Re: Best Practice for Domain & Local Admins

I do have a separate local admin account on my workstations than the domain admin account.

I also adjusted off lanman hashes.

But remember... your 6 a.m. email will warn you about bad password attempts.

Make that admin account a passphrase.

I personally have found there is more risk from workstations running with local admin rights and folks being able to download malware.

I've seen folks bang on the Admin account on port 25.

Look to your real risks.

Alex from Miami wrote:
I was just wondering what others thought of this.

Considering that there are password-breaking utilities out there, would it be a best practice to have two separate admin accounts for our SBS deployments? One would be the system admin account which would be used solely on the physically secured server, and the other would be a local admin account that is just a regular domain user, but is set as an administrator on all local machines.

Here is my rationale:
Since many of the password-hacking systems out there require that the id be stored in a hash file locally, if the domain admin account is not used on the client machine, it's not able to be hashed. Any administrative tasks that need to be accomplished on local machines would use the local admin account. The only place that the domain ID would be used would be on the servers.

Furthermore, could a Group Policy be created that prevents the domain admin from logging onto client workstations? Would we even WANT to create a policy like this?


-Alex from Miami
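As an added illustration (not code from this thread), the Python script below audits a workstation's exported local security policy for the two controls the thread discusses: the "Deny log on" user rights that keep the Domain Admins group off client machines, and the NoLMHash value that stops LanMan hashes being stored. The input is a constructed sample in the INF format that `secedit /export /cfg <file>` writes; the domain portion of the SIDs is a placeholder, and the real export is UTF-16 and far longer.

```python
import configparser
import re

# Constructed sample of a `secedit /export /cfg` result from a workstation whose
# local policy denies Domain Admins (RID 512) logon and has NoLMHash enabled.
# The S-1-5-21-... domain identifier is a placeholder, not a real domain.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-519
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""

DENY_RIGHTS = (
    "SeDenyInteractiveLogonRight",        # "Deny log on locally"
    "SeDenyNetworkLogonRight",            # "Deny access to this computer from the network"
    "SeDenyRemoteInteractiveLogonRight",  # "Deny log on through Terminal Services"
)
NOLMHASH_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"

def parse_secedit_export(text):
    # secedit output is INI-shaped; keep option case so privilege names match.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def rid_of(sid):
    # Domain SIDs in the export are written as *S-1-5-21-<domain>-<RID>;
    # built-in names such as "Guest" carry no RID and yield None.
    m = re.fullmatch(r"\*?S-1-5-21-\d+-\d+-\d+-(\d+)", sid.strip())
    return int(m.group(1)) if m else None

def audit_workstation_policy(text, denied_rids=(512,)):
    """Return {check: bool}. Add 519 to denied_rids to require Enterprise Admins too."""
    cp = parse_secedit_export(text)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    results = {}
    for right in DENY_RIGHTS:
        rids = {rid_of(s) for s in rights.get(right, "").split(",") if s.strip()}
        results[right] = all(r in rids for r in denied_rids)
    regvals = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    # Registry entries are "<path>=<type>,<value>"; type 4 is REG_DWORD, value 1 = on.
    results["NoLMHash"] = regvals.get(NOLMHASH_KEY, "").split(",") == ["4", "1"]
    return results

if __name__ == "__main__":
    for check, ok in audit_workstation_policy(SAMPLE_EXPORT).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it against a real export to see which of the three deny rights a workstation is missing; a policy that denies only interactive logon still lets a domain admin credential be used over the network.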