Educause Security Discussion mailing list archives
Re: AD and Domain Admin Policy?
From: "Dugan, Darin D [ITSYS]" <dddugan () IASTATE EDU>
Date: Fri, 19 Dec 2014 15:35:42 +0000
While we’re on the topic, and at the risk of thread hijacking, how many accounts do folks have for IT admins? I’d say at a minimum everyone should have two – unprivileged and some kind of server/app admin account. On top of that domain admins should have a third with domain admin privs. The gray area for me is in the (non-DC) server/app area. For those that wear many hats, do you have separate admin accounts for Exchange, SharePoint, Lync, vSphere, vendor app A, etc.? Why or why not?

Circling back to Russ’ question, one layer we make use of is logon restrictions so that privileged accounts can only log on to specific machines. A domain admin would be unable to log on to a workstation even if they tried. Yes, they have the ability to modify the logon restrictions, but we have auditing in place to detect that. Domain admin accounts are only used to manage AD itself. Everything else is delegated to less privileged accounts.

Cheers.

--
Darin Dugan, Systems Analyst
Information Technology Services
Iowa State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Friday, December 19, 2014 9:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AD and Domain Admin Policy?

Just a quick response to say that if your domain admins don’t have separate admin and regular usage accounts, make this your key task for today. Even non-domain admins that have other privileged access (Exchange admins, account admins, etc.) should have separate admin and regular usage accounts. They should log into their desktops/laptops with a regular account and RDP or “Run As” their admin accounts when needed.

Brad Judy
Director of Information Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: Friday, December 19, 2014 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] AD and Domain Admin Policy?

What happened to Sony, I feel, is the ‘tip of the iceberg’. That said, do you have a “Domain Admin” policy at your school? Can domain admins only login as themselves to computers they have control over? Do your domain admins have a separate login when they need to check Kiosks, etc.… what about non-security issues like internal websites to look at today’s menu?

Thanks!
russ
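As an added example that is not part of anyone's post above: a PowerShell check in the spirit of Darin's two layers, first listing Domain Admins members whose accounts lack a LogonWorkstations restriction (or are permitted on hosts outside an allowed set), then pulling recent Security event 4738 records on a DC where that attribute was changed, which is the modification his auditing is meant to catch. The allowed host names and the DC name DC01 are assumptions, as is the presence of the ActiveDirectory RSAT module.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# a DC named DC01 and an allowed-host list; all three are local assumptions.
Import-Module ActiveDirectory

# Assumption: the only hosts a domain admin account should ever log on to.
$AllowedHosts = @('DC01', 'DC02', 'ADMIN-JUMP01')

# Part 1: which Domain Admins members can log on anywhere, or somewhere unexpected?
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties LogonWorkstations, Enabled
    if (-not $u.Enabled) { continue }

    if ([string]::IsNullOrEmpty($u.LogonWorkstations)) {
        # Empty LogonWorkstations means no restriction: a workstation logon would succeed.
        Write-Output "FAIL  $($u.SamAccountName): no LogonWorkstations restriction"
        continue
    }
    $unexpected = ($u.LogonWorkstations -split ',') | Where-Object { $AllowedHosts -notcontains $_ }
    if ($unexpected) {
        Write-Output "WARN  $($u.SamAccountName): permitted on $($unexpected -join ', ')"
    } else {
        Write-Output "OK    $($u.SamAccountName): restricted to $($u.LogonWorkstations)"
    }
}

# Part 2: detect the restriction being changed. Event 4738 ("A user account was
# changed") on a DC carries the new UserWorkstations value; '-' means unchanged.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -ComputerName 'DC01' -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = $since } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['UserWorkstations'] -ne '-') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Target    = $data['TargetUserName']
                ChangedBy = $data['SubjectUserName']
                NewValue  = $data['UserWorkstations']
            }
        }
    } | Format-Table -AutoSize
```

Reading the Security log on a DC needs an account with event log read rights, which is itself a good candidate for one of the delegated, less privileged accounts the thread describes.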
Current thread:
- AD and Domain Admin Policy? Russ Leathe (Dec 19)
- Re: AD and Domain Admin Policy? Brad Judy (Dec 19)
- Re: AD and Domain Admin Policy? Dugan, Darin D [ITSYS] (Dec 19)
- Re: AD and Domain Admin Policy? Timothy Pierson (Dec 19)
- Re: AD and Domain Admin Policy? Timothy Pierson (Dec 19)
- Re: AD and Domain Admin Policy? Kevin McCormick (Dec 22)
- Cisco Advisory NTP Multiple Vulnerabilities Kevin McCormick (Dec 22)
- Re: AD and Domain Admin Policy? Timothy Pierson (Dec 19)
- Re: AD and Domain Admin Policy? Brad Judy (Dec 19)