Network security basic protection rules:
- Don’t grant your users local administrator rights. This is cumbersome, but
it ensures that the local hash database resists compromise, keeping other
users’ hashes away from prying eyes.
- Use domain administrator credentials only on machines with domain
controller roles installed. Use delegated administrator accounts with fewer
rights to perform privileged actions on other machines like client computers
and member servers.
- Don’t grant junior administrators local administrator rights on servers.
Avoid granting anyone local administrator access on servers.
- Consider setting up a whitelist of known-good applications. For some
organizations, this is a trivial task, but it will prevent the operation of
the utilities used in attacks and any other utilities that may come out
to make this attack easier to execute.
- Never use the domain administrator account to grant privileges to service