How do I limit access to Active Directory Users and Computers (and other AD components) to only be usable from certain servers and workstations?

Our cyber insurance wants us to require MFA to manage Active Directory. I have MFA login enforced on all servers and IT workstations. An attacker who steals admin credentials could install RSAT on a workstation that doesn't have the MFA requirement. Then they could manage Active Directory without needing to go through the MFA prompts on the servers.

Is there a way to limit what systems can access AD DS management tools? I know I can limit which user accounts have access to AD including which OUs they can access and which functions they can perform. In theory I could also install the MFA software on every workstation, but I don't have approval for that. Accounts in AD have access to read AD.

Is the right way to accomplish this to limit what computers the admin accounts are allowed to sign into? That way I could ensure all admin accounts can only sign in on PCs where MFA is required.
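As an added example (not part of the original post), here is a Python check of the control the question proposes: confirming that every admin account is limited to computers where MFA is enforced. It assumes a CSV export of privileged accounts with their `LogonWorkstations` property (for instance from `Get-ADUser -Properties LogonWorkstations`); the column layout, account names and MFA host inventory are constructed for illustration.

```python
import csv
import io

# Constructed sample export of privileged accounts and their LogonWorkstations
# attribute. Column names and all values are assumptions, not from the post.
SAMPLE_EXPORT = """SamAccountName,LogonWorkstations
adm-alice,"PAW01,DC01"
adm-bob,
adm-carol,"PAW01,HR-PC17"
adm-dave,"paw02.corp.example"
"""

# Hypothetical inventory of hosts where MFA logon is enforced.
MFA_HOSTS = {"PAW01", "PAW02", "DC01"}


def short_name(host):
    """Normalise a host entry: trim, drop any DNS suffix, upper-case."""
    return host.strip().split(".")[0].upper()


def audit(export_text, mfa_hosts):
    """Return {account: reason} for every account that could still sign in
    on a computer without MFA."""
    allowed_mfa = {short_name(h) for h in mfa_hosts}
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        account = row["SamAccountName"].strip()
        raw = (row.get("LogonWorkstations") or "").strip()
        hosts = {short_name(h) for h in raw.split(",") if h.strip()}
        if not hosts:
            # An empty attribute means no workstation restriction at all.
            findings[account] = "unrestricted: may sign in on any computer"
            continue
        outside = sorted(hosts - allowed_mfa)
        if outside:
            findings[account] = "non-MFA hosts allowed: " + ", ".join(outside)
    return findings


if __name__ == "__main__":
    for account, reason in audit(SAMPLE_EXPORT, MFA_HOSTS).items():
        print(f"{account}: {reason}")
```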