Re: 2000 Domain Admin Best Practices




"" wrote:
> I'm a little rusty with AD security... but was wondering if there are
> resources out there or can anyone break down what the best practices are
> regarding overall Domain security in terms of Administrators.
>
> 1. How many built in administrator accounts are there? Is there just one
> overall domain "Administrator" account who is part of the Domain
> Administrator group for an AD Forest? Should you rename the ID and then
> change the Administrator password and keep this in an encrypted DB or in an
> envelope just in case the Admins leave the company?
>
> 2. Should you rename all Administrator accounts, enable logging on the
> domain in case that password is changed and then make all the Sys Admins use
> their own IDs as part of the Domain Admin group?
>
> 3. Are there many services on domain controllers that use "Administrator"
> for system access? Would you have to change that password as well or does it
> propagate automatically?
>
> What's the best way to limit the abuse of a domain admin, make them
> accountable, log their actions but still allow them to do their day to day
> duties such as add/remove users, change permissions, reset passwords, etc?
> I'm looking for overall best practices to eliminate the use of that shared
> Administrator ID (or any domain Admin ID for that matter). We're looking to
> prevent abuse of power but not interfere with job duties. We want to rename
> this ID but then also at the same time we need to know the effects within the
> enterprise on doing so. How many different types of dependencies are there on
> this built in ID?
>
> Any help, assistance, comments or references to some good best practice
> security articles on AD would be great. Thanks!

Additional Tips:

A tip for delegation (this may depend on the organization, but this
should give you a hint how to do it):
* Create separate admin accounts to perform admin tasks
* Define the admin roles in your organization
* Define all the admin tasks performed by those roles in your organization
* Create an OU for the Admin roles and the admin tasks
* Do not delegate the management of the roles and the tasks to groups
or persons other than the domain admins
* Create an OU for the Admin accounts
* Do not delegate the management of the admin accounts to groups or
persons other than the domain admins
* Create a separate OU for the Admin roles
* Set up admin roles represented by security groups in AD
* Set up all kinds of tasks represented by security groups in AD
* Give the task groups the appropriate permissions in AD and on
servers through the Delegation of Control wizard and through GPOs
(Restricted Groups feature)
* Make the role groups a member of the appropriate tasks
* Make the admin accounts a member of the appropriate roles (most of
the time one admin account only has one role assigned)
* Protect the admin accounts OU and the admin roles and tasks OU
For delegating tasks see the following white papers. They are very
good!
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

* Always use service accounts for services when needed. Otherwise use
the default system account
* Configure and enable auditing on the default strong groups and on
the roles and tasks groups to see what changes are made to those
groups

There are also a lot of ebooks available on the net that describe
security issues (Quest, ScriptLogic, NetIQ)

Good luck

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/2000-Domain-Admin-Practices-ftopict433932.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1459244
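The role/task delegation model described in the reply above, as an added PowerShell example that is not code from the thread. It uses the ActiveDirectory module (Windows Server 2008 R2 and later, which postdates the Windows 2000 thread); the OU names, roles, tasks and the account name are assumptions, and the actual rights are still granted to the task groups separately.

```powershell
# Added example, not code from the thread: builds the role/task delegation model the
# reply describes with the ActiveDirectory module (Windows Server 2008 R2 and later).
# OU names, roles, tasks and the account name below are assumptions; adjust to your forest.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$adminRoot = "OU=Admin,$domainDN"

# Separate OUs for admin accounts, roles and tasks, protected from accidental
# deletion. Do not delegate control of these OUs to anyone but Domain Admins.
foreach ($name in 'Admin', 'Admin Accounts', 'Admin Roles', 'Admin Tasks') {
    $path = if ($name -eq 'Admin') { $domainDN } else { $adminRoot }
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $path -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $path -ProtectedFromAccidentalDeletion $true
    }
}

# Hypothetical roles, each mapped to the tasks that role is allowed to perform.
$roles = @{
    'Role-HelpDesk'   = @('Task-ResetUserPasswords', 'Task-UnlockUserAccounts')
    'Role-AccountOps' = @('Task-ResetUserPasswords', 'Task-ManageUserAccounts')
}

# One security group per task (domain local) and per role (global);
# each role group is made a member of the task groups it needs.
foreach ($role in $roles.Keys) {
    foreach ($task in $roles[$role]) {
        if (-not (Get-ADGroup -Filter "Name -eq '$task'")) {
            New-ADGroup -Name $task -GroupScope DomainLocal -GroupCategory Security -Path "OU=Admin Tasks,$adminRoot"
        }
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path "OU=Admin Roles,$adminRoot"
    }
    Add-ADGroupMember -Identity $role -Members $roles[$role]
}

# Each administrator gets a separate admin account holding a single role.
$adminAccount = 'jdoe-adm'   # hypothetical account name
if (-not (Get-ADUser -Filter "SamAccountName -eq '$adminAccount'")) {
    New-ADUser -Name $adminAccount -SamAccountName $adminAccount -Path "OU=Admin Accounts,$adminRoot" `
        -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true
}
Add-ADGroupMember -Identity 'Role-HelpDesk' -Members $adminAccount

# Permissions are granted to the task groups only, e.g. with the Delegation of
# Control wizard on the target OU ("Reset user passwords" for Task-ResetUserPasswords);
# accounts and roles pick them up through group membership.
```

Enable auditing of membership changes on the role and task groups (and the built-in privileged groups) so that every change to who holds a role shows up in the Security log, as the reply recommends.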