securing active directory administrative groups and accounts

7/30/2019 Securing Active Directory Administrative Groups and Accounts

1/27

Securing Active Directory Administrative

Groups and Accounts

55 out of 66 rated this helpful -Rate this topic

On This Page

Introduction

Before You Begin

Creating a New User Account with Domain Admins CredentialsProtecting the Administrator Account

Securing the Guest Account

Strengthening Security on Service Administration Accounts and Groups

Establishing Best Practices for Use of Administrative Accounts and GroupsRelated Information

Introduction

An important part of securing your network is managing the users and groups that have

administrative access to the Active Directory directory service. Malicious individuals who obtain

administrative access to Active Directory domain controllers can breach the security of yournetwork. These individuals might be unauthorized users who have obtained administrative

passwords, or they might be legitimate administrators who are coerced or disgruntled.

Furthermore, not all problems are caused with malicious intent. A user who is grantedadministrative access might also inadvertently cause problems by failing to understand the

ramifications of configuration changes. For these reasons, it is important to carefully manage theusers and groups that have administrative control over domain controllers.

The default Microsoft Windows Server 2003 security settings are sufficient to secure Active

Directory accounts against many types of threats. However, some default settings foradministrative accounts can be strengthened to enhance the level of security of your network.

This guide contains step-by-step instructions that show you how to:

Create a new user account with Domain Admins credentials Protect the default Administrator account Secure the Guest account Strengthen security on service administration accounts and groups Establish best practices for use of administrative accounts and groups.

Use the best practices described in this guide as you manage your network. This will help reduce

the risk of unauthorized users gaining administrative access to Active Directory, and maliciouslyor accidentally damaging your organization by copying or deleting confidential data or by

disabling your network.
http://technet.microsoft.com/en-us/library/cc700835.aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc700835.aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc700835.aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection121121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection121121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection122121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection122121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection123121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection123121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection124121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection124121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection125121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection126121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection126121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection127121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection127121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection128121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection128121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection128121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection127121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection126121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection125121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection124121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection123121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection122121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#XSLTsection121121120120http://technet.microsoft.com/en-us/library/cc700835.aspx#feedback


2/27

IMPORTANT: All the step-by-step instructions included in this document were developed by

using the Start menu that appears by default when you install your operating system. If you have

modified your Start menu, the steps might differ slightly.

Top Of Page

Before You Begin

Before using this guide to secure your administrative groups and accounts, first complete thetasks in "Securing Windows Server 2003 Domain Controllers" in the Security Guidance Kit.

In order to complete the procedures provided in this guide, you must know the name andpassword of the built-in administrator account, or the name and password of an account that is a

member of the built-in Administrators group on your domain controllers. Determine which

server (or servers) on your network are running as domain controllers. A domain controller is a

server running Windows Server 2003 on which Active Directory is installed.

Before you begin, you must understand these administrative accounts and groups and howadministrative responsibility is shared by service administrators and data administrators. To view

and manage Active Directory accounts and groups, clickStart, then select AdministrativeTools, and then clickActive Directory Users and Computers.

Understanding Administrative Accounts and Groups

Administrative accounts in an Active Directory domain include:

The Administrator account, which is created when Active Directory is installed on thefirst domain controller in the domain. This is the most powerful account in the domain.The person who installs Active Directory on the computer creates the password for this

account during installation. Any accounts that you later create and either place in a group that has administrative

privileges or directly assign administrative privileges.

Administrative groups in an Active Directory domain vary depending on the services that you

have installed in your domain. Those used specifically for administering Active Directory

include:

Administrative groups that are automatically created in the Builtin container.

Administrative groups that are automatically created in the Users container. Any groups that you later create and either place in another group that has administrative

privileges or directly assign administrative privileges.

