
I'm working on a solution to secure workstation admins accounts. Here's what I've come up with so far:

We'll have three types of accounts:

* A standard 'everyday' user account.
* A privileged domain account with access to consoles such as SCCM and Intune.
* A non-privileged domain account that will serve as a local admin on user machines.

Both the privileged and non-privileged domain accounts will be placed in the 'Protected Users' group to safeguard against credential theft.

For the privileged domain account, I intend to implement the following policies on user PCs:

* Deny access to this computer from the network.
* Deny logon as a batch job.
* Deny logon as a service.
* Deny logon through Remote Desktop Services.
* Deny local logon.

This will restrict its usage to designated admin workstations. Additionally, I plan to disable SeDebugPrivilege for all accounts with local admin rights to mitigate tools like Mimikatz.

However, I'm facing a challenge with the non-privileged domain account that has local admin rights on user machines. This means that if compromised (e.g. some admin installing sh*t under this account on computers), this account could potentially access a wide range of user machines.

My initial idea is to limit this account to log in remotely only from secured workstations, thereby preventing remote authentication from user PCs to other user PCs. But I haven't found a way to implement this yet. Essentially, I need the account to be able to log on locally to the workstations but disallow it from logging in from these workstations elsewhere.

How would you suggest mitigating this issue?

submitted by /u/Equal-Swordfish3662
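The post's first design step (deny the privileged account every logon type on user PCs, and strip SeDebugPrivilege from local admins) is a set of User Rights Assignments, which can be verified per workstation rather than assumed from the GPO. The script below is an added example, not code from the post or its author: it exports the effective local security policy with `secedit`, resolves the account names to SIDs the way the export lists them, and reports any of the five deny rights that do not contain the privileged account, plus whether the built-in Administrators group still holds SeDebugPrivilege. The account names `CONTOSO\priv-admin` and `CONTOSO\ws-admin` are placeholders for the two domain accounts the post describes; it assumes an elevated PowerShell session on the workstation being checked.

```powershell
# Added example: audit a workstation's effective User Rights Assignments against the
# deny rights the post applies to the privileged domain account. Not the post's code.
# Assumes an elevated session; account names below are placeholders.
$PrivilegedAdmin = 'CONTOSO\priv-admin'   # placeholder: privileged domain account (SCCM/Intune consoles)
$LocalAdminAcct  = 'CONTOSO\ws-admin'     # placeholder: non-privileged account used as local admin

# The five deny rights from the post, keyed by the constant names secedit uses.
$ExpectedDenies = @{
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
}
$BuiltinAdministratorsSid = 'S-1-5-32-544'

function ConvertTo-Sid([string]$Account) {
    # Resolve DOMAIN\name to its SID string; secedit writes principals as *S-1-5-...
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LocalUserRights {
    # Export only the user-rights area of the local policy and parse the
    # [Privilege Rights] section into: right name -> array of SID strings.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            # Entries look like "*S-1-5-21-...,*S-1-5-32-546"; strip the leading asterisk.
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-AdminTieringPolicy {
    $rights   = Get-LocalUserRights
    $privSid  = ConvertTo-Sid $PrivilegedAdmin
    $findings = @()

    # 1. Every deny right must list the privileged account, otherwise it can still
    #    log on to this user PC through that path.
    foreach ($right in $ExpectedDenies.Keys) {
        $holders = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }
        if ($holders -notcontains $privSid) {
            $findings += "MISSING: $($ExpectedDenies[$right]) ($right) does not include $PrivilegedAdmin"
        }
    }

    # 2. The post removes SeDebugPrivilege from local admins; by default it is
    #    granted to BUILTIN\Administrators, so flag it if that grant is still present.
    $debugHolders = if ($rights.ContainsKey('SeDebugPrivilege')) { $rights['SeDebugPrivilege'] } else { @() }
    if ($debugHolders -contains $BuiltinAdministratorsSid) {
        $findings += "PRESENT: SeDebugPrivilege is still granted to BUILTIN\Administrators"
    }

    # 3. Sanity check that the deny rights were not also applied to the local-admin
    #    account, which must still be able to log on locally per the post's design.
    $wsSid = ConvertTo-Sid $LocalAdminAcct
    if ($rights.ContainsKey('SeDenyInteractiveLogonRight') -and $rights['SeDenyInteractiveLogonRight'] -contains $wsSid) {
        $findings += "CONFLICT: $LocalAdminAcct is denied local logon on this workstation"
    }

    if ($findings.Count -eq 0) { Write-Output "OK: $env:COMPUTERNAME matches the expected user-rights policy" }
    else { $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME  $_" } }
    return $findings
}

Test-AdminTieringPolicy
```

Run it through your existing remote-execution channel (for example as a scheduled task or via `Invoke-Command`) and collect the returned findings centrally; a workstation that reports `MISSING` for any deny right is one where the GPO did not apply, which is the gap this tiering design depends on never existing. The script only checks the effective local policy; it does not address the post's open question about stopping the local-admin account from authenticating outward from a user PC.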


