Security Best Practice for Active Directory
Securing active directory is really important.
We still see help desk staff being added to Domain Admins group, Admins are elevating to their DA account to run powershell, RSAT etc on their device which they also use to download software, browse the internet and basically everything they do on day to day basis.
Domain Admins in the past was the easy way to managing almost everything. Exchange, Users, Systems running on member servers, Servers (I’ve even seen domain controllers), Service accounts have been added to Domain Admins group. The simple reason for this was “It just works and it’s easy” or the worst phrase “We have always done it this way”.
Compromised credentials on servers or computers used for day to day administrative tasks is a common way to get the keys to the kingdom and the high value assests every company tries to hard to protect.
If you have the time and want to provide proper AD security for your environment there is a Best Practice Guide to Secure Active Directory.