Understanding Service Administrators and Data Administrators

For Active Directory in Windows Server 2003, there are two types of administrativeresponsibility. Service administrators are responsible for maintaining and delivering the directory
http://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://technet.microsoft.com/en-us/library/cc700835.aspx#mainSection


3/27

service, including domain controller management and directory service configuration. Data

administrators are responsible for maintaining the data that is stored in the directory service and

on domain member servers and workstations.

In a small organization, these two roles might be performed by the same person, but it is

important to understand which default accounts and groups are service administrators. Serviceadministration accounts and groups have the most widespread power in your network

environment and require the most protection. They are responsible for directory-wide settings,

installation and maintenance of software, and application of operating system service packs andupdates on domain controllers.

The following table lists the default groups and accounts that are used for service administration,their default locations, and a brief description of each. Groups in the Builtin container cannot be

moved to another location.

Default Service Administrator Groups and Accounts

Group or

Account Name

Default

LocationDescription

Enterprise

Admins

Users

container

This group is automatically added to the Administrators group in

every domain in the forest, providing complete access to theconfiguration of all domain controllers.

Schema AdminsUsers

container

This group has full administrative access to the Active Directory

schema.

AdministratorsBuiltincontainer

This group has complete control over all domain controllers and

all directory content stored in the domain, and it can change themembership of all administrative groups in the domain. It is the

most powerful service administrative group.

Domain AdminsUserscontainer

This group is automatically added to the correspondingAdministrators group in every domain in the forest. It has

complete control over all domain controllers and all directory

content stored in the domain and it can modify the membership

of all administrative accounts in the domain.

Server OperatorsBuiltincontainer

By default, this built-in group has no members. It can perform

maintenance tasks, such as backup and restore, on domain

controllers.

AccountOperators

Builtincontainer

By default, this built-in group has no members. It can create and

manage users and groups in the domain, but it cannot manageservice administrator accounts. As a best practice, do not add

members to this group, and do not use it for any delegated

administration.

Backup

Operators

Builtin

container

By default, this built-in group has no members. It can perform

backup and restore operations on domain controllers.

DS Restore Not stored This special account is created during the Active Directory


4/27

ModeAdministrator

in ActiveDirectory

installation process, and it is not the same as the Administratoraccount in the Active Directory database. This account is onlyused to start the domain controller in Directory Services Restore

Mode. In Directory Services Restore Mode, this account has full

access to the system and all files on the domain controller.

The accounts and groups listed in this table and all members of these groups are protected by abackground process that periodically checks and applies a specific security descriptor, which is a

data structure that contains security information associated with a protected object. This process

ensures that any successful unauthorized attempt to modify the security descriptor on one of the

administrative accounts or groups will be overwritten with the protected settings.

This security descriptor is present on the AdminSDHolder object. This means that if you want to

modify the permissions on one of the service administrator groups or on any of its memberaccounts, you must modify the security descriptor on the AdminSDHolder object so that it will

be applied consistently. Be careful when making these modifications because you are also

changing the default settings that will be applied to all of your protected administrative accounts.For more information about modifying permissions on service administrator accounts, see "BestPractice Guide for Securing Active Directory Installations" (Windows Server 2003) on the

Microsoft Web site athttp://go.microsoft.com/fwlink/?LinkId=22342.

Top Of Page

Creating a New User Account with Domain Admins Credentials

If you do not already have a user account that is a member of the Domain Admins group, other

than the default Administrator account, create one that you will use to perform the tasks in this

guide. As the administrator of your network, you will use this new account only when you needto perform tasks that require Domain Admin credentials. Do not remain logged on with this

account after you finish performing these tasks. If the computer contracts a virus while a domainadministrator is logged on, the virus runs in the context of that domain administrator. In this way,

the virus could use the administrator's privileges to infect the workstation and the rest of the

network. Create another user account for data management and day-to-day use such as runningMicrosoft Office and sending and receiving e-mail, but do not add that user account to the

Domain Admins group. Secure practices for creation and use of administrative accounts are

described later in this paper.

