When creating a new user for one of our clients I was asked to copy an existing user. Once I had finished creating that user I went to see which Active Directory groups he belonged to, and was shocked to find how many groups he was in.
In fact, as you can see in the screenshot to the right, you can view which domain groups a user belongs to in the Active Directory GUI just by:
But take a look at the scroll bar and you’ll see just how many groups this DBA belongs to… waaaay too many.
Common sense rules require that a user be granted the least privilege necessary, and yet this person has everything, including Enterprise Admin.
There were pages and pages of groups this person belonged to, so I needed a command line tool, something I could use in PowerShell, CMD or Windows Terminal, to list all of the groups this user was a member of. It turns out to be a very simple command:
net user /domain [user]
You can see in the screenshot above that this user had two full columns of group memberships in Active Directory. That puts him into 60 different groups; surely that is not necessary for a new database administrator.
At this point we were able to highlight this over-credentialing to the manager. The manager then stripped out about 80% of those groups, which substantially reduces the attack surface and helps to keep this client safe.
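As an added example (not part of the original post), the same review can be done in PowerShell with the RSAT ActiveDirectory module, which goes further than net user in two ways: it also returns groups the user inherits through nesting (net user only shows direct memberships), and it flags the built-in high-privilege groups so an Enterprise Admin membership does not get lost in a list of 60. The account name 'new.dba' is an assumed placeholder; everything else uses documented cmdlets and the standard LDAP_MATCHING_RULE_IN_CHAIN matching rule.

```powershell
# Added example, not code from the original post.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$SamAccountName = 'new.dba'   # assumed placeholder; replace with the user under review

# Built-in groups that confer broad control of the domain or forest.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins'
)

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# Direct memberships live in the MemberOf attribute (a list of group DNs).
# Note: the primary group (usually Domain Users) is not in MemberOf.
$direct = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })

# Transitive memberships: the 1.2.840.113556.1.4.1941 matching rule makes the
# DC walk nested group membership for us. DNs containing ( ) * or \ would need
# LDAP filter escaping; plain user DNs do not.
$all = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")

$report = foreach ($g in $all) {
    [PSCustomObject]@{
        Group      = $g.Name
        Scope      = $g.GroupScope
        Direct     = ($direct.DistinguishedName -contains $g.DistinguishedName)
        Privileged = ($PrivilegedGroups -contains $g.Name)
    }
}

# Privileged and directly assigned groups float to the top of the table.
$report | Sort-Object -Property Privileged, Direct -Descending | Format-Table -AutoSize

$privCount = @($report | Where-Object { $_.Privileged }).Count
$nested    = $all.Count - $direct.Count
"{0}: {1} groups total ({2} direct, {3} via nesting), {4} privileged" -f `
    $SamAccountName, $all.Count, $direct.Count, $nested, $privCount
```

Run it once against the template account before copying it, and again against the new account afterwards: if the summary line shows any privileged groups for a role that should not have them, that is the conversation to have with the manager before the account is handed over.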