We often get the request – “Can one key person or lots of users have Domain Administrator rights to the network?”
This document looks to detail the reasons why this tends to generate a number of challenges for your organization.
First, let’s give you an analogy… If a person (no matter how well intentioned) walks around all day, every day holding a lit candle, trying to be sure not to drop it, burn their hand (with the hot wax), burn anyone else or set anything on fire, sooner or later… it’s going to end badly. The only question is: how badly?
The exact same issue occurs with giving any users domain administrator rights…it’s going to end badly.
Why network security is important:
We deal with the results of wrong clicks, typos, and slips for our clients every day. With normal rights, this can affect either just that user or the common areas (on the network) that the user shares with others. With domain administrator rights, the effects can be dramatically larger: affecting secure areas on the network, bringing the network down, removing the ability to access files (either locally or on the network), dramatically reducing network performance and locking out entire sections of the network from being backed up.
When a user with domain administrator rights is fooled into clicking on an email with some sort of infection mechanism, or just visits an infected website, the risk jumps from their computer (and maybe files on the server) to a complete meltdown of all servers and workstations on the entire network, often with Ransomware. Much of today’s malware includes multiple attack vectors – so the more files and access it has (via domain administrator rights) once it gets in the door, the more damage it can do.
Good Intentions / Bad Consequences
When a user uses their Domain Administrator permissions to grant or change file/folder rights or otherwise modify settings, like encryption or compression, they often expose the organization to risks that are only uncovered when a second event (sometimes much later) occurs. These secondary events often involve either a failure or a security issue – like needing to recover files (which now can’t be recovered), a user departure (on less than agreeable terms), or a security issue from outside (like Ransomware or a bad actor).
The “Typhoid Mary” issue
When someone has domain administrator rights, their ability to auto-run apps during logon and on insertion of things like USB sticks goes up. Often malware includes an auto-reinfection mechanism to reinstall itself after removal. If you add to that a roaming characteristic (where they touch multiple computers, or even servers), you end up with a “Typhoid Mary”, who spreads infection(s) throughout the enterprise.
When an employee is looking to leave an organization, domain administrator rights can generate a significant issue. The issue can occur for the user who actually has domain administrator rights or for a user/folder whose access has been previously “tuned” by the actual user with administrator rights. In both cases, it significantly increases the level of damage. Here are the two ways we’ve seen this play out:
The departing user deletes important info (often that the organization’s management didn’t realize they had access to) as part of the departure.
The user copies the data (often that the organization’s management didn’t realize they had access to) and brings it with them – for their new job or other less than honorable intentions.
When issues are discovered based on changes made or damage done using the domain administrator rights, uncovering and resolving all the areas that were affected can be a very time-consuming process. This is particularly true in the non-malicious cases, where someone was being helpful/expedient and made changes throughout the infrastructure over time, and honestly can’t remember where the changes were made.