Requirements

Credentials: Domain Admins (if this is the first administrative account you have created,log on by using the default Administrator account)

Tools: Active Directory Users and Computers To create a new user account with Domain Admins credentials

1. Log on as a member of the Domain Admins group, and then open ActiveDirectory Users and Computers.
http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342


5/27

Note: Screenshots in this document reflect a test environment and the information

might differ from the information displayed on your computer.

2. Right-click the Users container, clickNew, and then clickUser.

3. Type the First name, Last name, and User logon name, and then clickNext. Asshown in the example, you might want to follow a naming convention for namingyour administrative accounts. For example, you might decide to append "?ALT"

to the name of the administrative user to arrive at the logon name for the

administrative account.


6/27

4. Type and confirm the user password, clear the User must change password atnext logon check box, and then clickNext.

5. Review the account information and then clickFinish.6. With the Users container selected, in the details pane (right pane), double-click

the Domain Admins group.

7. Click the Members tab.


7/27

8. ClickAdd and then, in the Select Users, Contacts, or Computers dialog box,type the user logon name of the administrative account you just created, and then

clickOK.

9. Verify that your new account appears as a member of the Domain Admins group.


8/27

Top Of Page

Protecting the Administrator Account

Every installation of Active Directory has an account named Administrator in each domain. This

account cannot be deleted or locked out. In Windows Server 2003, the Administrator account canbe disabled, but it is automatically re-enabled when you start the computer in Safe Mode.

A malicious user attempting to break into a system would typically start by attempting to try toobtain the password for the all-powerful Administrator account. For this reason, rename it and

change the text in the Description to eliminate anything that indicates that this is the

Administrator account. In addition, create a decoy user account called Administrator that has nospecial permissions or user rights.

Always give the Administrator account a long, complex password. Use different passwords forthe Administrator and DS Restore Mode Administrator accounts. For more information about

creating complex passwords, see "Selecting Secure Passwords" in the Security Guidance Kit.

Renaming the Default Administrator Account

This procedure removes any obvious information that can alert attackers that this account haselevated privileges. Although an attacker that discovered the default Administrator account

would still need the password to use it, renaming the default Administrator account adds an

additional layer of protection against elevation of privilege attacks. Use a fictitious first and lastname, in the same format as your other user names. Do not use the fictitious name shown in the

example below.


9/27

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To rename the default Administrator account


2. In the console tree (left pane), clickUsers.3. In the details pane (right pane), right-clickAdministrator, and then click

Rename.

4. Type the fictitious first and last name and press Enter.5. In the Rename User dialog box, change the Full name, First name, Last name,

Display name, User logon name, and User logon name (pre-Windows 2000)values to match your fictitious account name, and then clickOK.


10/27

6. In the details pane (right pane), right-click the new name, and then clickProperties.

7.

On the General tab, delete the Description "Built-in account for administeringthe computer/domain" and type in a description to resemble other user accounts

(for many organizations, this will be blank).

8. On the Account tab, verify that the logon names are correct.Note: This procedure changes only the default Administrator account's logon

name and account details, which someone can see if they manage to enumerate a

list of accounts on your system. This procedure does not affect the ability to use


11/27

the DS Restore Mode Administrator account to start Directory Services Restore

Mode, as they are two different accounts.

Creating a Decoy Administrator Account

This procedure adds an additional layer of protection when you hide the default Administratoraccount. An attacker planning a password attack on the Administrator account can be fooled into

attacking an account with no special privileges.

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To create a decoy Administrator account


2. Right-click the Users container, clickNew, and then clickUser.3. In First name and User logon name, type Administrator and then clickNext.

4. Type and confirm a password.5. Clear the User must change password at next logon check box.


12/27

6.

Verify that the decoy account is created and clickFinish.

7. In the details pane (right pane), right-clickAdministrator, and then clickProperties.

8. On the General tab, in the Descriptionbox, type Built-in account foradministering the computer/domain, and then clickOK.

