Delegating permissions

In the previous section, we learned about how AD authentication works. As we saw, the Kerberos protocol itself was built to prevent identity compromise. This is all good on paper, but in reality, attackers use many methods and tools to attack AD environments. Therefore, it is important to know the features, techniques, and tools that we can use to protect AD environments further.

In an AD environment, there are different types of management tasks. Managing domain controllers, adding/managing/removing users, adding/managing/removing groups, resetting passwords, and joining devices to the domain are just some examples. In a structured IT department, these management tasks can be bound to different job roles.

As an example, let's assume that Rebeladmin Corp.'s IT department has first-line (first support contact), second-line (intermediate), and third-line (senior) IT teams. When considering the AD management tasks, first-line engineers are usually involved with tasks such as user password resets, setting up new user accounts and groups, and adding devices to domains.

Second-line engineers are involved with additional tasks such as Group Policy setup and Group Policy troubleshooting. Third-line engineers usually work on tasks such as advanced troubleshooting, domain controller installations, schema changes, and physical and logical design changes.

In this way, we can group AD management tasks according to the responsibilities of different engineering roles. This allows each job role to take ownership of a distinct set of AD management tasks. At the same time, once a job role owns a task, there should be a mechanism that prevents other teams from interfering with it. As an example, if third-line engineers are responsible for AD schema changes, there should be a way to prevent first-line and second-line engineers from making them as well. If we need to allow or prevent users or groups from accessing a folder on a file server, we do so using permissions. In the same way, AD allows you to control users' and groups' authority over objects and management tasks based on permissions.

Managing permissions for the IT team is a difficult task, as it is not only about permissions; it has a social aspect too. In general, we accept that administrators are trustworthy people, and while most of them are, you can never be certain. Therefore, it is best to take precautions and manage permissions sensibly. There are a few ways to manage permissions for AD management tasks:
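The following script is an added example, not code from the book, and shows the first-line case from above: granting a group only the "Reset Password" extended right on one OU, instead of adding its members to a broad built-in group. The OU path, the group name and the domain are assumptions; the two GUIDs are the well-known schema identifiers for the Reset Password control access right and the user object class.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to edit the OU's ACL.
Import-Module ActiveDirectory

# Assumed names for this example; adjust to the target environment.
$ouDN      = "OU=Staff,DC=rebeladmin,DC=com"
$groupName = "FirstLine-Engineers"

# Well-known GUIDs: Reset Password extended right and the user object class.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userObjectClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Build an ACE: Allow ExtendedRight (Reset Password) for the group,
# applied only to descendant user objects under the OU (least privilege:
# no Write access to the OU itself, no rights on computers or groups).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass
)

# Read the OU's current DACL through the AD: drive, add the ACE, write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list every ACE on the OU that grants this group something.
# Reviewing this output periodically is how you catch delegation creep.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, AccessControlType
```

The same pattern, with a different extended-right or attribute GUID, delegates other first-line tasks (for example, unlocking accounts) without ever handing out membership in Account Operators or Domain Admins.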