Password cracking.....that's so YESTERDAY!
Passwords are now an archaic form of authentication. ...and it's not so much that passwords are the failure, but the underlying protocols we continue to use.
MS doesn't effectively SALT their passwords. If they did, PASS-THE-HASH would not be as successful as it is.
....and yes, caching credentials is part of the problem......lazy admins using 1 GOD-Like account to manage support from the desktop - "domain admin" - is another.....seriously, passwords are ineffective.
Goooooooooo Tokens!!!! (YEAH!!!!!!).....Oops, sorry, there goes Kerberos, with PASS-THE-TOKEN software. Ok, just shorten Token lifetimes.....Users will be complaining now.
Let's use Smartcard authentication - FANTASTIC, darn it....that only works for Interactive (remote and local) Logons. NTLM / Kerberos is still used for type 3, 4, 5 LOGONS (MS types should understand).
You're just left with one thing:
1. An Enterprise Admin Account (per person, assigned AS NEEDED)
2. A Domain Admin account (which is NOT USED FOR RDP'ing all over the place).
3. A Server Admin account - Just for Servers.....do not escalate its privs. It fixes SERVERS.
4. A Workstation Admin Account - Same, do not elevate privs. It is a desktop admin and nothing else.
5. An Employee account. I know you want to use it everywhere, but NO!!!! Employee, Email, Benefits, and NOTHING ELSE.
6. For each type of system (desktop / Server / Domain Controller), each gets a specific group that are admins, and it is not a Domain Admin....remove domain admins from all "Administrators" groups.....it is a domain admin, nothing else.
7. Populate a specifically named admin group, for its role, in each system type's Administrators group.
Really, not that hard.
Now, just how to make my company comply with these SIMPLE RULES!!!!
For you, KILL LMHASH (which means patch yer systems), Kill NTLM, Kill NTLMv2, use 2 factor for as much as possible, use REMOTE MANAGEMENT Tools.....meaning, STOP RDP'ing all over the place (RSAT and PuTTY w/ pubkey), set cached creds to ZERO for ALL SERVERS and DESKTOPS.....and use OTP for God's sake, use OTP. Get rid of 2003 and WinXP......and PATCH yer &@(#!!!!!!
I swear, admins are more problematic than users these days.
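As an added example (not from the poster), a PowerShell audit of the host settings the post calls for: LM hash storage off, LM/NTLM refused and outgoing NTLM denied, and cached domain credentials set to zero. It assumes an elevated session on a domain-joined Windows host; the target values are the ones the post argues for, and a value that is absent is reported as FAIL so it gets set explicitly (via GPO) rather than left to the OS default.

```powershell
# Added example: read-only audit of the auth-hardening settings from the post.
# Assumes an elevated PowerShell session on a domain-joined Windows host.
# Nothing is changed; push the wanted values through Group Policy.

$checks = @(
    @{ Name  = 'NoLMHash (do not store LM hash)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash';                 Want = 1 },
    @{ Name  = 'LmCompatibilityLevel (5 = send NTLMv2 only, refuse LM and NTLM)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel';     Want = 5 },
    @{ Name  = 'RestrictSendingNTLMTraffic (2 = deny all outgoing NTLM)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Want = 2 },
    @{ Name  = 'CachedLogonsCount (0 = no cached domain creds)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount';        Want = '0' }   # REG_SZ, default "10"
)

function Test-AuthHardening {
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        # An unset value means the OS default applies; treat that as a finding
        # so the setting is pinned explicitly rather than assumed.
        $status = if ($null -ne $actual -and "$actual" -eq "$($c.Want)") { 'OK' } else { 'FAIL' }
        [pscustomobject]@{
            Status  = $status
            Setting = $c.Name
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Wanted  = $c.Want
        }
    }
}

Test-AuthHardening | Format-Table -AutoSize
```

RestrictSendingNTLMTraffic=2 blocks this host from sending NTLM at all, so run it in audit mode (value 1, with the NTLM operational event log) across a fleet before enforcing it, or Kerberos-incapable services will break.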