Top Of Page

Securing the Guest Account

The Guest account allows users who do not have an account in your domain to log on to the

domain as a guest. This account is disabled by default, and should remain disabled, but hiding


13/27

the account adds an additional layer of protection against unauthorized access. Use a fictitious

first and last name, in the same format as your other user names.

Requirements

Credentials: Domain Admins

Tools: Active Directory Users and Computers To rename the Guest account


2. In the console tree (left pane), clickUsers.3. In the details pane (right pane), right-clickGuest, and then clickRename.4. Type the fictitious first and last name and press Enter.5. Right-click the new name, and then clickProperties.6. On the General tab, delete the Description "Built-in account for guest access to

the computer/domain" and type in a description to resemble other user accounts(for many organizations, this will be blank).

7. In the First name and Last nameboxes, type the fictitious names.8. On the Account tab, type a new User logon name, using the same format you use

for your other user accounts, for example, first initial and last name.

9. Type this same new logon name in the User logon name (pre-Windows 2000)box, and then clickOK.

10.Verify that the account is disabled. The icon should appear with a red X over it. Ifit is enabled, right-click the new name, and then clickDisable Account.

Top Of Page

Strengthening Security on Service Administration Accounts and Groups

Creating a controlled organizational unit (OU) subtree in Active Directory and configuring it

with its recommended security settings can help provide a more secure environment for serviceadministrator accounts and workstations.

OUs are containers within domains that can contain other OUs, users, groups, computers, and

other objects. These OUs and sub-OUs form a hierarchical structure within a domain, and are

primarily used to group objects for management purposes.

By creating a subtree containing all service administrator accounts and the administrativeworkstations that they use, you can apply specific security and policy settings to maximize their

protection.

To create the controlled subtree, perform the following tasks:

1. Create the OU structure for the controlled subtree.2. Set the permissions on the controlled subtree OUs.


14/27

3. Move service administrator groups to the controlled subtree.4. Move service administrator user accounts to the controlled subtree.5. Move service administrator workstation accounts to the controlled subtree.6. Enable auditing on the controlled subtree OUs.

Creating the OU Structure for the Controlled Subtree

To create the subtree, create three OUs:

Service Admins, under the domain root, to hold the following two sub-OUso Users and Groups, to hold administrative user and group accounts.o Admin Workstations, to hold administrative workstations.

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To create the OU structure for the controlled subtree


2. In the console tree (left pane), right-click the domain name, point to New, andthen clickOrganizational Unit.

3. In the Namebox, type Service Admins and clickOK.4. In the console tree (left pane), right-clickService Admins, point to New, and then

clickOrganizational Unit.

5. In the Namebox, type Users and Groups and clickOK.6. In the console tree (left pane), right-clickService Admins, point to New, and then

clickOrganizational Unit.

7. In the Namebox, type Admin Workstations and clickOK.8. Verify that your OU hierarchy resembles the following structure, with Service

Admins at the level under the domain name, and Users and Groups and Admin

Workstations at the level under Service Admins.


15/27

Setting the Permissions on the Controlled Subtree OUs

Doing the following can help limit access to the controlled subtree so that only service

administrators can administer the membership of service administrator groups and workstations:

Block inheritance of permissions on the Service Admins OU so that inheritablepermission changes that are made higher up in the domain tree are not inherited down,altering the locked-down settings.

Set the permissions on the Service Admins OU.Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To set permissions on the Service Admins OU


2. On the View menu, select Advanced Features.3. Right-click the Service Admins OU, and then clickProperties.


16/27

4. On the Security tab, clickAdvanced to view all of the permission entries thatexist for the OU.

5. Clear the Allow inheritable permissions from the parent to propagate to thisobject and all child objects. Include these with entries explicitly defined herecheck box.


