Re: securing critical member servers
Once a user is in the Administrators group they can do anything they choose,
including re-adding themselves into groups and removing any restrictive
permissions. If you have admins you don't trust, then they shouldn't be
admins in the first place.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<zerbie45@xxxxxxxxx> wrote in message
news:3197edec-49f6-4b86-9441-5f2e9ad4da25@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
hello,

we have a Windows 2003 Active Directory and have a couple of servers
used for a very critical application (banking industry).

these servers are placed in a dedicated organizational unit and do
receive standard group policy we apply to all member servers.

however, given the particular sensitivity of the application data held
in these servers we would like to logically/Active Directory "isolate"
it from the rest of the domain, where possible.
this does not involve IPsec (servers are in a separate firewalled DMZ
and traffic is already ciphered), but we would like to use GPOs to
remove regular domain admins from the possibility of administering the
servers and replace them with a dedicated domain group.
What I need to do basically, I think, is to use OU delegation, remove
standard domain admins and explicitly add the group we want to use
for server administration.

Anybody can give any recommendations ? I've seen many hardening
guides, they do lock down many features but they don't bother much
with removing normal domain admins rights.

thanks!
zz

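Added example, not part of the thread above. Paul's point is that membership of the local Administrators group cannot be enforced against the people who control the domain (Domain Admins can edit the GPO or re-add themselves), so in practice the OU-linked Restricted Groups policy sets the intended membership and a separate audit catches drift. The PowerShell below is that audit: it enumerates each computer in the critical-server OU and reads its local Administrators group through the WinNT ADSI provider, which works against Windows 2003 hosts without remote PowerShell, then flags anything outside an allow list and whether Domain Admins is still present. It assumes the RSAT ActiveDirectory module; the OU distinguished name, the NetBIOS domain name and the dedicated group name are placeholders to replace with your own.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) is installed and the account running it can read the local
# Administrators group on each server. OU path, domain and group names below
# are assumptions; replace them with your own.

$CriticalOu     = 'OU=Critical Servers,OU=Member Servers,DC=example,DC=com'  # assumed
$Domain         = 'EXAMPLE'                                                 # assumed NetBIOS name
$DedicatedGroup = "$Domain\Banking Server Admins"                           # assumed group

# Intended membership of the local Administrators group on each critical server,
# i.e. what the Restricted Groups policy linked to the OU should be enforcing.
# Domain principals are written DOMAIN\name; local accounts as a bare name.
$AllowedMembers = @(
    $DedicatedGroup,
    'Administrator'   # the server's own built-in local account
)

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)

    # The WinNT provider returns members as ADsPaths such as
    #   WinNT://EXAMPLE/Domain Admins          (domain principal)
    #   WinNT://EXAMPLE/SERVER01/Administrator (local account on SERVER01)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name      = $parts[-1]
        $authority = $parts[-2]
        # Normalise: local accounts to a bare name, everything else to DOMAIN\name
        if ($authority -ieq $ComputerName) { $name } else { "$authority\$name" }
    }
}

function Test-CriticalServerAdmins {
    param(
        [string]$SearchBase  = $CriticalOu,
        [string[]]$Allowed   = $AllowedMembers
    )

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $server = $_.Name
        try {
            $members = @(Get-LocalAdminMembers -ComputerName $server)
        }
        catch {
            Write-Warning "${server}: cannot enumerate Administrators ($_)"
            return   # skip this server, keep going with the rest of the OU
        }

        # -contains / -notcontains compare strings case-insensitively
        $unexpected = @($members | Where-Object { $Allowed -notcontains $_ })
        $missing    = @($Allowed | Where-Object { $members -notcontains $_ })

        [pscustomobject]@{
            Server            = $server
            DomainAdminsStill = ($members -contains "$Domain\Domain Admins")
            Unexpected        = ($unexpected -join '; ')
            Missing           = ($missing -join '; ')
            Compliant         = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Run the audit and show one row per server in the OU.
Test-CriticalServerAdmins | Format-Table -AutoSize
```

Run it on a schedule and alert on any row where Compliant is False or DomainAdminsStill is True. Note that Domain Admins is placed in every member server's local Administrators group at domain join, so until the Restricted Groups policy has applied on each server every row will show it as present; after that, its reappearance is exactly the "re-adding themselves" case the reply describes, and this script detects it rather than prevents it.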