CIOReview
DECEMBER - JANUARY

SECURING YOUR ON-PREM ACTIVE DIRECTORY ENVIRONMENT

· For each local admin account, reduce the number of servers to which the account has access
· For each server, reduce the number of admin accounts with local admin access

To accomplish this, my recommendation is to run a PowerShell script that will identify all of the users with local admin on every server in your domain. Use the output from the PowerShell script to identify the list of unique accounts with local admin permissions, and then count the number of servers on which each account has local admin permissions. Once you have this data collected, sort by the number of servers each account has local admin permissions to, then start with the accounts that have access to the largest number of servers and work your way down.

From here, there are multiple different ways you should look at this data:

1. Scan for any accounts that belong to people who left the company or changed roles and no longer need access. Remove access immediately.
2. Scan for any service accounts (accounts whose passwords do not change), especially those with local admin to a large number of servers. Does the account really need access to all of those servers?
   a. Reduce the scope wherever possible
   b. Do not be afraid to push back on app owners - leverage your SIEM data to identify what servers these accounts are actually signing into, and reduce access to only those servers showing historical sign-ins
3. Scan for regular user accounts that have local admin permissions on servers, and migrate these to dedicated administrator accounts. This way, if their user account gets compromised, it cannot be used to gain access to a server
4. Review each admin account, looking at any account that has access to significantly more servers than you would expect - again, leverage your SIEM data to identify what servers these accounts are actually signing into, and reduce access to only those servers showing historical sign-ins

By following these steps, you may identify many accounts with excessive permissions that an attacker could exploit to attack your company. Reducing the number and scope of accounts with local admin access and working towards the concepts of least privileged access will help secure your company.
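As an added example, not the article's own script, the following PowerShell carries out the inventory described above: it reads the local Administrators group on every domain server, ranks each account by the number of servers granting it local admin, and adds the password-last-set date for domain user accounts so never-rotated service accounts stand out. It assumes the ActiveDirectory RSAT module, WinRM access to the servers, PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), and a placeholder output path.

```powershell
# Added example, not the article's script. Assumptions: ActiveDirectory module (RSAT) installed,
# WinRM reachable on targets, run as a domain account allowed to read local group membership,
# targets on PowerShell 5.1+ (Get-LocalGroupMember); the CSV path is a placeholder.
Import-Module ActiveDirectory

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName

# Step 1: collect one (Server, Account) row per local Administrators member on each reachable server
$rows = foreach ($server in $servers) {
    try {
        $members = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Server      = $server
                Account     = $m.Name        # e.g. CONTOSO\svc-backup or SERVER01\Administrator
                ObjectClass = $m.ObjectClass # User or Group; domain groups are not expanded here
            }
        }
    } catch {
        Write-Warning "Could not enumerate $server : $($_.Exception.Message)"
    }
}

# Step 2: unique accounts, counted by the number of servers granting local admin, largest first
$ranked = $rows | Group-Object Account | ForEach-Object {
    $uniqueServers = $_.Group.Server | Sort-Object -Unique
    [pscustomobject]@{
        Account     = $_.Name
        ObjectClass = $_.Group[0].ObjectClass
        ServerCount = @($uniqueServers).Count
        Servers     = $uniqueServers -join ';'
    }
} | Sort-Object ServerCount -Descending

# Step 3: for domain user accounts, add the password age so never-rotated (service) accounts stand out
$ranked = $ranked | ForEach-Object {
    $pwdLastSet = $null
    if ($_.ObjectClass -eq 'User' -and $_.Account -like "$env:USERDOMAIN\*") {
        $u = Get-ADUser -Identity $_.Account.Split('\')[1] -Properties PasswordLastSet -ErrorAction SilentlyContinue
        if ($u) { $pwdLastSet = $u.PasswordLastSet }
    }
    $_ | Add-Member -NotePropertyName PasswordLastSet -NotePropertyValue $pwdLastSet -PassThru
}

$ranked | Export-Csv -Path 'C:\Reports\LocalAdmin-Inventory.csv' -NoTypeInformation
$ranked | Select-Object Account, ObjectClass, ServerCount, PasswordLastSet | Format-Table -AutoSize
```

A domain group nested in a server's Administrators group appears as a single Group row here; expand it with Get-ADGroupMember -Recursive before counting, or the users it contains will be missed in the per-account totals.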