I’ve been researching the best method of securely granting local administrative permissions but I’m really struggling to reconcile the security, operational, and cost implications.
I’ve devised a few options:
1. Create a domain security group (`Local Administrators`), add the required domain user accounts, and use Group Policy to add the domain security group to the local security group `Administrators`:
   - Pros:
     - Centrally-managed.
     - Auditable.
     - Free.
   - Cons:
     - Vulnerable to credential theft and lateral movement attacks.
2. Option #1 but using separate domain user accounts (`firstname.lastname.admin`):
   - Pros: Same as #1.
   - Cons: Same as #1. Apparently, even authenticating a UAC prompt creates a logon cache which can be exploited.
3. Option #1 but disabling cached logons:
   - Pros:
     - Centrally-managed.
     - Auditable.
     - Free.
     - Not as vulnerable to credential theft and lateral movement attacks.
   - Cons:
     - Users will be unable to log on if there’s a problem with the domain or their PC is offsite.
4. Deploy Microsoft LAPS and issue users with the unique, local administrator credentials:
   - Pros:
     - Centrally-managed.
     - Not vulnerable to credential theft and lateral movement attacks.
     - Free.
   - Cons:
5. Add the required domain user accounts to the local security group `Administrators`:
   - Pros:
     - Auditable (to an extent).
     - Not as vulnerable to credential theft and lateral movement attacks.
     - Free.
   - Cons:
6. Implement MFA:
   - Pros:
     - Centrally-managed.
     - Auditable.
   - Cons:
7. Implement a system that uses TOTPs and/or only temporarily grants administrative permissions as and when needed:
   - Pros:
     - Centrally-managed.
     - Auditable.
     - Not vulnerable to credential theft and lateral movement attacks?
   - Cons:
What is best practice / advised?
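Whichever option is chosen, the "Auditable" claim only holds if someone actually checks who ends up in the local Administrators group. The following PowerShell script is an added audit example, not code from the original post; it lists every member of the local `Administrators` group on the machine it runs on, flags anything that is not on an approved list, and reads the cached-logon setting that option #3 above depends on. The domain name `CONTOSO` and the group name `Local Administrators` are assumptions standing in for whatever the environment uses; the built-in RID-500 Administrator is treated as expected because that is the account LAPS (option #4) manages.

```powershell
# Added audit example (not part of the original post).
# Assumes the approved domain group is CONTOSO\Local Administrators (hypothetical)
# and that the script is run elevated on the machine being audited.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

$ApprovedMembers = @(
    'CONTOSO\Local Administrators',   # hypothetical group from option #1
    'CONTOSO\Domain Admins'           # hypothetical; present by default on domain-joined hosts
)

function Get-LocalAdminAudit {
    param(
        [string[]]$Approved = $ApprovedMembers,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Enumerate direct members of the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        # The built-in Administrator always has RID 500; LAPS rotates its password,
        # so its presence is expected rather than a finding.
        $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $m.Name
            Type     = $m.ObjectClass       # User or Group
            Source   = $m.PrincipalSource   # Local, ActiveDirectory or AzureAD
            Approved = $isBuiltIn -or ($Approved -contains $m.Name)
        }
    }
}

function Get-CachedLogonsCount {
    # REG_SZ value; Windows default is 10. Option #3 in the post sets it to 0 via the
    # policy "Interactive logon: Number of previous logons to cache".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
}

$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize

# Anything not on the approved list is a direct grant (option #5) or drift that
# bypasses the centrally-managed group, and should be explained or removed.
$unapproved = @($audit | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) in local Administrators: {1}" -f `
        $unapproved.Count, ($unapproved.Member -join ', '))
}

Write-Output ("CachedLogonsCount = {0}" -f (Get-CachedLogonsCount))
```

Run it on a sample of endpoints (or wrap it in a scheduled task that writes the objects to a central share or SIEM) and the difference between the options becomes measurable: with option #1 the only non-built-in member should be the one domain group, while stray user accounts indicate someone has fallen back to option #5 by hand.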