Introduction
In today’s complex IT environments, the question of who has domain admin-level access is far more complicated than it seems. Many companies are implementing Defender for Endpoint, Azure Arc for Servers, and using various cloud management solutions alongside Configuration Manager. Let’s dive into these three tools and uncover their hidden impact on domain admin access.
The Hidden Admins in Configuration Manager
Imagine you have two official Domain Admins: John and Mary. Seems straightforward, right? Now, let’s add Configuration Manager to the mix, managed by a separate team of three operators: Marc, Tim, and Kim.
Here’s where it gets interesting: Configuration Manager runs under the local system account. This means these operators can:
- Execute scripts on domain controllers
- Install packages that could modify system configurations
- Set baselines that could alter security settings
While Marc, Tim, and Kim aren’t in the Domain Admins group, they have the power to make changes that are just as impactful. They’re not official Domain Admins, but in practice, they might as well be.
Surprise! You now have 5 de facto Domain Admins.
Defender for Endpoint Expands the Circle
Next, let’s consider your Infosec team managing Defender for Endpoint: Ryan, Kate, Jason, and Peter.
In many organizations, Defender for Endpoint is set up with a flat structure, giving these team members access to every endpoint – including Domain Controllers. They can:
- Run Live Response sessions on any machine
- Execute PowerShell scripts with system-level privileges
- Access and potentially exfiltrate sensitive data
While their intentions are to protect your environment, they have the capability to make sweeping changes across your entire domain.
Count check: We’re up to 9 shadow Domain Admins.
Azure Arc for Servers: The Final Stretch
Azure Arc for Servers is a multi-cloud management solution for managing on-premises servers from the cloud. By default, it runs in full mode, which means all supported extensions can be enabled. This includes:
- Run command feature
- Custom script extensions
- Automated task execution
Add two more to the server team, Justin and Jay, who manage Azure Arc. They now have the ability to execute commands and scripts on your on-premises servers, including domain controllers, directly from Azure. It’s important to understand the config mode property in Azure Connected Machine Agent to manage these permissions effectively
Final tally: 11 people with Domain Admin-level access.
The Real Threat Landscape
Here’s the truth bomb: You don’t need official DA permissions to cause significant damage. There are countless attack paths we know about, and many more we don’t. Some examples include:
- Lateral movement through less-secured systems
- Exploitation of misconfigurations in management tools
- Social engineering attacks targeting high-privilege users
When designing your infrastructure, especially in hybrid-cloud environments, you must:
- Classify your assets based on sensitivity and importance
- Configure different access tiers to limit exposure
- Avoid flat structures that give unnecessary access
- Implement the principle of least privilege across all systems
Summary
This isn’t just about numbers – it’s about understanding the true scope of your administrative access. Ignoring this is like thinking you’ve only given house keys to your spouse, while accidentally leaving copies under every doormat in the neighborhood.
Design your Arc, Defender, and every management system with careful consideration. Don’t dismiss concerns about Tier-0 systems in Arc – instead, focus on the bigger picture of access management across all your tools.
Remember: Attack Path Management is a full-time job. It’s time we treated it as such.
Action Steps
- Audit your on-premises and cloud management tools and identify all potential admin access points
- Implement strict access controls and monitoring for high-privilege actions
- Regularly review and adjust access permissions across all systems
- Train your teams on the importance of access management and potential risks
- Consider implementing a Privileged Identity Management (PIM) solution
- Develop and enforce policies for just-in-time and just-enough access
- Conduct regular penetration tests to identify potential attack paths
- Make it password-less and use Conditional Access policies
- Split your resources into different Tiers and learn how to protect your Tier-0 assets
Don’t wait for a breach to realize you’ve been running with your digital front door wide open. Take control of your domain admin access today. Your future self (and your security team) will thank you.
The importance of regular cybersecurity audits cannot be overstated in maintaining this level of security awareness and control.
