Administrative account advice needed

The powers-that-be in my organization are putting forth a policy stating that all IT staff with administrative authority on computers and servers (techs, sysadmins, etc) must have those Active Directory (2003) security permissions placed on a secondary account.

Their idea is that it provides MORE security to create 2 accounts for every IT staffer that falls into that category, leaving them with a normal user account with no more privileges than your average user, and an account (with the same username, by the way, just with a "_admin" at the end) that has their extra privileges on it.

I have always believed that more user accounts than you need is always a bad thing.  Especially when you consider that I know for a fact this policy will not be backed up by increased account auditing.  

I want to fight this policy and show them they are wrong.  Points will go to anyone who gives me some good ammunition or anyone who successfully changes my mind.  I'm open-minded on this, so I could be convinced.
mslunecka asked:
Lee W, MVP, Technology and Business Process Advisor, commented:
I can kinda see your point on the "more accounts" side.  BUT, I have to agree with your company.  YOU should NEVER be logged in to your office desktop as an admin unless it's to do something briefly.  Let's say you get a virus - this is the one day you do something stupid and you get infected with something so new there's no protection for it yet.  Your account has admin privileges.  Now that virus operates as an admin and can infect your servers, all your workstations, EVERYTHING.  BUT, if you are on a system with a normal user account, that virus can't do anything more than a normal user.  You're protected.  Or at least your network and every other workstation is less at risk because you're not normally logged in as the admin you used to be.
0

mslunecka (author) commented:
leew, I would agree with you if I didn't see the evidence every day that most viruses these days don't really care whether you're logged in as an administrator or not.  They use exploits that get right around that.  You don't even have to be logged into a system to get the worst viruses these days.  It just needs to be on a vulnerable network (which ours is, sadly).  Not to mention the fact that a huge number of our normal "users" have administrative privileges on their machine.  That's something we're really fighting to change, but it came out of the fact that there was no real IT department here for a long time, so people just bought computers as they needed them without any centralization.

The viruses are an interesting aspect to their argument that I've never actually heard them make.  I know the argument well about having users logged on as users and not administrators.  I just find it to be hypocritical of them to force us, the people who need these privileges the most, and who would be the most inconvenienced to have to deal with doing runas and constant login/logouts, to log in as users and continue to let the rest of the organization do as they please because it's too big a political battle.
0
Lee W, MVP, Technology and Business Process Advisor, commented:
Just because most new viruses behave one way doesn't mean someone can't write one to do things "the old way".

How about this, you write a script and tell it to del *.* /q and execute in a for loop, but you make a coding error and it starts wiping out every system on the network.

I've been using Windows for 10 years - it's what I started with.  But I find it a far better system with how Linux/Unix does things - only root is the admin.  No one else.  You may get sudo privileges, but they time out.  It's just plain more secure to NOT be constantly logged in as an admin - ESPECIALLY not as a domain admin.
0
mslunecka (author) commented:
I realize it's just an example, but del *.* /q would only erase the local computer, and it would be entirely recoverable.  I'm going to let this thread run for a day or so and then I'll award points.
0
Lee W, MVP, Technology and Business Process Advisor, commented:
No hurry for points - I'd like to see if anyone else has comments and what they are.
0
mslunecka (author) commented:
As would I.  Yours were helpful.  I agree with you about domain admins.  We just got this new domain and all these new rules are coming along with it.  Some good some bad.  The old domain has a couple dozen domain admins.  Yeah I know...pretty bad.  Now we have 2 and they both use separate accounts for that.
0
WeHe commented:
We have the same policy for admin accounts.
All admins have two accounts, one normal, one with admin privileges.
It's a Microsoft recommendation to use a normal account and start programs with "Run as" for your admin tasks.
But no one uses the normal account in my office.
Every admin is working with his admin account, as we do many more admin tasks than normal tasks.
But if there is ever any AD-destroying virus or some virus spreading on connected server shares, it may turn into a disaster.
It should be best practice to start IE and mail with your normal account ("Run as") if you are logged on as domain admin.
0
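The asker's main objection is that the two-account policy will not be backed by auditing. As an added example, not code from this thread or from any of the participants, here is the audit a practitioner would run to check the policy is actually holding: a PowerShell script that walks the built-in privileged groups over LDAP and flags any member whose name lacks the "_admin" suffix, i.e. an everyday account that still carries admin rights. The group list, the suffix, and the assumption that it runs as a domain user on a domain-joined host are mine. It uses the [adsisearcher] / [adsi] accelerators rather than the ActiveDirectory module, so it does not depend on Active Directory Web Services, which Windows Server 2003 domain controllers do not ship with.

```powershell
# Added example, not code from the original thread.
# Audit: list members of privileged AD groups and flag accounts that do not
# follow the "<user>_admin" convention from the policy under discussion.
# Assumptions (hypothetical): run as a domain user on a domain-joined host,
# the convention is a trailing "_admin", and these are the groups in scope.
# Uses ADSI, so it works against Windows Server 2003 DCs without ADWS.

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
)
$AdminSuffix = '_admin'

function Get-PrivilegedMembers {
    param([string]$GroupName)
    # Find the group and expand its 'member' attribute, recursing into nested groups.
    # Caveat: accounts whose primaryGroupID points at the group are not listed in
    # 'member'; for the groups above that is rare but deserves a separate check.
    $searcher = [adsisearcher]"(&(objectCategory=group)(cn=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $group = $searcher.FindOne()
    if ($null -eq $group) { return }
    foreach ($dn in $group.Properties['member']) {
        $entry = [adsi]"LDAP://$dn"
        if ($entry.objectClass -contains 'group') {
            Get-PrivilegedMembers -GroupName ([string]$entry.cn)
        } elseif ($entry.objectClass -contains 'user') {
            # Computer objects also carry objectClass 'user'; their names end in '$'
            # and will be flagged, which is correct: a machine account has no
            # business in these groups either.
            [string]$entry.sAMAccountName
        }
    }
}

function Test-AdminNaming {
    # True when the account name ends with the agreed suffix (case-insensitive).
    param([string]$SamAccountName)
    $SamAccountName.ToLowerInvariant().EndsWith($AdminSuffix.ToLowerInvariant())
}

$findings = foreach ($g in $PrivilegedGroups) {
    foreach ($sam in (Get-PrivilegedMembers -GroupName $g | Sort-Object -Unique)) {
        if (-not (Test-AdminNaming $sam)) {
            New-Object PSObject -Property @{
                Group   = $g
                Account = $sam
                Issue   = "member of '$g' without the '$AdminSuffix' suffix"
            }
        }
    }
}

# The built-in Administrator account will always appear here; treat it as the
# one expected exception and investigate everything else.
$findings | Sort-Object Group, Account | Format-Table Group, Account, Issue -AutoSize
```

Run it under the everyday (non-admin) account: reading group membership needs no special rights in a default domain, which is itself the point of the policy. Scheduling it and diffing the output against the previous run gives the "increased account auditing" the asker says the policy lacks, and the same list is what you would hand back when someone asks why "a couple dozen domain admins" was a problem.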
harleyjd commented:
It's not just viruses you need to be worried about, it's user error, too. Everyone makes mistakes, and there's the possibility that with an admin account you're using in normal day-to-day work you screw something up royally.

What if you are logged in as admin, and walk away for lunch, forgetting to log off/lock up. Sneakyuser1 can come along behind you and do naughty things without interference.

0
Lee W, MVP, Technology and Business Process Advisor, commented:
Or sneaky admin who wants you blamed for something....
0
WeHe commented:
BTW, about how many accounts are we talking?
How many users? How many admins?
In our domain, with about 12000 users, I don't care about these 50 additional ADM accounts. :)
0
mslunecka (author) commented:
Sounds like most of you are taking the approach that being logged in as an administrator is a bad thing.  I agree with you when it comes to normal users...but my whole job requires administrative privileges.  Certainly there are things like web browsing and reading my email that I don't need to be an admin for, but I think we all know what would happen if everyone had a separate admin account from their user account.  Their passwords would most likely be the same, and users would just be logged in as administrator all the time.

I know it's against Microsoft's recommendation, but I think that although in theory it is a "best practice", it really just invites a lot of abuse.
0
Lee W, MVP, Technology and Business Process Advisor, commented:
Keep in mind, I was an admin for 5 years - THE Windows admin for a company of 1000 users/30+ servers - so I understand what you're talking about, but running as an admin is a bad thing.
0
Topic: Windows Server 2003