We always have the Paladin Sentinel Monitoring console up during the day. I am still seeing mass use of the domain administrator account to RDP into servers and lots of daily RDP connections in general.
There are legitimate reasons to RDP into servers.
There are legitimate reasons to use a domain administrator ID.
However, the rate at which that ID continues to be the "go-to" ID for everything and the number of "quick RDPs" into servers are disheartening.
In the cybersecurity world RDP has picked up a second expansion. Security professionals have nicknamed it "Ransomware Deployment Protocol".
RDP has earned that name. An RDP listener that can be reached with nothing but a password is one of the most common ways ransomware crews get their first foothold, whether through brute force, through credentials stolen somewhere else, or through a server nobody remembered was exposed. We have almost all RDP turned off in our environment. We have RDP and true server console access MFA protected by Cisco Duo.
You should too.
Your goal for the rest of 2022 is to see who can stay off the servers the most. Use the Remote Server Administration Tools (RSAT) for as much as possible from a separate management workstation, so that day-to-day Active Directory, DNS and DHCP work never requires a desktop session on the server itself. Delegate lower-privilege accounts to handle the routine tasks such as password resets, account unlocks, and DHCP and DNS changes, so the domain administrator ID is reserved for work that genuinely needs it. Turn off RDP wherever you can in your network, and where it has to stay on, limit who is allowed to connect. Enforce MFA regardless of how you access any server.
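As an added example (not from the original post, and not Paladin's own tooling), the following PowerShell does two of the steps above on a member server: it turns RDP off and verifies that it is off, then delegates password reset, force-change and unlock on a staff OU to a helpdesk group so those jobs no longer need the domain administrator ID. The domain name DISTRICT, the OU `OU=Staff,DC=district,DC=local` and the group `DISTRICT\Helpdesk` are assumptions; substitute your own. Run it elevated on the server for the first part and as an account that can edit the OU's ACL for the second.

```powershell
# Added example, not from the original post. Assumptions: domain DISTRICT,
# staff user objects under OU=Staff,DC=district,DC=local, and a helpdesk
# group DISTRICT\Helpdesk that should be able to reset/unlock those users.
#Requires -RunAsAdministrator

# ---- 1. Turn RDP off on this server and verify ----
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord

# fDenyTSConnections=1 makes TermService refuse new sessions, but the service
# keeps listening on 3389, so also close the inbound firewall rules for it.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

$denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
$open   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
            Where-Object { $_.Enabled -eq 'True' })
if ($denied -and $open.Count -eq 0) {
    Write-Host "RDP disabled on $env:COMPUTERNAME"
} else {
    Write-Warning "RDP still reachable on $env:COMPUTERNAME (denied=$denied, open rules=$($open.Count))"
}

# ---- 2. Delegate reset/unlock on the Staff OU to the helpdesk group ----
$ou = 'OU=Staff,DC=district,DC=local'
# /I:S = apply to child objects only; the trailing ';user' limits each ACE to
# user objects, so the helpdesk gets nothing on computers, groups or the OU itself.
dsacls $ou /I:S /G 'DISTRICT\Helpdesk:CA;Reset Password;user'   | Out-Null  # reset password
dsacls $ou /I:S /G 'DISTRICT\Helpdesk:RPWP;pwdLastSet;user'     | Out-Null  # "change at next logon"
dsacls $ou /I:S /G 'DISTRICT\Helpdesk:RPWP;lockoutTime;user'    | Out-Null  # unlock account

# Verify: dsacls with no switches prints the object's ACL; show only our group's entries.
dsacls $ou | Select-String 'Helpdesk'
```

The delegation is deliberately narrow: three attribute-level rights on user objects in one OU. DNS and DHCP changes are not shown here because the built-in groups that allow them (DnsAdmins, DHCP Administrators) carry more privilege than a password reset and deserve their own review before anyone is added.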
Besides the rights issues and potential exposures, you have a logging problem. When everyone shares the domain administrator ID, the security log records "Administrator" and little else; the source address and workstation name are the only clues to which person was actually at the keyboard. Who is the administrator in the log? Chances are it is one of several people.
It is hard to know who did what if everyone could be an administrator.
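To see the logging problem on your own servers, here is an added example (not from the original post, and not part of the Paladin Sentinel console) that pulls the last week of RDP logons from a server's Security log and flags the ones made with a Domain Admins member. It assumes it is run on the server being RDP'd into, since the RemoteInteractive logon event is written there rather than on the domain controller, that the RSAT ActiveDirectory module is installed, and that the running account can read the Security log. The seven-day window is an arbitrary choice.

```powershell
# Added example, not from the original post. Run on the server being logged into.
# Assumes the RSAT ActiveDirectory module and read access to the Security log.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# 4624 = successful logon. LogonType 10 (RemoteInteractive) is a new RDP session;
# reconnects to a disconnected session are logged as LogonType 7 and are not counted here.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rdpLogons = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -ne '10') { continue }

    # A local Administrator shows the computer name as TargetDomainName; only a
    # domain account can be a Domain Admins member, so exclude local accounts.
    $isDomainAcct = $d.TargetDomainName -ne $env:COMPUTERNAME
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Account       = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIP      = $d.IpAddress
        Workstation   = $d.WorkstationName
        IsDomainAdmin = $isDomainAcct -and ($domainAdmins -contains $d.TargetUserName)
    }
}

# The shared-ID problem in one table: for each Domain Admin account, how many RDP
# sessions came from how many distinct sources. More than one source behind a single
# account means the log cannot tell you which person did what.
$rdpLogons | Where-Object IsDomainAdmin |
    Group-Object Account |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Sessions = $_.Count
            Sources  = ($_.Group.SourceIP | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

Run it on each server, or add `-ComputerName` to `Get-WinEvent` to query several from the management workstation. If the domain Administrator row lists three or four source addresses, that is exactly the situation the auditor will ask you to explain.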
Lack of clarity makes auditors have unhappy faces.
Your cyber insurance carrier now has those same unhappy faces.
If they don't have it yet, your Superintendent, Business Official, and School Board are about to have those same unhappy faces as your insurance comes up for renewal.
I admit habits are hard to break.
Two or three years ago I heard at Ford there were three people who knew the true domain administrator ID worldwide and they were debating whether they needed a fourth.
If Ford can run worldwide with three people knowing the ID, then we certainly can do better at limiting domain admin access.
If I can live without RDP and have MFA turned on for anything important so can you.
If you want to discuss tightening administrator access in your district, please give us a call.