


How To Give Service Account 'local Admin' Rights On Domain Controller?

There's Something About Service Accounts

Service accounts are the gray area between regular user accounts and admin accounts, and they are often highly privileged. They are almost always over-privileged, either because of documented vendor requirements or because of operational expediency ("just make it work").

We can find service accounts by looking for user accounts with Kerberos Service Principal Names (SPNs), a technique I call SPN Scanning. Service accounts without SPNs can also be found by querying AD for accounts whose names contain 'SVC' or 'Service', or a common vendor product name.

The following PowerShell commands require the Active Directory PowerShell module.

Find service accounts (user accounts with SPNs):

Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedToAuthForDelegation

Find likely AD admin accounts (user accounts with AdminCount set to 1). AdminCount is set by the SDProp process for members of protected groups and is not cleared when an account is removed from them, so this list also includes former admins; confirm current group membership before treating an account as privileged:

Get-ADUser -Filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf

While Domain Admins is the most commonly used AD admin group, there are several others that can be used.

Common privileged AD groups that may contain service accounts:

  • Administrators
    • Full administrative rights to the AD domain and Domain Controllers.
  • Domain Admins
    • Full administrative rights to computers joined to the domain (by default) and full administrative rights to the AD domain and DCs (through membership in the Administrators group).
  • Backup Operators
    • Default rights to back up and restore Active Directory and Domain Controllers.
  • Server Operators
    • Able to log on to Domain Controllers and perform some administrative actions on them.
  • Enterprise Admins
    • Full administrative rights to all domains and Domain Controllers in the AD forest (through membership in each domain's Administrators group). Also holds forest-wide rights such as DHCP server authorization. In a single-domain forest, this group should remain empty until needed.
  • Schema Admins
    • Able to modify the AD schema for the forest. This group should remain empty until needed.
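The two queries above and the group list can be combined into one check: which members of the privileged groups look like service accounts (an SPN is set, or the name matches the post's naming heuristic), and whether the built-in Administrator account itself carries an SPN. The script below is an added example, not code from the original post; the group names are the ones listed above, the name pattern is an assumption to be extended for your environment, and it only needs the ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the original post): cross-reference the privileged groups
# listed above with the service account heuristics from the post (SPN present, or a
# name that looks like a service account).
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Schema Admins', 'Backup Operators', 'Server Operators'
)
# Name heuristic from the post; the vendor names are an assumption, extend as needed.
$ServiceNamePattern = 'svc|service|backup|scan|sccm|scom|sql|vpn|agpm'

$Props = 'ServicePrincipalName', 'PasswordLastSet', 'LastLogonDate', 'PasswordNeverExpires',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'

function Get-PrivilegedServiceAccounts {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($g in $Groups) {
        # Enterprise/Schema Admins only exist in the forest root; skip groups not found here.
        $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership on the DC side, so it
        # finds accounts hidden in nested groups and is not subject to the
        # Get-ADGroupMember result size limit.
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        foreach ($u in Get-ADUser -LDAPFilter $filter -Properties $Props) {
            $hasSpn   = ($u.ServicePrincipalName.Count -gt 0)
            $looksSvc = ($u.SamAccountName -match $ServiceNamePattern)
            if (-not ($hasSpn -or $looksSvc)) { continue }
            [pscustomobject]@{
                Group                = $group.Name
                SamAccountName       = $u.SamAccountName
                HasSPN               = $hasSpn
                SPNs                 = ($u.ServicePrincipalName -join ';')
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                LastLogonDate        = $u.LastLogonDate
                UnconstrainedDeleg   = $u.TrustedForDelegation
                ProtocolTransition   = $u.TrustedToAuthForDelegation
            }
        }
    }
}

# The post also notes SPNs on the built-in Administrator account, which makes it
# Kerberoastable. Look it up by RID 500 so a renamed account is still found.
function Test-BuiltinAdministratorSpn {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500" -Properties ServicePrincipalName
    [pscustomobject]@{
        SamAccountName = $admin.SamAccountName
        HasSPN         = ($admin.ServicePrincipalName.Count -gt 0)
        SPNs           = ($admin.ServicePrincipalName -join ';')
    }
}

Get-PrivilegedServiceAccounts | Sort-Object SamAccountName | Format-Table -AutoSize
Test-BuiltinAdministratorSpn
```

Accounts whose primary group is a privileged group (primaryGroupID 512 for Domain Admins) do not appear in memberOf and are missed by the chain filter; add a `primaryGroupID` check if that is a concern in your domain. An entry with an old PasswordLastSet, PasswordNeverExpires set and an SPN is the combination to fix first, since it is both Kerberoastable and unlikely to be rotated.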

Rarely does a service account actually require Domain Admin level rights.
I reviewed vendor documentation across multiple products and found that there were many things in common.


Eventually a pattern emerged…

When we perform Active Directory Security Assessments for customers, we almost always find service accounts in Domain Admins (and sometimes other privileged AD groups) and help the customer (and sometimes the vendor) figure out how to reduce the rights for the service account so it can be removed from Domain Admins.

Common service accounts in Domain Admins (or other AD admin groups):

  • Microsoft AGPM
    • Used to manage Group Policy Objects (GPOs) in AD. This account does not need to be in Domain Admins or any other highly privileged AD group.
    • Delegation guidance: https://blogs.technet.microsoft.com/askds/2008/12/16/agpm-least-privilege-scenario/
  • Altiris/ADBackup/Backup/BackupExec/CommVault/NetBackup/etc
    • Backing up AD (and/or Domain Controllers) only requires membership in the Backup Operators group in AD. This group is specific to Active Directory and by default does not provide backup rights to other systems in the domain. These accounts should not require membership in Domain Admins. The caveat is that there are scenarios where a backup service account may require more rights than Backup Operators provides, such as when restoring user attributes in AD. That is an advanced restoration scenario; AD backup accounts should start as members of Backup Operators only (not Domain Admins). Keep in mind that Backup Operators can log on to Domain Controllers and back up and restore any file there, including the AD database, so it is still a Tier 0 group and its members' credentials need the same protection as an admin's.
    • Service accounts that back up anything other than AD or DCs do not require membership in the AD Backup Operators group.
  • Archive
    • Typically an Exchange service account for archiving Exchange mailboxes. There is no reason for an Exchange-related service account to be a member of privileged AD groups.
  • AV/McAfee/Trend
    • AV service accounts never need Domain Admin rights.
  • Azure
    • This account may be used for Azure AD Connect (the installer grants the connector account the rights it needs on the domain root) or for another Azure purpose.
    • There is no reason for this account to be in Domain Admins. Note that when password hash synchronization is enabled, the installer grants the AD DS connector account "Replicating Directory Changes" rights, which are enough to extract every password hash in the domain, so that account (and the Azure AD Connect server) must be protected like Domain Admins even though it is not a member.
  • BES
    • This is the BlackBerry Enterprise Server service account, which does not require Domain Admin rights (and may no longer be active on the network).
  • CyberArk/Reconcile/SecretServer
    • CyberArk started as an enterprise password vault and has grown its offering into other security controls.
  • Entrust/PKI
    • There are specific groups for PKI products (Cert Publishers, for example) that enable certificate actions. These should be used instead of Domain Admins.
  • Exchange/EXAdmin/Mail
    • Exchange service accounts never need Domain Admin rights.
  • Fax
    • No. A fax service account never requires Domain Admin rights and should be removed immediately.
  • Imanami
    • Imanami provides group membership management (among other capabilities and products). These service accounts should be custom delegated to the OUs containing the objects that require modification.
  • LANDESK
    • LANDESK is used for computer management and should not be in Domain Admins.
  • Quest
    • There are several Quest products that may require privileged rights on Domain Controllers. These rights need to be reviewed to determine whether they are appropriate.
  • PaloAlto
    • Typically this is used to map domain users to computers in order to tie a person to network and internet activity.
    • There is a better way to configure systems that need to perform this mapping, which usually involves reading the Domain Controller Security log (membership in Event Log Readers rather than Domain Admins): https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/create-a-dedicated-service-account-for-the-user-id-agent
  • Patch/Shavlik
    • Many patching systems tend to use Domain Admins since it provides administrative rights to every computer. This is not the best way to do it.
    • Break out patching by system type and ensure that there is a different service account for each one:
      • Workstations
      • Servers
      • Domain Controllers
  • ServiceNow
    • Required rights depend on the desired capability. Ensure that least privilege is followed and break out service accounts by computer type:
      • Workstations
      • Servers
      • Domain Controllers
  • Qualys/Nessus/Rapid7Scan/Scanner/VulnScan/VulnScanner
    • Vulnerability scanning service accounts are often placed in Domain Admins in order to have administrative rights on every computer in the domain.
    • Separate scanning into different scan "buckets":
      • Workstations with a VulnScan-wrk service account
      • Servers with a VulnScan-srv service account
      • Domain Controllers with a VulnScan-DC service account.
  • SCCM/Management/Mgmt/etc
    • Microsoft System Center Configuration Manager is typically used to deploy applications, update system settings, patch operating systems and applications, etc.
  • SCOM/Health/Insight/MOM/Management/Mgmt/etc
    • Microsoft System Center Operations Manager is a monitoring tool which monitors system and application health via event logs and "Management Packs".
    • There is often a standard service account which runs the system and a separate "action account" used on Domain Controllers, which lets a tier-appropriate server operator "click resolve" on issues on a Domain Controller without being a member of Domain Admins.
  • SQL
    • There is no reason for a SQL service account to ever be in a privileged AD group (like DA).
    • We have also found SQL Service Principal Names (SPNs) configured on the default domain Administrator account, which is even worse due to the risk of Kerberoasting.
  • Unity
    • Cisco service accounts never need Domain Admins. Cisco updated the documentation for Cisco service accounts in late 2018, so check for the updated guidance.
  • Varonis
    • Varonis is mostly used for tracking Windows file share permissions and access. This service account may be placed in Domain Admins in order to support a Varonis service on Domain Controllers. There may be a way to run this service account as a member of Server Operators instead.
  • vCenter/VMware
    • There is no reason for a VMware service account to be a member of Domain Admins (or any other privileged AD group).
  • VPN
    • There is no good reason to have a VPN service account in Domain Admins. We have seen a VPN-related service account in Domain Admins before, solely to support users connecting via VPN who have expired passwords. With DA rights, the VPN solution can inform the user of an expired password, prompt for a new password, and update the password for the user's AD account on the user's behalf.
    • The VPN service account does not require Domain Admin rights to change passwords on behalf of the user. The "Reset Password" right can easily be delegated on the OU containing the users who connect via VPN.

We have a Kerberos Service Principal Name (SPN) list here at ADSecurity.org which is regularly updated (a few times a year) and maps known SPNs to applications. This is a great way to discover enterprise applications deployed on a network.

Conclusion
A vendor saying that their service account needs to be in Domain Admins is not a requirement. Push back and ask for the specific rights that are required. Any service account that "requires" Domain Controller rights should be severely limited; no service account should get membership in Domain Admins just for a DC install. Any system or agent that can install or run code on a Domain Controller can elevate to Domain Admin, and this includes every account that manages that system.

The following items can be custom delegated without much difficulty, which is better than adding service accounts to Domain Admins.

  • add computers to the domain – facilitated through the "Add workstations to domain" user rights assignment in a GPO linked to the Domain Controllers OU. Joins made under that user right alone are capped by ms-DS-MachineAccountQuota (10 per account by default) and land in the default Computers container; delegating Create/Delete Computer Objects on the target OU avoids both limits.
  • delegated user rights – facilitated through custom delegation on user objects in an OU
  • service account on Domain Controllers – question why this is necessary. If it is, this can be facilitated with an agent or with a service account that is a member of Server Operators (or Administrators if required). Server Operators can log on to DCs and control services there, so treat any account in it as a DC admin regardless.
  • local administrator rights on all workstations – create a group called "Workstation Local Admins" (or similar) and add it to the local Administrators group with Restricted Groups via a GPO linked to the OU that contains the workstations.
  • local administrator rights on servers – create a group called "____ Server Local Admins" (or similar) and add it to the local Administrators group with Restricted Groups via a GPO linked to the OU that contains the servers.
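The delegations in the list above, and the VPN password-reset case from the service account list, come down to a handful of ACEs on an OU plus a group per tier. The script below is an added example and not the post's own code: the OU paths, group names and account names (svc-vpn, svc-domainjoin, VulnScan-wrk) are placeholders, the schema GUIDs are the standard well-known ones, and the Restricted Groups GPO that consumes the tier groups is configured in the Group Policy Management Console rather than here.

```powershell
# Added example (not from the original post): delegate the specific rights the post
# lists instead of adding a service account to Domain Admins.
# OU names, group names and account names below are placeholders for this example.
Import-Module ActiveDirectory

$DomainDn      = (Get-ADDomain).DistinguishedName
$VpnUsersOu    = "OU=VPN Users,$DomainDn"       # users who connect via VPN (assumed)
$WorkstationOu = "OU=Workstations,$DomainDn"    # where joined workstations live (assumed)
$GroupsOu      = "OU=Admin Groups,$DomainDn"    # where delegation groups are created (assumed)

# Well-known GUIDs from the AD schema; identical in every forest.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ComputerClass      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class

function Add-OuAce {
    # Appends one Allow ACE to an OU's DACL. Delegating to a group rather than to the
    # account keeps the ACL stable when the service account is rotated or replaced.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All',
        [guid]$InheritedObjectType = [guid]::Empty   # Empty = applies to all child classes
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function New-DelegationGroup {
    param([Parameter(Mandatory)][string]$Name, [string]$Description)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupsOu
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security `
                         -Path $GroupsOu -Description $Description -PassThru
    }
    $g
}

# 1. VPN password reset: "Reset Password" on user objects under the VPN Users OU only,
#    inherited to descendant user objects and nothing else.
$vpnGroup = New-DelegationGroup -Name 'VPN Password Reset' -Description 'Reset Password on VPN user objects'
Add-ADGroupMember -Identity $vpnGroup -Members 'svc-vpn'
Add-OuAce -OuDn $VpnUsersOu -Sid $vpnGroup.SID `
          -Rights ExtendedRight -ObjectType $ResetPasswordRight `
          -Inheritance Descendents -InheritedObjectType $UserClass

# 2. Domain join: create/delete computer objects in the Workstations OU. Unlike the
#    "Add workstations to domain" user right, this is not capped by ms-DS-MachineAccountQuota.
$joinGroup = New-DelegationGroup -Name 'Workstation Domain Join' -Description 'Create/delete computer objects in the Workstations OU'
Add-ADGroupMember -Identity $joinGroup -Members 'svc-domainjoin'
Add-OuAce -OuDn $WorkstationOu -Sid $joinGroup.SID `
          -Rights 'CreateChild, DeleteChild' -ObjectType $ComputerClass

# 3. Tiered local admin group. Per-tier service accounts (here the workstation
#    vulnerability scanner from the post's "buckets") go in the group; a Restricted Groups
#    GPO linked to the workstation OU then places the group in local Administrators.
$wsAdmins = New-DelegationGroup -Name 'Workstation Local Admins' -Description 'Local Administrators on workstations'
Add-ADGroupMember -Identity $wsAdmins -Members 'VulnScan-wrk'

function Get-OuDelegation {
    # Verification: list the ACEs on an OU that are granted to a given group.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)]$Principal)
    $nt = $Principal.SID.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $nt } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-OuDelegation -OuDn $VpnUsersOu -Principal $vpnGroup
Get-OuDelegation -OuDn $WorkstationOu -Principal $joinGroup
```

Run it as an account that owns or has Write DACL on the OUs; it does not need Domain Admins either. The verification output should show exactly one ExtendedRight ACE with ObjectType 00299570-… on the VPN OU and one CreateChild, DeleteChild ACE with ObjectType bf967a86-… on the workstation OU; anything broader (GenericAll, WriteDacl, or an ACE at the domain root) means the delegation was scoped wrong and is itself a path to Domain Admin.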

Source: https://adsecurity.org/?p=4115