Category Archives: You don’t need DA

Delegate DHCP Admins in the domain

This is a simple guide to delegating DHCP Admins in the domain.
This guide is built on a Windows Server 2012 R2 environment.

If you have a lot of DHCP servers and want to delegate their administration in your domain, it’s quite easy, and a good thing to do if you don’t want to grant people Domain Admin access unnecessarily. But there are a few differences you need to know about, depending on how and where you install the DHCP Server role.

Let’s start with the most common way: installing the DHCP Server role service, which is an easy task.

Too much permissions on the domain root

This is an interesting question that I would like to share my view of here.

The question: What are the security implications of someone being able to modify permissions protecting the domain root object?

Let’s start with some basics:

  • All objects in AD are securable
  • Every securable object has a Security Descriptor (SD)
  • An SD contains the Owner SID, Group SID, DACL and SACL (the latter two known as the ACLs), plus a header with control flags
  • The ACLs contain ACEs
  • An ACE contains a set of access rights and a security identifier (SID) that identifies the trustee for whom those rights are allowed, denied, or audited

This topic focuses on the WRITE_DAC (Modify Permissions) right. If a security principal (user, security group, computer) has WRITE_DAC on an object, it is allowed to modify the Security Descriptor guarding that object.

So what are the implications of someone having the permission to modify the SD on the Domain Root?
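Before answering that question it helps to know who actually holds such rights today. The following PowerShell is an added example for this archive page, not code from the original post; it assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl) and a domain-joined session. It lists the owner of the domain root object and every Allow ACE that carries WriteDacl, WriteOwner or GenericAll, which are the rights that let a trustee rewrite the Security Descriptor itself.

```powershell
# Added example (not from the original post): audit who can rewrite the
# Security Descriptor of the domain root object.
# Assumes: RSAT ActiveDirectory module, domain-joined session, read access to the SD.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path ("AD:\" + $domainDn)

# Rights that allow changing the DACL or owner. GenericAll includes both bits,
# so a -band against this mask also catches GenericAll grants.
$sdRights = [System.DirectoryServices.ActiveDirectoryRights] 'WriteDacl, WriteOwner'

# The owner can always rewrite the DACL, regardless of the ACEs.
"Owner of {0}: {1}" -f $domainDn, $acl.Owner

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $sdRights) -ne 0
    } |
    Select-Object IdentityReference,
                  ActiveDirectoryRights,
                  IsInherited,
                  InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Run it as a normal domain user with read access and compare the output against the small set of principals that are supposed to be there (the built-in administrative groups and SYSTEM); anything else in that list is a delegation that deserves a second look, since WRITE_DAC on the root can be turned into any other permission on the root.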

Just In Time Admin Access

When talking about security in Active Directory, a big challenge is delegation and how to protect the admin accounts and groups. Microsoft has released two whitepapers about this subject.

  • Best Practices for Delegating Active Directory Administration
  • Best Practices for Securing Active Directory

Delegation builds on the security model in Active Directory, which is important to understand and keep in mind to get the best out of it. It’s not an easy task to manage, and it has many dependencies on administrative users and systems to keep in mind when setting it up.

This goes hand in hand with securing your Active Directory environment, since you have very highly privileged accounts, and if the wrong people get hold of them, they can do great damage to the whole company.

Why do you need Domain Admin?

I was thinking of starting a new category in my blog called “You don’t need Domain Admin”.

I will use it to gather information about delegation, from Active Directory out to the client, for different cases and needs.

I personally think delegation of roles and responsibilities is an important part of securing the infrastructure. If everybody has access to everything, or has the ability to gain access to everything on their own, well then the security is gone.

I will start with something that I see almost everywhere, and it can never be justified when you start talking about it. One of the first things I look at when I’m in a new AD environment is the high-privileged group memberships. There are always so many users and service account members that I always fall off the chair, and when I get up and ask about it I always get the same answers.