Educause Security Discussion mailing list archives

Active Directory Domain Administrator Security


From: Harry Flowers <flowers () MEMPHIS EDU>
Date: Wed, 18 Oct 2006 14:12:25 -0500

How are folks handling security of Domain Admin (DA) accounts?  We have
some servers that have shared administrative access (both locally and
contracted vendors), so we don't have total control over what may
compromise a system.  Even where we do, it's always possible that no
matter how careful we are, a system can be compromised by an exploit for
which no patches are available.  Once a system is compromised, it's a
short step to getting DA credentials if they are used on that system.
You can assume that patching, antivirus software, and system file
monitoring are already taking place; I'm looking for things in addition
to the basics.

If you're using two-factor authentication for DA accounts:
1) Do you only protect some systems (like your servers and DA desktops),
or do you deploy the clients on all desktops?
2) What type of two-factor authentication are you using (pseudo-random
number generator tokens, fingerprint scanners, etc.)?
3) Are you using two-factor authentication for non-administrator
accounts as well?

If you've abandoned DA accounts in favor of local admin accounts that
can't spread from a compromised system, I'd like to hear how you secure
your passwords (use a password safe like KeePass, in how many locations
is a copy kept, etc.).

If you are using some type of automated event log consolidation and
scanning, I'd like to hear what product you chose, and briefly why you
chose it.  (We're in the process of purchasing one.)

I'd also be interested in any other ways people are reducing their
exposure to the possibility of compromised DA accounts.  Please reply
directly to me, and I'll summarize for the list if there's interest.
-- 
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis
(901) 678-3650
