Re: Renaming Admin ID - Making Sys Admins Accountable
- From: "hockeytown_rox" <hockeytownrox@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Oct 2005 10:18:23 -0700
Paul,
Thanks. I think their point was that these apps don't necessarily need
domain admin credentials to run... but that they need to be launched somehow
from the server. Once they log in and launch the application, they stated
they then need to be able to administer the server from the console as well,
to do administrative tasks at the box. They couldn't just log off
that power user to do admin tasks because the apps have to always be running.
These are member servers on a 2003 domain.
"Paul Bergson" wrote:
> These legacy apps are a danger to your network security. Why would they
> possibly need Domain Admin credentials? I don't believe they need that.
> Find out what particular permission set they really need and then log these
> machines on that way. They probably need access to resources on other
> machines and the EASIEST way has been to just give these apps Domain Admin
> privileges. What if someone wrote a script to create an account in one of
> these apps that created an admin account or elevated someone to admin
> status, etc.? Get rid of these apps running as admin and do as you
> suggested.
>
> Also if you were to migrate these boxes to server 2003 you could mstsc
> /console and remotely run the console and still keep your two sessions up
> and running.
>
> --
>
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "hockeytown_rox" <hockeytownrox@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:80C69C6E-C159-41FB-A4E8-B357FD10B4EB@xxxxxxxxxxxxxxxx
> > We're about to embark upon renaming the Administrator ID and changing the
> > password in a 2000 AD environment. We then were going to make any system
> > administrator create a separate service admin ID with their name that gives
> > them domain admin permissions to do their work on AD and the 2000 servers.
> >
> > However, several of them have pushed back saying they have at least three or
> > four servers where there are critical applications that MUST be run from the
> > server console. These applications are critical to the business and are
> > older legacy apps and do NOT run as services. They have to be launched and
> > always be running. We recommend they launch these from a terminal session,
> > but this domain is running in Administrative mode for terminal services, which
> > leaves only two licenses or connections per box, so that takes up one of the
> > connections.
> >
> > We suggested creating a backup operator or power user ID for logging into
> > the console and running these apps... but the Admins came back and argued that
> > some tasks just HAVE to be performed at the console, such as installing McAfee
> > updates and other software, thus they could not log off the power user to do
> > such tasks. The console must be logged in with admin permissions.
> >
> > Any advice out there on how to maintain auditing and accountability for sys
> > admins by creating their own IDs, renaming the Administrator account, but then
> > also using an ID to log onto a console (not a session) for legacy apps that
> > must be run this way???
>
>
>
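As an added example, not from the thread or either poster: a PowerShell check that lists who currently holds the console logon on the member servers discussed and flags a console session running as the built-in Administrator, located by its well-known RID 500 so that renaming the account does not hide it. Server names are constructed placeholders; it assumes the ActiveDirectory module (RSAT) is installed and the running account may run quser against those servers.

```powershell
# Added example; not the thread's own code. Server names are constructed placeholders.
param(
    [string[]]$Servers = @('APPSRV01', 'APPSRV02')
)

Import-Module ActiveDirectory

# Resolve the built-in Administrator by RID 500 instead of by name, so a renamed
# account is still recognised as the shared, non-attributable identity.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = (Get-ADUser -Identity "$domainSid-500").SamAccountName

# Named per-person admin IDs that are expected to appear in console logons.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

foreach ($server in $Servers) {
    # quser prints a header line followed by one space-aligned line per session;
    # the physical console session is named 'console'. A leading '>' marks the
    # caller's own session and is stripped before splitting on runs of spaces.
    $lines = quser /server:$server 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        $fields = ($line.Trim() -replace '^>', '') -split '\s{2,}'
        if ($fields -notcontains 'console') { continue }   # skip RDP sessions
        $user = $fields[0]

        if ($user -ieq $builtinAdmin) {
            # Shared account: no way to tie console actions to an individual admin.
            Write-Warning "$server console: logged on as built-in Administrator ('$user', RID 500)"
        }
        elseif ($domainAdmins -notcontains $user) {
            Write-Output "$server console: '$user' is not a Domain Admin (least privilege holds)"
        }
        else {
            Write-Output "$server console: named admin ID '$user' holds the console"
        }
    }
}
```

Run it from an administrative workstation on a schedule and keep the output with the server's Security log, so a console logon under the shared account is noticed rather than assumed away.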