17/27

6. In the Security dialog box, clickRemove. This removes the permissions that wereinherited from the domain.

7. Remove the remaining permissions. Select all the remaining permission entriesand then clickRemove.

8. For each group listed in the Name column of the table below, add a permissionentry to agree with the Access and the Applies to columns as shown in the table.

To add an entry, clickAdd, then in the Select User, Computer, or Group dialogbox, clickAdvanced. In the expanded dialog box, clickFind Now. In the searchresults box, select the group name and clickOKtwice. This brings up the

Permission Entry dialog box, where you can select the Access and Applies To

items to agree with the table.

Permission Settings for the Service Admins OU

Type Name Access Applies To

Allow SYSTEM Full ControlThis object and all child

objects

Allow Enterprise Admins Full ControlThis object and all child

objects

Allow Domain Admins Full ControlThis object and all child

objects

Allow Administrators Full ControlThis object and all child

objects

AllowPre-Windows 2000

Compatible Access

List Contents

Read AllProperties

Read

Permissions

User objects

AllowPre-Windows 2000Compatible Access

List ContentsRead All

Properties

ReadPermissions

InetOrgPerson objects

Allow Enterprise Domain Controllers List Contents This object and all child


18/27

Read AllPropertiesRead

Permissions

objects

Allow Authenticated Users

List Contents

Read AllProperties

Read

Permissions

This object and all child

objects

Moving Service Administrator Groups into the Users and Groups OU

Move the following service administrator groups from their current location in the directory into

the Users and Groups OU in your controlled subtree:

Domain Admins and any nested subgroups. Enterprise Admins and any nested subgroups. Schema Admins and any nested subgroups. Any groups that are nested in the domain's Administrators, Server Operators, Backup

Operators, or Account Operators groups.

Any group that has delegated rights that effectively grant its users service administratorrights.

The built-in groups (Administrators, Server Operators, Account Operators, and Backup

Operators) cannot be moved from their default container to the controlled subtree. However,

built-in groups are protected by default in Windows Server 2003 by AdminSDHolder.

If your organization has not created any nested subgroups or delegated service administrationrights to any group, you will need to move only Domain Admins, Enterprise Admins, and

Schema Admins.

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To move service administrator groups into the Users and Groups OU


2. In the console tree (left pane), clickUsers.3. In the details pane (right pane), right-clickDomain Admins, and then click

Move.4. In the Movebox, double-clickService Admins, clickUsers and Groups, and

then clickOK.

5. Verify that the Domain Admins group is now in the Users and Groups OU.


19/27

6. Repeat the procedure for all service administrator groups listed above. Note that ifyou have nested groups under builtin groups such as Administrators, or groupsyou previously created and assigned administrative privileges, their original

location might not be the Users container.

Moving Service Administrator User Accounts into the Users and Groups OU

Move the following user accounts from their current locations in the directory into the Users and

Groups OU in your controlled subtree:

All administrative user accounts that are members of any of the service administratorgroups listed in the Default Service Administrator Groups and Accounts table. Thisincludes the domain Administrator account (which you previously renamed.)

The decoy administrator account that you created in an earlier procedure in this guide.As recommended, each service administrator should have two accounts: one for serviceadministration duties and one for data administration and typical user access. Place the

administrative user accounts in the Users and Groups OU in your controlled subtree. If these

accounts already exist elsewhere in the directory, move them into the subtree now. The regular

user accounts for those administrators should not be placed in this controlled subtree. Regularuser accounts will remain in their original location: in the Users container, or in an OU used by

your organization to hold user accounts.

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To move service administrator accounts into the Users and Groups OU


20/27


2. In the console tree (left pane), clickUsers.3. In the details pane (right pane), right-click the name of your renamed

administrator account, and then clickMove.

4.

In the Movebox, double-clickService Admins, clickUsers and Groups, andthen clickOK.5. Verify that the account is now in the Users and Groups OU.6. Repeat the procedure for all service administrator accounts listed above. Note that

if you have previously created administrative accounts or other OUs, their originallocation might not be the Users container.

