The document presents an 8-step guide for administering Windows systems without requiring domain admin privileges, highlighting the risks of privileged account usage and best practices to mitigate those risks. Key steps include enforcing role separation, limiting privileged group memberships, and using tools like PowerShell and privileged access management solutions. The importance of managing administrative access and monitoring is emphasized to prevent privilege abuse and enhance security.

1. 8-Step Guide to Administering
Windows Without Domain
Admin Privileges
Presenter: IT Security Consultant Russell Smith
@smithrussell

2. @smithrussell

3. @smithrussell

4. Do you issue IT staff with
domain admin privileges?

5. Privileged access = Increased
RISK

6. Risks Associated with Privileged Account Use
▪ Malware, viruses, and ransomware
▪ Pass-the-Hash and Pass-the-Token attacks
▪ Brute-force attacks
▪ Unsanctioned configuration changes
▪ Ability to disable security defences
▪ Data leakage
▪ Privilege abuse

7. Privileged Accounts Not Required
▪ Everyday AD management tasks
▪ Connecting to remote devices using Remote Desktop
▪ Using PowerShell Remoting
▪ Managing end-user devices
▪ Managing servers

8. 1. Enforce Separation of
Administration

9. Separate Roles
DC
DNS
DHCP
Exchange
File Server

10. Separate Roles
DC
DNS DHCP Exchange File server

11. 2. Enforce Least Privilege by
Limiting Privileged Group
Membership

12. Enforce Least Privilege by Limiting Privileged Group Membership
Domain Admins
Enterprise
Admins
Schema Admins

13. Enforce Least Privilege by Limiting Privileged Group Membership
Domain Admins
Enterprise
Admins
Schema Admins

14. Enforce Least Privilege by Limiting Privileged Group Membership
Domain
Admins
Enterprise
Admins
Schema
Admins
Backup Operators Print Operators Group Policy Owner
Creators
Read-only Domain
Controllers
Server Operators
BUILTINAdministrators Cryptographic Operators
Account Operators Domain Controllers

15. 3. Fine-Grained User/Privileged
User Account Management

16. Privileged User Account Management
Domain
Admins
Enterprise
Admins
Schema
Admins
Custom OU

17. Privileged User Account Management
Domain
Admins
Enterprise
Admins
Schema
Admins
Custom OU

18. Delegation of Control Wizard (ADUC)

19. Delegation of Control Wizard (ADUC)
Remote Server Administration Tools (RSAT)
Standard user managing Active Directory

20. 4. Manage Administrative
Access to End-User Devices

21. Group Policy Preferences or Restricted Groups Policy

22. 5. Manage Privileged Access
to Servers

23. Local Administrator Password Solution (LAPS)
Active Directory

24. Manage Privileged Access to Servers
AD group
'Server 1'
AD group
'Server 2'
AD group
'Server 3'

25. Manage Privileged Access to Servers
AD group
'Server 1'
AD group
'Server 2'
AD group
'Server 3'
BUILTIN
Admini
strators
BUILTIN
Admini
strators
BUILTIN
Admini
strators

26. 6. Leverage PowerShell Just
Enough Administration

27. Leverage PowerShell Just Enough Administration
PowerShell Remoting
ServerManagement PC
Default Endpoint
Groups: Administrators,
Remote Management Users
Exposes all cmdlets, modules,
and functions

28. Leverage PowerShell Just Enough Administration
PowerShell Remoting
ServerManagement PC
Constrained Endpoint
Groups: Any
Limited cmdlets, modules,
and functions
Per-session JEA account (optional)

29. 7. Use Privileged Access
Management Across Domain
Controllers

30. Leverage PowerShell Just Enough Administration
▪ Privileged Access Management (PAM)
▪ Tiered AD administration
▪ Privileged Access Workstations (PAWs)

31. Privileged Access Management in Windows Server 2016

32. TIER 0
Privileged Access Workstations
PAW PAW PAW
DC
RSAT

33. 8. Enable WSUS and
Centralize Events

34. TIER 0
Windows Server Update Services (WSUS)
WSUS
DC

35. Windows Event Forwarding
Collector
DC TIER 0
TIER 1

36. PowerBroker for
Windows
Jason Silva
Product Manager

37. Who is BeyondTrust?
EXPERIENCED
Prevents privilege
abuse and stops
data breaches for
4,000+ customers
worldwideCOMPLETE
PAM SOLUTION
Integrated privilege
& vulnerability
management,
threat & behavioral
analytics
LEADER
Gartner,
Forrester,
KuppingerCole

38. BeyondTrust Stops the Cyber Attack Chain
• Reduce attack surfaces by eliminating
credential sharing, enforcing least privilege,
and prioritizing and patching system
vulnerabilities
• Monitor and audit sessions for unauthorized
access, changes to files and directories, and
compliance
• Analyze behavior to detect suspicious user,
account and asset activity

39. Endpoint Privilege
Management
Remove excessive user privileges
and control applications on endpoints
WINDOWS | MAC
Enterprise Password
Security
Provide accountability and control over
privileged credentials and sessions
APPS | DATABASES | DEVICES
SSH KEYS | CLOUD | VIRTUAL
Server Privilege
Management
Control, audit and simplify access for
DevOps and business-critical systems
UNIX | LINUX | WINDOWS
ASSET & ACCOUNT
DISCOVERY
THREAT & VULNERABILITY
INTELLIGENCE &
BEHAVIORAL ANALYTICS
REPORTING &
CONNECTORS
POLICY & ACTION
RESPONSE
THE POWERBROKER PRIVILEGED ACCESS MANAGEMENT PLATFORM
BeyondInsight

40. Comprehensive Windows Privilege Management
Dynamic
Access Policy
Comprehensive
Least Privilege
Privileged
Threat
Analytics
Remote
System &
Application
Control
Auditing &
Governance
File &
Policy
Integrity
Monitoring
Privilege
Management
Best Practices

41. Product Demonstration

42. Quick Poll + Q&A
Thank you for attending!