Network Computing is part of the Informa Tech Division of Informa PLC


Securing Windows Server 2003: Controlling The Administrator Account

In my last column, we investigated how to lock down the Domain Admins group on the domain by restricting logon to secure service-administration workstations only. As previously discussed, this practice prevents the misuse of Domain Admins privileges, because membership of the group alone will not get the user (or abuser) access to the server. It reduces the attack surface of domain controllers and critical servers by a huge margin, because it removes the utility of an interactive user interface or logon. It is difficult to attack what you cannot see, even if you do possess the correct password.

This practice also lets you freely create service accounts that require Domain Admin rights and hand them to engineers without worrying that they will be used to access other services on the network. The account satisfies the service's requirements, but it cannot be used to log on to a server, especially a domain controller.

Here's an example of such abuse: a network engineer requires an account with membership in Domain Admins as the service account for a new firewall application running on a gateway or DMZ server. Soon after the firewall is installed, you notice that the service account is being used to log on to other servers that have nothing to do with the firewall service. By denying logon to Domain Admins you prevent this from happening.
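The misuse just described leaves a clear trace in the Security log: interactive (type 2) or remote-interactive (type 10) logons by the service account on hosts other than its gateway, where only a service logon (type 5) or network logon (type 3) is expected. The following Python check is an added example and is not part of this column; it runs over constructed records shaped like Windows Security event 4624, and the account names, host names and the allow-list of administration workstations are hypothetical. The LogonType codes are the standard Windows values.

```python
"""Flag Domain Admins members making interactive logons outside the approved hosts.

Records mirror the fields of Windows Security event 4624 (successful logon).
LogonType codes: 2 = Interactive, 3 = Network, 5 = Service,
10 = RemoteInteractive (RDP), 11 = CachedInteractive.
"""

# Constructed sample: a firewall service account (a Domain Admins member) doing
# what it should on its gateway, then being reused to log on to other servers.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-firewall", "LogonType": 5,  "Computer": "GW01",  "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "svc-firewall", "LogonType": 3,  "Computer": "DC01",  "IpAddress": "10.0.5.10"},
    {"EventID": 4624, "TargetUserName": "svc-firewall", "LogonType": 10, "Computer": "DC01",  "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TargetUserName": "svc-firewall", "LogonType": 2,  "Computer": "FS02",  "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "jdoe",         "LogonType": 2,  "Computer": "FS02",  "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "admin-ops",    "LogonType": 10, "Computer": "SAW01", "IpAddress": "10.0.9.4"},
    {"EventID": 4634, "TargetUserName": "svc-firewall", "LogonType": 10, "Computer": "DC01",  "IpAddress": "10.0.5.23"},
]

# Hypothetical group membership and allow-list; in practice these come from AD
# and from your inventory of secure administration workstations.
DOMAIN_ADMINS = {"svc-firewall", "admin-ops"}
ALLOWED_ADMIN_HOSTS = {"SAW01"}

INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def flag_admin_logons(events, domain_admins=DOMAIN_ADMINS, allowed_hosts=ALLOWED_ADMIN_HOSTS):
    """Return (user, host, logon_type, source_ip) for each interactive logon by a
    Domain Admins member to a host that is not an approved admin workstation.
    Service (5) and network (3) logons are normal for a service account and skipped."""
    admins = {u.lower() for u in domain_admins}
    allowed = {h.upper() for h in allowed_hosts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue                                    # only successful logons
        user = ev["TargetUserName"].lower()
        if user not in admins:
            continue                                    # not a privileged account
        if ev["LogonType"] not in INTERACTIVE_LOGON_TYPES:
            continue                                    # service/network logon, expected
        host = ev["Computer"].upper()
        if host in allowed:
            continue                                    # approved administration workstation
        alerts.append((user, host, ev["LogonType"], ev["IpAddress"]))
    return alerts


def summarize(alerts):
    """Group alerts per account so a reviewer sees which hosts each account touched."""
    per_user = {}
    for user, host, _, _ in alerts:
        per_user.setdefault(user, set()).add(host)
    return per_user


if __name__ == "__main__":
    found = flag_admin_logons(SAMPLE_EVENTS)
    for a in found:
        print("ALERT: %s logged on interactively (type %d) to %s from %s" % a)
    print(summarize(found))
```

Running it over the sample flags the two logons by svc-firewall to DC01 (RDP) and FS02 (console) and nothing else: the service logon on the gateway and the network logon to the domain controller are what a Domain Admin service account is expected to do. Once "Deny logon locally" is in place for Domain Admins, the same query should return nothing, which makes it a useful check that the policy actually took effect.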

Before we look at best practices for securing the Administrator account, let's revisit our discussion with some tips and suggestions on Group Policy.

When you enable the "Deny logon locally" right in a GPO linked at the domain level, the policy affects all computers in the domain until processing encounters another GPO that also defines that right, either a GPO linked at the domain level with higher precedence or a GPO linked to some OU below the domain level.
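That precedence rule is easy to get wrong when several GPOs define the same right, so here is a small Python model of it. This is an added example, not from the column: it resolves which GPO's "Deny log on locally" setting a computer ends up with, given the chain of containers from the domain down to the computer's OU. It assumes a constructed hierarchy (a domain-level deny GPO, a Servers OU with no GPO of its own, and a Gateway OU whose GPO clears the deny list), and the GPO and OU names are hypothetical. SeDenyInteractiveLogonRight is the security-template name behind the "Deny log on locally" right; user-rights assignments are replaced, not merged, by each GPO that defines them.

```python
"""Work out which GPO's "Deny log on locally" setting a computer ends up with.

Models Group Policy precedence for a user-rights assignment: the setting is
replaced (not merged) by each GPO that defines it, GPOs on containers closer
to the computer are applied later and so win, "Block Inheritance" on an OU
drops non-enforced GPOs from above, and an enforced GPO beats anything below
it. The hierarchy in sample_hierarchy() is constructed for this example.
"""
from dataclasses import dataclass, field

DENY_LOCAL = "SeDenyInteractiveLogonRight"   # template name for "Deny log on locally"


@dataclass
class GPOLink:
    name: str
    rights: dict = field(default_factory=dict)   # right -> members; absent key = "Not Defined"
    enforced: bool = False


@dataclass
class Container:
    """A domain or OU. links are listed highest link-order precedence first."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def effective_rights(path):
    """path: containers from the domain down to the OU holding the computer.
    Returns (right -> effective members, right -> name of the winning GPO)."""
    normal, enforced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []                              # inherited non-enforced GPOs stop here
        for link in reversed(container.links):       # highest precedence is applied last
            (enforced if link.enforced else normal).append(link)
    # Enforced GPOs are applied after all the others; among them the one on the
    # highest container wins, so apply them child-first and the domain's last.
    effective, winner = {}, {}
    for gpo in normal + list(reversed(enforced)):
        for right, members in gpo.rights.items():
            effective[right] = list(members)         # replace, never merge
            winner[right] = gpo.name
    return effective, winner


def sample_hierarchy(enforce_domain=False, block_on_gateway=False):
    """Constructed example: domain-level deny GPO, a Servers OU without a GPO, and a
    Gateway OU whose GPO sets the right to an empty list (nobody denied)."""
    domain = Container("corp.example", [
        GPOLink("Deny DA local logon", {DENY_LOCAL: ["Domain Admins"]}, enforced=enforce_domain),
    ])
    servers = Container("OU=Servers")
    gateway = Container("OU=Gateway", [GPOLink("Gateway exception", {DENY_LOCAL: []})],
                        block_inheritance=block_on_gateway)
    return domain, servers, gateway


if __name__ == "__main__":
    domain, servers, gateway = sample_hierarchy()
    for path in ([domain, servers], [domain, servers, gateway]):
        eff, won = effective_rights(path)
        print(path[-1].name, "->", eff.get(DENY_LOCAL, "Not Defined"), "from", won.get(DENY_LOCAL))
    eff, won = effective_rights(list(sample_hierarchy(enforce_domain=True)))
    print("with the domain GPO enforced ->", eff[DENY_LOCAL], "from", won[DENY_LOCAL])
```

A computer in the Servers OU inherits the domain deny for Domain Admins; one in the Gateway OU gets the OU GPO's empty list instead, which is exactly the "until the policy encounters another GPO" case. Marking the domain GPO as Enforced makes it win again even in the Gateway OU, and even when that OU blocks inheritance, so if you want the Domain Admins deny to hold everywhere, Enforced is the setting to use.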