Moving Administrative Workstation Accounts into the Admin Workstations OU

Move the computer accounts for workstations used by administrators into the Admin

Workstations OU in your controlled subtree.

IMPORTANT: Do not move any domain controller accounts out of the default Domain

Controllers OU, even if some administrators log on to them to perform administrative tasks.Moving these accounts will disrupt the consistent application of domain controller policies to all

domains.

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To move service administrative workstation accounts into the Admin Workstations

OU1. Log on as a member of the Domain Admins group, and then open Active

Directory Users and Computers.2. In the console tree (left pane), clickComputers.3. In the details pane (right pane), right-click the name of a workstation used by an

administrator, and then clickMove.4. In the Movebox, double-clickService Admins, clickAdmin Workstations, and

then clickOK.

5. Verify that the computer account is now in the Admin Workstations OU.6. Repeat the procedure for all administrative workstations.

Enable Auditing on the Controlled Subtree

Auditing and tracking additions, deletions, and changes to the service administrator accounts,

workstations, and policies can help identify improper or unauthorized changes that are frequent

indicators of unauthorized actions or attempts to gain unauthorized access to your system.Assuming that you have enabled auditing on your domain controllers in accordance with the

recommendations in "Securing Windows Server 2003 Domain Controllers" in the Security

Guidance Kit, enabling auditing on the Service Admins OU creates a security audit log that


21/27

tracks such changes. Monitoring the security audit log for changes to the controlled subtree and

verifying that the changes are legitimate can help identify unauthorized use. To access the

security audit log, clickStart, point to Administrative Tools, clickEvent Viewer, and thenclickSecurity.

Requirements

Credentials: Domain Admins Tools: Active Directory Users and Computers To enable auditing on the controlled subtree


2. On the View menu, select Advanced Features.3. Right-click the Service Admins OU, and then clickProperties.4. On the Security tab, clickAdvanced, and then select the Auditing tab to view

the current auditing settings that exist for the OU. Note that in this example, the

current settings are both inherited from the domain.

5. ClickAdd to create an auditing entry that will apply to the Service Admins OUand its child OUs.

6. In the Enter the object name to select box, type Everyone and clickOK.


22/27

7. In the Accessbox, select both Successful and Failed for the Access items shownin the table below, and then clickOK. Note that when you select some check

boxes, other access items are selected automatically. These should not bechanged.

Auditing Settings on the Service Admins OU

Type Name Access Applies ToAll Everyone Write All Properties This object and all child objects

All Everyone Delete This object and all child objects

All Everyone Delete Subtree This object and all child objects

All Everyone Modify Permissions This object and all child objects

All Everyone Modify Owner This object and all child objects

All Everyone All Validated Writes This object and all child objects


23/27

All Everyone All Extended Rights This object and all child objects

All Everyone Create All Child Objects This object and all child objects

All Everyone Delete All Child Objects This object and all child objects

Top Of Page

Establishing Best Practices for Use of Administrative Accounts and Groups

Establishing the following best practices for use of administrative accounts and groups can helpreduce the likelihood that your computers and network will be affected by unauthorized users

gaining access to an account with elevated access rights or legitimate users unintentionally

disrupting your network through ill-informed use of their administrative rights:

Limit the number of service administrator accounts Separate administrative and user accounts for administrative users Assign trustworthy personnel Limit administrator rights to those rights that are actually required Control the administrative logon process Secure service administrator workstations Understand data delegation

Limiting the Number of Service Administrator Accounts

Keeping the membership of service administrator accounts to the absolute minimum that is

necessary to support your organization is a key way to limit unauthorized use. For smallorganizations, two accounts that are members of the Domain Admins group is typically

sufficient. Limiting these memberships reduces the number of possible administrative accounts

that can be compromised by malicious users. Tasks that are performed by service administrators

should be limited to changing the Active Directory service configuration and reconfiguringdomain controllers.

