilege states that a subject should be given only those privileges it needs to complete its task.

User

Step 1

Create these Users and Groups in AD:

DA - Domain Admin
SA - Server Admin
CA - Client Admin

  • separate CA-, SA- and DA- users, one per tier, kept apart from the administrator's normal account (example: CA-hs2n)
  • the groups gg_ServerAdmin and gg_ClientAdmin

Step 2

Assignment:

  • CA-user: member of gg_ClientAdmin
  • SA-user: member of gg_ServerAdmin
  • DA-user: member of Domain Admins
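Steps 1 and 2 as one PowerShell script. This is an added example, not code from the original page: it assumes the RSAT ActiveDirectory module, a session with Domain Admin rights, and an OU named "Admins" directly under the domain root where the new accounts and groups are placed; the suffix hs2n is the page's example administrator name.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module and a
# session with Domain Admin rights. Assumptions: an OU "Admins" directly under the domain
# root already exists; 'hs2n' is the administrator's short name as in the page's CA-hs2n.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$adminOU = "OU=Admins,$($domain.DistinguishedName)"   # assumed to exist
$suffix  = 'hs2n'

# The two lower-tier global groups; "Domain Admins" already exists.
foreach ($g in 'gg_ServerAdmin', 'gg_ClientAdmin') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $adminOU
    }
}

# One dedicated account per tier, kept apart from the person's daily-work account.
$tiers = [ordered]@{
    'DA' = 'Domain Admins'
    'SA' = 'gg_ServerAdmin'
    'CA' = 'gg_ClientAdmin'
}
foreach ($tier in $tiers.Keys) {
    $sam = "$tier-$suffix"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pw = Read-Host -AsSecureString "Initial password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$($domain.DNSRoot)" -Path $adminOU `
            -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
    # Only add the membership if it is not there yet, so the script can be re-run safely.
    if (-not (Get-ADGroupMember -Identity $tiers[$tier] | Where-Object SamAccountName -eq $sam)) {
        Add-ADGroupMember -Identity $tiers[$tier] -Members $sam
    }
}

# Check: each account should be in exactly its own tier group (plus Domain Users).
foreach ($tier in $tiers.Keys) {
    $sam = "$tier-$suffix"
    "{0,-8} -> {1}" -f $sam, ((Get-ADPrincipalGroupMembership -Identity $sam).Name -join ', ')
}
```

The final loop is the check worth keeping: a DA- account that also shows up in gg_ClientAdmin, or an SA- account in Domain Admins, defeats the tiering before any policy is applied.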

Step 3

Create a ClientAdmin policy, or, if you imported a policy, edit the one for gg_ClientAdmin.

Link the policy to all your client organisational units.

For testing purposes do NOT enable the option "Remove Members: Domain-Admins" in the first step. After you have made sure that the policy works correctly and that you can access the clients with the CA-admin users you created before, edit the policy and add the option "Remove Members: Domain-Admins". Until that option is in place, Domain Admins stay in the local Administrators group, so a mistake in the policy cannot lock you out of the clients.

IMPORTANT:

By default, the computer objects of newly joined machines are created in the "Computers" container.
THIS IS NOT AN OU, IT IS A CONTAINER (CN=Computers)!
A Group Policy can only be linked to sites, domains and OUs, not to a container, so machines that land there receive none of the policies above. You have to create a new OU and make it the default location for newly joined computer objects. To do so, start PowerShell as an administrator on a domain controller:

Admin Powershell

Use the following commands:

redircmp <DN of the new OrganisationUnit>

redircmp "OU=NewComputer,DC=Testdomain,DC=local"

To check the default path, use the following command; ComputersContainer must now show the new OU instead of CN=Computers:

Get-ADDomain | fl Computer*, User*
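The redirect and its check as one script, so the result is verified rather than assumed. This is an added example, not from the original page; it takes the OU name "NewComputer" from the page, reads the domain DN from the directory instead of hard-coding DC=Testdomain,DC=local, and must run elevated on a domain controller (redircmp.exe ships with the AD DS role).

```powershell
# Added example, not from the original page. Run in an elevated PowerShell on a domain
# controller. The OU name "NewComputer" is taken from the page; the domain DN is read
# from the directory rather than hard-coded.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'NewComputer'
$ouDN     = "OU=$ouName,$domainDN"

# Create the OU if it does not exist yet (protected, so it cannot be deleted by accident).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Point the domain's default computer location at the OU. redircmp rewrites the
# wellKnownObjects attribute on the domain object; quote the DN in case it contains spaces.
redircmp "$ouDN"
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# Check: Get-ADDomain must now report the OU, not CN=Computers. If this query hits a
# different DC than redircmp did, allow for replication before treating a mismatch as an error.
$current = (Get-ADDomain).ComputersContainer
if ($current -ne $ouDN) { throw "Default container is still $current" }
"New computer objects will be created in: $current"
```

Machines that were joined before the redirect are still in CN=Computers; move them into a client or server OU by hand, otherwise they never receive the tier policies.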


Step 4

Create a ServerAdmin policy, or, if you imported a policy, edit the one for gg_ServerAdmin.

Link the policy to all your server organisational units (not to the client OUs, which get the ClientAdmin policy from Step 3).

For testing purposes do NOT enable the option "Remove Members: Domain-Admins" in the first step. After you have made sure that the policy works correctly and that you can access your servers with the SA-admin users you created before, edit the policy and add the option "Remove Members: Domain-Admins".
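Steps 3 and 4 share the same mechanics: a GPO per tier, linked to the OUs of the machines that tier administers, then a check on a machine that the local Administrators group looks as intended. The script below is an added example and not code from the original page. It assumes workstations live below OU=Clients and member servers below OU=Servers, both directly under the domain root, and the GPO names are hypothetical; the Restricted Groups settings themselves (adding the tier group, later "Remove Members: Domain-Admins") are configured afterwards in the Group Policy Management Editor.

```powershell
# Added example, not from the original page. Assumptions: OU=Clients and OU=Servers directly
# under the domain root; hypothetical GPO names; membership settings are edited in GPMC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$plan = @(
    @{ Gpo = 'gg_ClientAdmin-LocalAdmins'; Root = "OU=Clients,$domainDN" },
    @{ Gpo = 'gg_ServerAdmin-LocalAdmins'; Root = "OU=Servers,$domainDN" }
)

foreach ($p in $plan) {
    $gpo = Get-GPO -Name $p.Gpo -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $p.Gpo -Comment 'Local Administrators membership per tier' }

    # Link once at the top OU; child OUs inherit the link.
    $linked = (Get-GPInheritance -Target $p.Root).GpoLinks.DisplayName
    if ($linked -notcontains $gpo.DisplayName) {
        New-GPLink -Name $gpo.DisplayName -Target $p.Root -LinkEnabled Yes | Out-Null
    }

    # A child OU with "Block Inheritance" would silently escape the policy; report those.
    Get-ADOrganizationalUnit -SearchBase $p.Root -SearchScope Subtree -Filter * |
        Where-Object { (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked } |
        ForEach-Object { Write-Warning "Inheritance blocked on $($_.DistinguishedName); link $($gpo.DisplayName) there too" }
}

# Verification, run ON a client or server after 'gpupdate /force'. Before the "Remove Members"
# step both the tier group and Domain Admins are expected; afterwards only the tier group.
function Test-TierLocalAdmins {
    param([string[]]$Expected, [string[]]$Forbidden = @())
    $members = (Get-LocalGroupMember -Group Administrators).Name
    $missing = @($Expected  | Where-Object { $members -notcontains $_ })
    $present = @($Forbidden | Where-Object { $members -contains $_ })
    [pscustomobject]@{
        Missing          = $missing
        ForbiddenPresent = $present
        Ok               = ($missing.Count -eq 0 -and $present.Count -eq 0)
    }
}
# On a client, final state (NetBIOS domain name taken from the logged-on domain user):
# Test-TierLocalAdmins -Expected "$env:USERDOMAIN\gg_ClientAdmin" -Forbidden "$env:USERDOMAIN\Domain Admins"
```

Run Test-TierLocalAdmins on at least one client and one server before enabling the "Remove Members" option; a server that reports gg_ClientAdmin in its Administrators group means a link went to the wrong OU.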


Step 5

To make sure that the previously created users can only log on to their intended devices (servers, DCs, clients):

  • DA-users: only allowed to log on to DCs, not to other servers, not to clients
  • SA-users: only allowed to log on to servers, not to DCs, not to clients
  • CA-users: only allowed to log on to clients, not to DCs, not to servers

We have to apply the following GPOs. Each one denies logon (typically through the user rights "Deny log on locally" and "Deny log on through Remote Desktop Services") to the tiers that must not log on to that class of machine, and is therefore linked only to the OUs of the machines the tier must NOT reach. Test each GPO on a single OU first: a deny right linked to the wrong OU locks out the very tier that should administer those machines.

  1. For DA-users


Link this GPO to all OUs with client computer objects and member server objects (never to the Domain Controllers OU).

  2. For SA-users


Link this GPO to all OUs with client computer objects and to the Domain Controllers OU.

  3. For CA-users:


Link this GPO to the Domain Controllers OU and to all OUs with member server objects.
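A check for Step 5 that runs on the machine itself rather than trusting the GPO links: it exports the effective local security policy with secedit, resolves the SIDs in the two deny-logon rights, and reports whether the tiers that must not log on to this class of machine are actually denied. This is an added example, not from the original page. It assumes the group names from the page, the mapping of tiers to machine classes from the list above, that the script runs elevated as a domain user (the NetBIOS domain name is taken from $env:USERDOMAIN), and that gpupdate has run.

```powershell
# Added example, not from the original page. Run elevated (secedit needs it) as a domain
# user on a client, member server or DC after 'gpupdate /force'.
function Get-DenyLogonRights {
    # Export only the user-rights area and parse the [Privilege Rights] lines, e.g.
    #   SeDenyInteractiveLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-1105
    $inf = Join-Path $env:TEMP 'secpol-userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Split(',') | ForEach-Object {
                $id = $_.Trim().TrimStart('*')
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier $id).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $id }   # unresolvable SID (e.g. deleted group): keep the raw value
            })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $rights
}

function Test-TierLogonRestriction {
    param([ValidateSet('Client', 'MemberServer', 'DomainController')][string]$Role)
    $dom = $env:USERDOMAIN   # assumption: running as a user of the machine's own domain
    # Tiers that must NOT be able to log on to this class of machine (from the page's list).
    $deny = switch ($Role) {
        'Client'           { "$dom\Domain Admins", "$dom\gg_ServerAdmin" }
        'MemberServer'     { "$dom\Domain Admins", "$dom\gg_ClientAdmin" }
        'DomainController' { "$dom\gg_ServerAdmin", "$dom\gg_ClientAdmin" }
    }
    $rights = Get-DenyLogonRights
    foreach ($group in $deny) {
        foreach ($r in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
            [pscustomobject]@{ Group = $group; Right = $r; Denied = ($rights[$r] -contains $group) }
        }
    }
}
# Example on a workstation; every row must show Denied = True:
# Test-TierLogonRestriction -Role Client | Format-Table -AutoSize
```

A row with Denied = False after gpupdate usually means the GPO is linked to an OU the machine is not in (for instance a computer still sitting in CN=Computers), or that the deny right was set for the group's display name instead of the group itself.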

LAPS