ddh76
asked on
Securing the Domain Administrator account
We currently have several services running under the DOMAIN\Administrator account and I want to change this. We also have 2 administrators who both log in using the above account to manage AD, Exchange etc, etc.
I want to stop them from logging on to the Servers as much as I can so that they simply use the ESM locally and use "run as" for example.
If I create 2 Domain Admin accounts for the 2 of them, won't they then be able to change the Domain Admin password? Is there anyway of giving them Domain Admin permissions without them being able to reset the "DOMAIN\Administrator" account?
ASKER
I have noticed though that a lot of applications require "Domain Admin" rights on the service account. Do I really have to spend a very long time trying to work out which rights the account needs to run the application? For example, what about the services for Backup Exec that need to backup Exchange, Sharepoint etc.
What do I do about those? What about admin tasks like installing apps on a local machine or configuring MSDE on local machines?
That totally depends on how secure you want your environment to be. You can restrict these users to log on to specific systems with the 'log on to these machines' setting in Active Directory. That way the accounts cannot be used to log on anywhere else.
I myself create for each service/application a (domain) user with the least amount of rights it needs and restrict it to logging on to a specific machine.
For the local configuration on machines you don't need domain admin rights. You need local admin rights. What you could do is create a domain group for example "Local Admins". On each workstation you add this group to the Administrators group. Each user who needs to be local admin you can add to this group.
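The three measures in the answer above (find services still running as DOMAIN\Administrator, give each service its own account restricted to one machine, and use a domain group for local admin rights instead of Domain Admin), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module and the Microsoft.PowerShell.LocalAccounts module; all computer, account and domain names are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# Microsoft.PowerShell.LocalAccounts on the targets. Names are placeholders.
Import-Module ActiveDirectory

# 1. Inventory: which services on the given servers still run as the
#    built-in Domain Administrator account?
function Find-ServicesRunningAs {
    param(
        [string[]]$ComputerName,
        [string]$Account = 'DOMAIN\Administrator'   # placeholder domain name
    )
    foreach ($c in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c |
            Where-Object { $_.StartName -ieq $Account } |
            Select-Object @{n='Computer';e={$c}}, Name, StartName, State
    }
}

# 2. One least-privilege account per service, allowed to log on only to the
#    machine that runs it. -LogonWorkstations is the AD "Log On To" list
#    (the userWorkstations attribute the answer refers to).
function New-RestrictedServiceAccount {
    param(
        [string]$Name,
        [string]$Workstation,
        [securestring]$Password
    )
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "Service account; logon restricted to $Workstation"
    Set-ADUser -Identity $Name -LogonWorkstations $Workstation
}

# 3. A domain group that is made a member of the local Administrators group
#    on each workstation, so local installs never need Domain Admin rights.
New-ADGroup -Name 'Local Admins' -GroupScope Global -GroupCategory Security
Invoke-Command -ComputerName 'WKS01' -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member 'DOMAIN\Local Admins'
}

# Usage with constructed names:
Find-ServicesRunningAs -ComputerName 'EXCH01','BKUP01' | Format-Table
$pw = Read-Host -AsSecureString 'Password for svc-backupexec'
New-RestrictedServiceAccount -Name 'svc-backupexec' -Workstation 'BKUP01' -Password $pw
# Grant local admin for one install, then revoke it, as the answer describes.
Add-ADGroupMember    -Identity 'Local Admins' -Members 'jdoe'
Remove-ADGroupMember -Identity 'Local Admins' -Members 'jdoe' -Confirm:$false
```

The user must log off and on again after each group change, because group membership is only evaluated when the logon token is built.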
ASKER
We are quite a technical company and have lots of users who need to install items at relatively short notice etc. i.e. not easy for me to plan the implementation of apps etc. I want it to be secure but do I go as far as making our "users" ONLY users and give them a secondary logon when they need to?
That's a question only you can answer.
For some companies it is enough to have rules/guidelines for the use of systems, e.g. 'it's not allowed to install illegal software on your computer. On finding illegal software there's such and such penalty'.
I have been involved in securing systems for a while now and in my opinion it is more a management thing than a technical one. Improve your security on systems and a bigger hacker will arrive.
On the problem of short-notice app installation: somebody knows what application will be bought/installed in your company. It's logical that one of the first persons they notify is an IT person.
If they call you saying they want to install an application on their system, you can put them in the Local Admins group as I described earlier. They need to log off and on again. After they are done you can revoke their rights.
ASKER
On your last paragraph specifically, can I not just give them the right "install with elevated privileges" or something like that rather than having to give them local admin perms each time?
Yes you can. The question is: do you want that. That way you have a little control in what gets installed.
ASKER
Ok, so I could do that and combine it with a list of "allowed applications to run"....?
I will leave the following recommendation for this question in the Cleanup topic area:
Split: Shankadude {http:#18145771} & xph1le {http:#18146411} & xuserx2000 {http:#18147942} & whoajack {http:#18155174}
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
Tolomir
EE Cleanup Volunteer