Do not use service administrator accounts for day-to-day administrative tasks, such as account

and member server management; instead, use your regular user account.

To use your regular user account for account and member server management, you can place the

objects to be managed in a separate OU, and then make your regular user account a member of a

group with permissions to manage that OU.

Domain Admins credentials are required to perform the following steps:

1. Create an OU under the domain root called Data. Use this OU to hold all objects that youwant to be managed by data administrators, for example, regular users, their

workstations, and member servers.

Note: You might also want to create at least two OUs within the Data OU, one called

Users and another called Computers, and move all user and computer accounts from the


24/27

Users and Computers containers into these respective OUs. Moving the objects to OUs

allows you to apply Group Policy. You can also create your own OU model to meet your

delegation and Group Policy application requirements.

2. Create another OU under the domain root called Data Admins.3.

In the Data Admins OU, create a Domain Local Security Group called domain_nameData Admins, for example, Contoso Data Admins. Members of this group are

responsible for management of data in the Data OU.

4. Modify the existing permissions on the Data OU as follows:o Remove all permissions granted to Account Operators and Print Operators.o Add the following entry:

Type Name Access Applies To

Allow Data Admins Full Control This object and all child objects

5. Move the regular user account that you created for your domain administrator to the DataOU.

6. Add the account to the domain_nameData Admins security group.7. If you later want to delegate data management to additional administrators, create their

user accounts in the Data Admins OU and add their user accounts to the domain_name

Data Admins security group.

Separating Administrative and User Accounts for Administrative Users

For each user who fills a service administrator role, create two accounts: one regular user

account to be used for normal tasks and data administration, and one service administrative

account to be used only for performing service administration tasks. The service administration

account should not be mail enabled or used for running applications that are used every day, suchas Microsoft Office, or for browsing the Internet. Always give the two accounts different

passwords. These precautions reduce the exposure of the accounts to the outside world, and theyreduce the amount of time that administrative accounts are logged on to the system.

Assigning Trustworthy Personnel

Service administrators control the configuration and functioning of the directory service.

Therefore, this responsibility should be given only to reliable, trusted users who havedemonstrated responsible ownership and who fully understand the operation of the directory.

They should be completely familiar with your organization's policies regarding security and

operations, and they should have demonstrated their willingness to enforce those policies.

Limiting Administrator Rights to Those Rights That Are Actually Required

Active Directory contains a Backup Operators built-in group. Members of this group are

considered to be service administrators because members of the group have the privilege to log

on locally and restore files, including the operating system files, on domain controllers.


25/27

Membership in the Backup Operators group in Active Directory should be limited to those

individuals who back up and restore domain controllers.

All member servers also contain a Backup Operators built-in group that is local to each server.

Individuals who are responsible for backing up applications on a member server (for example,

Microsoft SQL Server) should be made members of the local Backup Operators group on thatserver. These users should not be members of the Backup Operators group in Active Directory.

On a server that is dedicated to the domain controller role, you can reduce the number ofmembers in the Backup Operators group. If possible, domain controllers should be dedicated, but

in smaller organizations a domain controller might be used to run other applications. In this case,

users who are responsible for backing up applications on the domain controller must also betrusted as service administrators because they have the privileges that enable them to restore

files, including the system files, on domain controllers.

Avoid using the Account Operators group for strictly delegating a "data administration" task,

such as account management. The default directory permissions give this group the ability tomodify the computer accounts of domain controllers, including deleting them. By default, there

are no members of the Account Operators group, and its membership should be left empty.

Controlling the Administrative Logon Process

The members of the Administrators, Enterprise Admins, and Domain Admins groups represent

the most powerful accounts in your domain. To minimize security risks, you may want to takeadditional steps to enforce strong administrative credentials, such as requiring smart cards for

administrative logon, or requiring two forms of identification, with each form held by a different

administrator. These additional precautions are covered in "Best Practice Guide for Securing

Active Directory Installations" (Windows Server 2003) on the Microsoft Web site athttp://go.microsoft.com/fwlink/?LinkId=22342.

