I'm sure you're all familiar with how Windows Domains work - but I do wonder this...

What measures do you reasonably take to prevent people from gaining domain administrator access?

On the one hand, it *seems* secure (Microsoft would say) that Domain Admin access is not "automatically" obtained by someone with local admin access. But in practice they would be able to achieve it:

- Installing a keylogger, and reporting a problem with the machine or their account - admin logs in - they immediately have the password
- Some programs that use distributed update services (like virus scanners especially) - sometimes require domain admin accounts - even more often, they're granted more privileges than they really need. Backup services too. A user with local admin rights can steal these services' credentials and launch processes with these rights.

So there are numerous moderately easy ways to obtain domain admin rights, if you get local admin rights. These can be mitigated by strict policy controls, for example:

- Keep all domain controllers and workstations used by admins for user management under lock & key
- Instruct sysadmins never to log on to other places using a domain admin account
- Never log on using a normal account in these secure boxes
- Give all sysadmin staff normal accounts with no extra access for day-to-day usage.

However, this is very inconvenient for the sysadmin, who must physically move to a different machine to do any user administration.

Also, one common approach is to keep the users and machines in different domains (or different parts of AD (not sure how AD works exactly)), so that in principle at least, gaining domain admin of the workstations domain won't give you access to the user base (although it's still very serious, as one could potentially install a keylogger on every workstation remotely).

Basically, what I'm saying is, how do you make it difficult for someone to get domain admin access?

- Prevent them from getting local admin rights (Difficult on standard Intel hardware) + Some users (i.e. developers) REQUIRE local admin rights in order to be able to do work.
- Prevent them from escalating local admin to higher privilege levels through use of secure separation facilities?
- Use something else? Third party products (Hardware / software) ?
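One way to check for the second escalation path the question describes (services on workstations running under privileged domain accounts) and for privileged accounts sitting in local Administrators groups. This is an added audit example, not code from the question or any answer. It assumes the RSAT ActiveDirectory module on the host it runs from, WinRM access to the targets, and rights to read service configuration remotely; the computer names are placeholders.

```powershell
# Added example: audit workstations for privileged domain accounts used as
# service identities or present in the local Administrators group.
# Assumptions: ActiveDirectory module available, WinRM enabled on targets,
# caller has rights to query services and local groups remotely.

#Requires -Modules ActiveDirectory

param(
    # Placeholder host names - replace with real workstation names
    [string[]]$ComputerName = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02'),
    # Groups whose members should never run services or be local admins on workstations
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
)

# Build a lookup of SamAccountNames that are (directly or via nested groups)
# members of the privileged groups, so accounts privileged through nesting are caught too.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privileged[$_.SamAccountName.ToLowerInvariant()] = $g }
}

function ConvertTo-SamAccountName {
    # Normalise 'DOMAIN\user' or 'user@domain.tld' to a lower-case plain account name.
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return $null }
    $name = $StartName
    if ($name -like '*\*')     { $name = $name.Split('\')[-1] }
    elseif ($name -like '*@*') { $name = $name.Split('@')[0] }
    return $name.ToLowerInvariant()
}

$findings = foreach ($computer in $ComputerName) {
    # 1. Services whose logon identity is a privileged domain account.
    Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sam = ConvertTo-SamAccountName $_.StartName
            if ($sam -and $privileged.ContainsKey($sam)) {
                [pscustomobject]@{
                    Computer = $computer
                    Finding  = 'PrivilegedServiceAccount'
                    Detail   = "Service '$($_.Name)' runs as $($_.StartName) (member of $($privileged[$sam]))"
                }
            }
        }

    # 2. Privileged domain user accounts placed directly in the local Administrators group.
    Invoke-Command -ComputerName $computer -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
    } | ForEach-Object {
        $sam = ConvertTo-SamAccountName $_.Name
        if ($sam -and $privileged.ContainsKey($sam)) {
            [pscustomobject]@{
                Computer = $computer
                Finding  = 'PrivilegedLocalAdmin'
                Detail   = "$($_.Name) is in local Administrators (member of $($privileged[$sam]))"
            }
        }
    }
}

# Every row is a place where a local admin on that workstation could harvest
# credentials of an account that is privileged across the domain.
$findings | Format-Table -AutoSize
```

Run it from the locked-down admin workstation the question describes, not from an ordinary desktop, since it itself needs privileged read access. An empty result is what the "never log on elsewhere with a domain admin account" rule should produce; enforcing that rule technically, rather than by instruction alone, is done with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy applied to the privileged groups on all non-admin machines.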