Re: Best Practice for Domain & Local Admins
- From: Alex from Miami <FirstName@xxxxxxxxxxx>
- Date: Mon, 06 Mar 2006 08:36:53 -0500
Hey Susan.
Thanks for the response. Why am I not surprised that the Queen of Security would be the first to respond? :-)
I have a couple of follow-up questions:
1) Does "adjusted off lanman hashes" mean that the hash file that gets created for cached logins is NOT created? Can you elaborate a bit?
2) For the 6am report, are you referring to the Security one within Event Viewer that can be included in mailed reports?
3) I'm guessing the answer is yes, but should the pass phrase philosophy be set for BOTH domain AND local admin accounts?
4) I am with you 100% with the whole local admin accounts for the users. In your SBS deployments, do you NOT make the user local admins, and how do you circumvent SBS as far as performing the client-app installs and such?
5) Finally, have you seen Microsoft's Shared Access tool? (www.microsoft.com/sharedaccess) It is pretty darn awesome and can be used in a domain as well.
Thanks again for all the help you give the SMB community!
Alex from Miami
P.S. Just got my MSBS recently....WOO HOO!!!
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
I do have a separate local admin account on my workstations than the domain admin account.
I also adjusted off lanman hashes.
But remember, your 6 a.m. email will warn you about bad password attempts.
Make that admin account a passphrase.
I personally have found there is more risk from workstations running with local admin rights and folks being able to download malware.
I've seen folks bang on the Admin account on port 25.
Look to your real risks.
Alex from Miami wrote:
I was just wondering what others thought of this.
Considering that there are password-breaking utilities out there, would it be a best practice to have two separate admin accounts for our SBS deployments? One would be the system admin account which would be used solely on the physically secured server, and the other would be a local admin account that is just a regular domain user, but is set as an administrator on all local machines.
Here is my rationale:
Since many of the password-hacking systems out there require that the id be stored in a hash file locally, if the domain admin account is not used on the client machine, it's not able to be hashed. Any administrative tasks that need to be accomplished on local machines would use the local admin account. The only place that the domain ID would be used would be on the servers.
Furthermore, could a Group Policy be created that prevents the domain admin from logging onto client workstations? Would we even WANT to create a policy like this?
-Alex from Miami
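The thread touches four separate workstation controls that are easy to conflate: LM hash storage (Susan's "adjusted off lanman hashes" is the NoLMHash LSA setting), cached domain logons (a different setting, CachedLogonsCount, which is what Alex's question 1 is actually about), whether domain admins are administrators of the client at all, and the failed-logon events behind the "6 a.m. report". The following audit script is an added example, not code from any poster on this list, and is written for a modern domain-joined Windows client with Windows PowerShell 5.1 or later run from an elevated prompt. The domain name CONTOSO and the function name are placeholders of mine; event ID 4625 is the Vista-and-later failed-logon event (the 2003-era equivalent was 529).

```powershell
# Added example, not from the mailing-list thread.
# Audits a workstation for the controls discussed in the thread and returns
# the findings as an object so they can be mailed, logged or compared.
# Assumes: elevated Windows PowerShell 5.1+, domain-joined client.

function Get-AdminHygieneReport {
    param(
        # Placeholder: replace with your domain's NetBIOS name.
        [string]$DomainNetbiosName = 'CONTOSO',
        [int]$FailedLogonLookbackHours = 24
    )

    # 1) LM hash storage. NoLMHash = 1 means the weak LM hash is no longer
    #    written when passwords change. A missing value behaves as 0.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $noLmHash = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { 0 }

    # 2) Cached domain credentials. This is independent of NoLMHash: it controls
    #    how many domain logons the workstation caches for offline use.
    #    Stored as a string; the Windows default is "10", "0" disables caching.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cachedLogons = if ($null -ne $winlogon.CachedLogonsCount) {
        [int]$winlogon.CachedLogonsCount
    } else { 10 }

    # 3) Is "Domain Admins" a member of the local Administrators group?
    #    If so, a domain admin logon on this box is an admin logon, and its
    #    credentials end up cached here (see point 2).
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $domainAdminsAreLocalAdmins = [bool](
        $localAdmins | Where-Object { $_.Name -eq "$DomainNetbiosName\Domain Admins" }
    )

    # 4) Failed logons in the lookback window: the raw material of the
    #    "6 a.m. email". Get-WinEvent reports "no events" as a non-terminating
    #    error, which SilentlyContinue turns into an empty result.
    $since = (Get-Date).AddHours(-$FailedLogonLookbackHours)
    $failed = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    # Group the failures by target account so a single account being
    # hammered stands out from scattered typos.
    $failedByAccount = $failed |
        ForEach-Object { $_.Properties[5].Value } |   # TargetUserName field
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First 5 Name, Count

    # Recommendations derived from the findings; wording is mine.
    $recommendations = New-Object System.Collections.Generic.List[string]
    if ($noLmHash -ne 1) {
        $recommendations.Add('Set NoLMHash = 1 (Network security: Do not store LAN Manager hash value on next password change).')
    }
    if ($cachedLogons -gt 0) {
        $recommendations.Add("CachedLogonsCount is $cachedLogons; lower it if offline logon is not needed on this workstation.")
    }
    if ($domainAdminsAreLocalAdmins) {
        $recommendations.Add('Domain Admins is a local administrator; use a separate workstation-admin account and deny domain admin logon via User Rights Assignment.')
    }
    if ($failed.Count -gt 0) {
        $recommendations.Add("$($failed.Count) failed logons in the last $FailedLogonLookbackHours hours; review the per-account breakdown.")
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        NoLMHash                   = $noLmHash
        CachedLogonsCount          = $cachedLogons
        DomainAdminsAreLocalAdmins = $domainAdminsAreLocalAdmins
        FailedLogonCount           = $failed.Count
        FailedLogonsByAccount      = $failedByAccount
        Recommendations            = $recommendations
    }
}

# Usage: run on the workstation (or through Invoke-Command) and inspect the object.
Get-AdminHygieneReport -DomainNetbiosName 'CONTOSO' | Format-List
```

The Group Policy Alex asks about exists as a user right rather than a custom policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Deny log on locally" (and its Remote Desktop and network counterparts), applied to the workstation OU with the Domain Admins group as the value. Paired with NoLMHash and a low CachedLogonsCount, that is what keeps a domain admin's credential material off client disks, which is the risk Alex's original rationale describes.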