A large majority of breaches happen because of compromised credentials (https://blog.centrify.com/cause-of-data-breaches/) and so it stands to reason that a compromise of privileged credentials would be the worst case scenario. If someone gets hold of Domain Admin credentials the game is essentially over.
Because of this when I’m talking to customers about improving their security posture one of the first things I recommend is reducing the number of accounts in AD privileged groups such as Domain Admin, Enterprise Admin and Schema Admins as documented in the Best Practices for Active Directory Security. What I often see is;
Lots of accounts in Domain Admins
IT administrators are often in Domain Admins. Sometimes, but not always, this account is separate from their day to day ‘normal’ account.
Service accounts in Domain Admins
I often ask why so many accounts are put in these groups and the answer is usually along the lines of;
‘I need those permissions’ or ‘stuff just works when an account is in that group’.
For me one of the simplest things you can do to help reduce the attack surface of AD is to simply remove accounts from these privileged groups. Ideally the only account in there would be the built in Administrator (RID 500) account.
AD Security resources;
I’ll do another post soon on Group Policy settings to help secure and audit your AD and Windows environment.