Re: Admin accounts for Run As purposes only
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 12/19/04
- Next message: Doug Frisk: "Re: UPN Limit"
- Previous message: Celery: "Re: Admin accounts for Run As purposes only"
- In reply to: Celery: "Re: Admin accounts for Run As purposes only"
- Next in thread: Celery: "Re: Admin accounts for Run As purposes only"
- Reply: Celery: "Re: Admin accounts for Run As purposes only"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 19 Dec 2004 17:15:55 -0000
Making someone an administrator of a server is quite different to making
them a domain admin and is the appropriate course of action in many
circumstances.
Basically, by taking someone out of the domain admins group and making them
administrators of all the machines they need to manage, you still achieve a
great deal of functionality and you also prevent an attacker from scripting
the addition of new high-privilege accounts to run when a domain admin logs
in.
You have to strike a balance. It gets difficult to achieve this sort of
thing when you're using domain controllers as file servers and when you
don't have enough servers to achieve a separation.
At the end of the day, you have to trust your administrators, but it's easy
to slip into thinking that everything that is done under an administrator's
account was done by the person sat at the console and not by some script or
executable that just happens to be running in the background.
Regards
Oli
"Celery" <Celery@discussions.microsoft.com> wrote in message
news:8E1F3D14-3B0F-4495-BE10-FE871A366EBD@microsoft.com...
> Thanks to all...
>
> I agree with the ideal world, but domain admins in the organisation is a
> legacy problem inherited from NT4 days and now that we're finally
> implementing AD, I'm trying to prevent the same anarchy that it was.
>
> I know we can delegate alot of tasks now such as user account
> administration, printer administration under AD delegation etc, but when
> someone needed to be able to check groups linked to NTFS permissions on
> folders across lots of servers, convenience took priority as well as
> IT-illiterate management peer pressure.
>
> Staff with domain admins got lazy and used their DA account everywhere on
> a
> daily basis and it became habit to use that account rather than log off /
> on
> as their other DA account...
>
> I wanted to find a way of making users use their standard accounts at all
> times and stop them using their DA account unless used for Run As
> purposes,
> similarly like the "Deny log on locally privilege". Its a mad place here,
> I
> know!
>
> Incidentally, without DA privileges, what is the best practice for setting
> up IT admin users the ability to see what security group is linked to a
> folder, or being able to create a new folder resource and link new groups
> to
> it? Make them a local administrator on each file server or CACLS append a
> new security group over all data folders that contains IT admin staff with
> full control? Also, if the same people need to troubleshoot servers,
> services etc, make them Server Operators too?
>
> Kind Regards
>
>
> "Oli Restorick [MVP]" wrote:
>
>> Hi
>>
>> If you've already messed around with the "Deny Log on Locally" privilege,
>> you will have found that it applies to the runas command as well as
>> interactive logons.
>>
>> I don't think a domain admin user should be logging in on any
>> workstation,
>> using runas or not. Domain controllers, yes. Workstations whose state
>> you
>> don't know, no.
>>
>> Not sure of a good solution for what you're trying to do. My feeling is
>> that it's best to delegate the control you need. When they're
>> fault-finding
>> on a user's workstations, do your administrators need to be creating new
>> domain admins, changing group policy, or modifying the payroll system?
>> If
>> not, they have no business using a domain admin password. In an ideal
>> world, they shouldn't even have a domain admin account.
>>
>> Oli
>>
>>
>>
>> "Celery" <Celery@discussions.microsoft.com> wrote in message
>> news:FA2E2633-7BB1-408A-84C2-FC3F22802FBF@microsoft.com...
>> > Per best practices, I want to ensure that Domain Admins staff do not
>> > log
>> > in
>> > with their domain admin account, but with a standard account, and then
>> > use
>> > their domain admin account for Run As only.
>> > I know in this day and age, we should be able to trust DAs, but is
>> > there a
>> > way of achieving the following scenario:
>> >
>> > A domain admin person will have two accounts, a standard account eg
>> > Fred,
>> > and a domain admin account called FredDA. I want to allow them to log
>> > on
>> > to
>> > clients and servers using Fred and then use Run As and then enter their
>> > Domain Admin credentials to carry out the necessary task. I therefore
>> > want
>> > the FredDA account to not be able to log on to a client or server but
>> > only
>> > allow it for Run As only.
>> >
>> > I know this sounds drastic, but too many corners are being cut and
>> > sooner
>> > or
>> > later something serious will happen! It also safeguards against risks
>> > of
>> > viruses and trojans with DA privileges...
>> > Thanks for any responses!
>>
>>
>>
- Next message: Doug Frisk: "Re: UPN Limit"
- Previous message: Celery: "Re: Admin accounts for Run As purposes only"
- In reply to: Celery: "Re: Admin accounts for Run As purposes only"
- Next in thread: Celery: "Re: Admin accounts for Run As purposes only"
- Reply: Celery: "Re: Admin accounts for Run As purposes only"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
