Is there any kind of dual auth, or secondary approval process to add domain admin to an account?

We are looking to see if there is any kind of security that can be placed on AD so that if a malicious user would get a hold of said AD, they could not add "Domain Admins" to an account without a secondary factor.  Either the request would go to another user where they would have to click on something to approve or deny it... or it goes to an MFA app.  We do use DUO MFA for OWA and soon VPN, but I do not see how it could stop an admin from running ADUC as their administrator user, creating a new user and adding an admin account.  Also if a hacker finds some kind of privilege escalation bug and wants to create a new domain account, this process should be emailed to CIO or other admins where they could click approve or deny.  Of course either ignoring the request or clicking deny would not allow "domain admin" privilege to be granted to the user.

I do not see any provisions in the current Microsoft user interface for this kind of thing, but with security these days I wasn't sure if anyone is aware of a third party product.

We are on a 2008 R2 level domain.

June 18th, 2015 8:36am

By their very nature, domain admins can circumvent most things like that. This problem has been seen in other products such as Advanced Group Policy Management. 

One thing that may help you (but only adds another layer to security) is to enforce domain admin membership with restricted groups. This means any users added to the domain admins group are removed unless they are specified in a GPO. Still easy to bypass but helpful.

June 18th, 2015 8:45am

OK, so you could in theory configure the restricted groups on the Domain Default Policy (or likely better yet create a new GPO and tie it to the root level of the organization), and so if a hacker creates an account by some vulnerability and tries to escalate that account to "Domain Admins", because this new account name is not in the GPO, it will be removed immediately?

It's like a dual factor in a way, at least it's something to slow down or confuse the outsider who is unaware of that configuration.  I just want to make sure I am understanding this correctly.

June 18th, 2015 8:50am

Nope, unfortunately you are not understanding correctly.

What happens with restricted groups policy is as follows...

  1. An existing domain admin creates a new domain admin account. Or malicious software running as local system on domain controller can create a new domain admin account.
  2. A new domain admin account does whatever (s)he intends to do.
  3. When the refresh policy interval arrives (every 90 +/- 30 minutes by default) the new domain admin account will be removed from the restricted group (domain admins).
  4. But it is not over yet. The "new domain admin" may still work as domain admin until the Kerberos ticket expires.

You may use auditing and optionally some third party alerting system which will notify you when someone introduces new domain admin. You may then ask why that person did not ask for permission to do that and so on, and so on...

June 18th, 2015 9:30am
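As an added illustration of the auditing/alerting approach described in the reply above (this is not code from the thread or from any product mentioned in it), the script below scans constructed Security-log records shaped like event 4728 ("A member was added to a security-enabled global group"), raises an alert for every addition to Domain Admins, and notes whether a Restricted Groups GPO with an assumed allow-list would revert that addition at the next refresh. The event records, the allow-list and the computer-account subject `DC01$` are all assumptions made for the example.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample records modelled on the fields of Security event 4728.
# Not real log data. The second record assumes that software running as local
# SYSTEM on a domain controller is logged under the DC's computer account (DC01$).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4728, "TimeCreated": "2015-06-18T08:40:12", "SubjectUserName": "jdoe-adm",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2015-06-18T08:41:03", "SubjectUserName": "DC01$",
     "MemberName": "CN=sqladmin2,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2015-06-18T08:42:30", "SubjectUserName": "jdoe-adm",
     "MemberName": "CN=helpdesk1,CN=Users,DC=corp,DC=example", "TargetUserName": "Helpdesk"},
    {"EventID": 4728, "TimeCreated": "2015-06-18T08:43:00", "SubjectUserName": "jdoe-adm",
     "MemberName": "CN=jdoe-adm,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
]

# Members the (assumed) Restricted Groups GPO lists for Domain Admins, lower-cased.
GPO_ALLOWED_DOMAIN_ADMINS: Set[str] = {"administrator", "jdoe-adm"}


def cn_from_dn(dn: str) -> str:
    """Return the leading CN value of a distinguished name, e.g. 'CN=x,DC=y' -> 'x'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def domain_admin_additions(events: Iterable[Dict[str, object]], allowed: Set[str],
                           group: str = "Domain Admins") -> List[Dict[str, object]]:
    """Alert on every 4728 event that adds a member to `group`.

    reverted_by_gpo tells the responder whether restricted groups will undo the
    change at the next policy refresh; it does not shorten the window in which
    the account (and any Kerberos ticket it already holds) keeps working.
    """
    alerts = []
    for ev in events:
        if ev["EventID"] != 4728 or ev["TargetUserName"] != group:
            continue
        member = cn_from_dn(str(ev["MemberName"]))
        actor = str(ev["SubjectUserName"])
        alerts.append({
            "when": ev["TimeCreated"], "member": member, "actor": actor,
            # A computer account ('$' suffix) adding a domain admin is not a person at ADUC.
            "severity": "high" if actor.endswith("$") else "medium",
            "reverted_by_gpo": member.lower() not in allowed,
        })
    return alerts


if __name__ == "__main__":
    for alert in domain_admin_additions(SAMPLE_EVENTS, GPO_ALLOWED_DOMAIN_ADMINS):
        print(alert)
```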

OK, I found our auditor was able to create a domain admin acct by leveraging a vulnerability in SMB signing.  They were able to downgrade SMB communication between machines since our GPO allows for signing but it's not enforced.  They are going to demo to us how it was done.

Point is, creation of domain admins through malicious means (or demo for IT security / risk assessment) can be mitigated by other means.

While enforcing some sort of approval via MFA or a second set of eyes would stop new domain admins from being created, plugging holes like MitM attacks and encryption downgrades is key here.  The vendor we have doing our internal vulnerability testing and risk assessment did create the account for demonstration purposes, but likely a real attacker would use (hijack) an existing domain admin credential to stay under the radar.  Creating a domain admin creates a lot of noise (logs, event management, SIEM alerts / emails, etc...).

June 18th, 2015 10:42am

You could run your domain controllers as Core boxes, without the GUI OS.

Apply a server hardening policy to your domain, to lock down your domain controllers to make it difficult for users to log on to.

Set up SCOM to monitor anything related to domain accounts being created.

June 18th, 2015 11:21am

Hi KJSTech,

Please also apply updates MS15-011 & MS15-014 to harden Group Policy. The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product.

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

Best Regards,

Mary Dong

June 19th, 2015 2:38am