Securing Service Administrator Workstations

In addition to limiting access to resources that are stored on the domain controllers and access toinformation that is stored in the directory, you can also enhance security by strictly controlling

the workstations that are used by service administrators for administrative functions. Service

administrators should only log on to well-managed computers, meaning that all security updates

are applied and up to date virus software is installed. If you use service administrator credentialson a computer that is not well-managed, you run the risk of compromising the credentials if that

computer has been breached by a malicious individual.

For more information about how to restrict administrators to specific workstations and additional

precautions, see "Best Practice Guide for Securing Active Directory Installations" (Windows

Server 2003) on the Microsoft Web site athttp://go.microsoft.com/fwlink/?LinkId=22342.

Understanding Data Delegation
http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342http://go.microsoft.com/fwlink/?LinkId=22342


26/27

In a small organization, it is likely that there are only one or two administrative users, so data

delegation may not be needed. However, as your organization grows, you might want to

designate data administrators and delegate portions of data administration to them. Dataadministrators are responsible for managing data that is stored in the directory and on computers

that are members of the domain. Data administrators have no control over the configuration and

delivery of the directory service itself; they control subsets of objects in the directory. Usingpermissions on objects that are stored in the directory, it is possible to limit the control of a givenadministrator account to very specific areas of the directory. Data administrators also manage

computers (other than domain controllers) that are members of their domain. They manage local

resources, such as print and file shares on local servers, and they also manage the group and useraccounts for their own part of the organization. Data administrators can perform all of their

responsibilities from management workstations, and they do not need physical access to domain

controllers.

Delegation of data administration is accomplished by creating groups, granting the appropriate

user rights and permissions to those groups, and applying Group Policy settings to the members

of those groups. After these steps are complete, delegation is a matter of adding user accounts tothe groups that are created. The critical part of this operation is granting proper access and

applying the proper policies, based on the principle of least privilege, to maximize security,while still allowing administrators to perform their delegated functions.

For more information about delegating data administration, see "Best Practices for Delegating

Active Directory Administration" on the Microsoft Web site athttp://go.microsoft.com/fwlink/?LinkId=22707.

Top Of Page

Related Information

For more information about securing Active Directory, see the following: Securing Windows Server 2003 Domain Controllers" in the Security Guidance Kit. Best Practice Guide for Securing Active Directory Installations" (Windows Server 2003)

on the Microsoft Web site at/downloads/details.aspx?FamilyID=4e734065-3f18-488a-

be1e-f03390ec5f91&DisplayLang=en.

"Best Practices for Delegating Active Directory Administration" on the Microsoft Website at/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.

mspx.

For more general information about builtin accounts and migrating from Microsoft Windows NT

4.0 to Active Directory, see the following:

"Default Groups" on the TechNet Web site attechnet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-

94a62f8846cf1033.mspx?mfr=true.
http://go.microsoft.com/fwlink/?LinkId=22707http://go.microsoft.com/fwlink/?LinkId=22707http://go.microsoft.com/fwlink/?LinkId=22707http://go.microsoft.com/fwlink/?LinkId=22707http://go.microsoft.com/fwlink/?LinkId=22707http://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=truehttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspxhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=enhttp://technet.microsoft.com/en-us/library/cc700835.aspx#mainSectionhttp://go.microsoft.com/fwlink/?LinkId=22707http://go.microsoft.com/fwlink/?LinkId=22707http://go.microsoft.com/fwlink/?LinkId=22707


27/27

"Migrating from Windows NT Server 4.0 to Windows Server 2003" on the MicrosoftWeb site at/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-

19544062a6e6&DisplayLang=en.
http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=en

securing active directory administrative groups and accounts

Documents