Solved

Administrative account advice needed

Posted on 2004-11-18
Last Modified: 2010-04-19
The powers-that-be in my organization are putting forth a policy stating that all IT staff with administrative authority on computers and servers (techs, sysadmins, etc.) must have those Active Directory (2003) security permissions placed on a secondary account.

Their idea is that it provides MORE security to create 2 accounts for every IT staffer that falls into that category, leaving them with a normal user account with no more privileges than your average user, and an account (with the same username, by the way, just with a "_admin" at the end) that has their extra privileges on it.

I have always believed that more user accounts than you need is always a bad thing.  Especially when you consider that I know for a fact this policy will not be backed up by increased account auditing.  

I want to fight this policy and show them they are wrong.  Points will go to anyone who gives me some good ammunition or anyone who successfully changes my mind.  I'm open-minded on this, so I could be convinced.
Question by:mslunecka
12 Comments
 
LVL 97

Accepted Solution

by: Lee W, MVP (earned 600 total points)
ID: 12619627
I can kinda see your point on the "more accounts" side.  BUT, I have to agree with your company.  YOU should NEVER be logged in to your office desktop as an admin unless it's to do something briefly.  Let's say you get a virus - this is the one day you do something stupid and you get infected with something so new there's no protection for it yet.  Your account has admin privileges.  Now that virus operates as an admin and can infect your servers, all your workstations, EVERYTHING.  BUT, if you are on a system with a normal user account, that virus can't do anything more than a normal user.  You're protected.  Or at least your network and every other workstation is less at risk because you're not normally logged in as the admin you used to be.
 
LVL 6

Author Comment

by:mslunecka
ID: 12619904
leew, I would agree with you if I didn't see the evidence every day that most viruses these days don't really care whether you're logged in as an administrator or not.  They use exploits that get right around that.  You don't even have to be logged into a system to get the worst viruses these days.  It just needs to be on a vulnerable network (which ours is, sadly).  Not to mention the fact that a huge number of our normal "users" have administrative privileges on their machine.  That's something we're really fighting to change, but it came out of the fact that there was no real IT department here for a long time so people just bought computers as they needed them without any centralization.

The viruses are an interesting aspect to their argument that I've never actually heard them make.  I know the argument well about having users logged on as users and not administrators.  I just find it to be hypocritical of them to force us, the people who need these privileges the most, and who would be the most inconvenienced to have to deal with doing runas and constant login/logouts, to log in as users and continue to let the rest of the organization do as they please because it's too big a political battle.
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12619948
Just because most new viruses behave one way doesn't mean someone can't write one to do things "the old way".

How about this, you write a script and tell it to del *.* /q and execute in a for loop, but you make a coding error and it starts wiping out every system on the network.

I've been using Windows for 10 years - it's what I started with.  But I find it a far better system with how Linux/Unix does things - only root is the admin.  No one else.  You may get sudo privileges, but they time out.  It's just plain more secure to NOT be constantly logged in as an admin - ESPECIALLY not as a domain admin.
 
LVL 6

Author Comment

by:mslunecka
ID: 12620214
I realize it's just an example, but del *.* /q would only erase the local computer, and it would be entirely recoverable.  I'm going to let this thread run for a day or so and then I'll award points.
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12620229
No hurry for points - I'd like to see if anyone else has comments and what they are.
 
LVL 6

Author Comment

by:mslunecka
ID: 12620255
As would I.  Yours were helpful.  I agree with you about domain admins.  We just got this new domain and all these new rules are coming along with it.  Some good some bad.  The old domain has a couple dozen domain admins.  Yeah I know...pretty bad.  Now we have 2 and they both use separate accounts for that.
 
LVL 11

Assisted Solution

by: WeHe (earned 450 total points)
ID: 12620407
We have the same policy for admin accounts.
All admins have two accounts, one normal, one with admin privileges.
It's a Microsoft recommendation to use a normal account and start programs with "run as" for your admin tasks.
But no one uses the normal account in my office.
Every admin is working with his admin account, as we do many more admin tasks than normal tasks.
But if there is ever an AD-destroying virus, or some virus spreading on connected server shares, it may turn into a disaster.
It should be best practice to start IE and Mail with your normal account ("run as") if you are logged on as domain admin.
 
LVL 15

Assisted Solution

by: harleyjd (earned 450 total points)
ID: 12620731
It's not just viruses you need to be worried about, it's user error, too. Everyone makes mistakes, and there's the possibility that with an admin account you're using in normal day-to-day work you screw something up royally.

What if you are logged in as admin, and walk away for lunch, forgetting to log off/lock up. Sneakyuser1 can come along behind you and do naughty things without interference.

 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12620778
Or sneaky admin who wants you blamed for something....
 
LVL 11

Expert Comment

by:WeHe
ID: 12620847
btw, about how many accounts are we talking?
How many users? How many admins?
In our domain, with about 12000 users, I don't care about these 50 additional ADM accounts. :)
 
LVL 6

Author Comment

by:mslunecka
ID: 12626016
Sounds like most of you are taking the approach that being logged in as an administrator is a bad thing.  I agree with you when it comes to normal users...but my whole job requires administrative privileges.  Certainly there are things like web browsing and reading my email that I don't need to be an admin for, but I think we all know what would happen if everyone had a separate admin account from their user account.  Their passwords would most likely be the same, and users would just be logged in as administrator all the time.

I know it's against microsoft's recommendation, but I think that although in theory it is a "best practice" it really just invites a lot of abuse.
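Two points in this thread can be checked mechanically rather than argued about: WeHe's "run as" advice (admin account only for admin tools, never for IE or mail) and the author's objection above that the policy won't be backed by auditing, so `_admin` accounts will just become everyday logon accounts. The following is an added example written for this page, not code from any of the posters or from Microsoft. It assumes a constructed AD export (account name to group list, with nested membership already resolved) and a constructed list of process-creation records shaped loosely like Windows security event 4688 (event 592 in the Windows 2003 era log); the `_admin` suffix, the privileged-group list and the "user-facing apps" list are assumptions you would adjust for your own domain.

```python
"""Audit a two-account admin policy: naming/pairing of privileged accounts,
and privileged accounts launching browser or mail clients.
Added example; all data below is constructed, not exported from a real domain."""
import ntpath

ADMIN_SUFFIX = "_admin"  # convention from the question; assumed, adjust to taste
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Server Operators", "Account Operators"}
# Programs that talk to the outside world and should only ever run under the
# normal account (WeHe's point). Assumed list; extend for your environment.
USER_FACING_APPS = {"iexplore.exe", "firefox.exe", "outlook.exe", "msimn.exe"}

# Constructed AD export: sAMAccountName -> groups (nested membership resolved).
AD_USERS = {
    "jsmith":       {"Domain Users"},
    "jsmith_admin": {"Domain Users", "Domain Admins"},
    "mlee":         {"Domain Users", "Domain Admins"},     # privileged primary account
    "rkahn_admin":  {"Domain Users", "Server Operators"},  # no paired "rkahn" account
}

# Constructed process-creation records (field names follow 4688's XML layout).
EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jsmith_admin", "NewProcessName": "",
     "Computer": "WS01"},  # a logon event, not process creation: ignored
    {"EventID": 4688, "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe", "Computer": "WS01"},
    {"EventID": 4688, "SubjectUserName": "jsmith_admin",
     "NewProcessName": r"C:\WINDOWS\system32\mmc.exe", "Computer": "WS01"},  # runas mmc: fine
    {"EventID": 4688, "SubjectUserName": "JSMITH_ADMIN",
     "NewProcessName": r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE", "Computer": "WS01"},
    {"EventID": 4688, "SubjectUserName": "mlee",
     "NewProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe", "Computer": "WS02"},
]


def privileged_accounts(users):
    """Lower-cased names of every account holding a privileged group membership."""
    return {name.lower() for name, groups in users.items() if groups & PRIVILEGED_GROUPS}


def policy_violations(users):
    """Check the two-account rule against the export.

    Returns (account, reason) pairs for:
      * privileged accounts that are not "_admin" accounts (a daily-use account
        carrying admin rights, which is exactly what the policy forbids);
      * "_admin" accounts with no paired standard account to fall back to.
    """
    names = {n.lower() for n in users}
    findings = []
    for acct in sorted(privileged_accounts(users)):
        if not acct.endswith(ADMIN_SUFFIX):
            findings.append((acct, f"privileged account does not use the {ADMIN_SUFFIX} suffix"))
            continue
        primary = acct[: -len(ADMIN_SUFFIX)]
        if primary not in names:
            findings.append((acct, f"no paired standard account '{primary}'"))
    return findings


def risky_launches(events, users):
    """(account, host, exe) for privileged accounts starting user-facing programs.

    A process started via "runas" still shows the admin account as the subject,
    so mmc/dsa.msc under jsmith_admin is expected; Outlook or IE under it is not.
    """
    priv = privileged_accounts(users)
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        acct = ev["SubjectUserName"].lower()
        exe = ntpath.basename(ev["NewProcessName"]).lower()  # ntpath: Windows paths on any OS
        if acct in priv and exe in USER_FACING_APPS:
            hits.append((acct, ev["Computer"], exe))
    return hits


if __name__ == "__main__":
    for acct, why in policy_violations(AD_USERS):
        print(f"POLICY  {acct}: {why}")
    for acct, host, exe in risky_launches(EVENTS, AD_USERS):
        print(f"USAGE   {acct} started {exe} on {host}")
```

Two caveats. Process-creation records only exist if "Audit process tracking" is switched on for the workstations, so this check is only as good as the auditing the author says won't be funded. And the naming check catches nothing if someone simply never creates the `_admin` account and keeps admin rights on their primary one, which is why the first check is the one worth running on a schedule.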
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12626799
Keep in mind, I was an admin for 5 years - THE Windows admin for a company of 1000 users/30+ servers - so I understand what you're talking about, but running as an admin is a bad thing.