• Status: Solved

Best Practice for Domain Administrators: Single "Superuser" Account or Multiple Domain Admins?

I'm trying to settle a debate with a system administrator regarding the best approach towards server management.  The two opposing points are as follows:

1 (mine): It's best to use a single server administrator account on the server.  Other accounts can and should be used for various services, but you should only use a single user when logging onto the server.  It keeps all files and settings under a single profile, and saves on housekeeping to remove the profiles later.

2 (his): What's the harm in using multiple domain admin users?  It seems that having one password and user ID is much more of a security risk than having individual user ID's and passwords.

My counterpoint to the latter half of point #2 is that I believe that his logic is backwards.  It seems that giving multiple users domain admin privs would be of greater risk, especially if strong passwords are not enforced.

What do the experts think?  Is it one of the above, or is there another way to look at this?  I understand that this is somewhat subjective, so I'll favor answers with links to best practice resources.

Thanks in advance for your time.
0
Asked: Earth37
3 Solutions
 
bass20 Commented:
I'd use one admin account for administering the server and other (tightly limited, non-administrative) accounts for the services running, but that really depends on your network. Are you referring to one PDC or does that server need to keep other administrative accounts? Even so, one admin is usually enough and adequate for many cases; you'll have only one secure account that can manage file ownerships, policies and permissions. But if the server holds important data, you should also have a Backup Operator (if you're running Windows) that can log in and back up the data.
I don't see much logic in the other person's argument. If the password is strong, it'll be harder to beat, whether the server has one or ten admins. And why should you have accounts just lying there? Go for the "preventive" mode: everything is forbidden unless noted otherwise; if you're not using more than one account, don't have other inactive accounts.
Whether you have one or several admins, strong passwords are ALWAYS a must.
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
I ran my network as "1" for some time.  But it got messy the bigger we got.  At one point I had 20 people who knew the admin password and most didn't need to use it on a regular basis.  Further, tracking down who did what was a nightmare.  Yes, I could audit things, but every action was by "domainroot", so I had no idea if Jim did that, Dave did that, Mike did that, etc.

Now what happens if you have to fire person x tomorrow and he knows the admin password?  Now you must change it.  But if you assign each individual user an admin account (do NOT assign their regular accounts admin rights), then you can lock out that one person's account and you don't have to change everyone's password.  AND you can track who changes what.

I also know for a fact two large Biotech companies (that I worked for as a consultant) do things this way as well (this way being "2").
0
 
al-hasan Commented:
I agree with leew's statement: Every domain admin should have his/her own admin account, so tracking down who did what when is possible, and it can be disabled if necessary.
Strong passwords can be enforced, and a capable admin will select a strong password anyway.

Regards,
has.
0

 
bass20 Commented:
I think it really depends on the network; each case is a case. If admin auditing and tracking is essential (I think it's always necessary, the question is, is it essential?), then multiple accounts are obviously needed.
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
The thing is, it's never essential - until something happens, and then it's too late - at least for the first time.
0
 
Ron Malmstead (Information Services Manager) Commented:
I would avoid your admins sharing the Domain\admin account....and for this reason mostly...

What if one admin makes some changes, and it has a negative effect on your system.....you wouldn't know for certain which one made the change...because the event logs just say Administrator.

Another reason....what if you want to RDP into the server to do some management tasks.....Your other admin logs in...and you get booted in the middle of whatever it is you're doing.

Another reason....Whoever is "in charge"...your IT manager...should be the only person with the Domain\administrator password....why you ask?...what if you fire one of your IT guys....sometimes changing the domain admin account password can cause services across your organization to fail...(backups, exchange, web, sql).....Changing the admin password isn't always just as simple as changing the password.....But it's no problem to delete an account with domain admin rights.

Plus the Administrator account logon will be cached on all of your XP machines...so if you changed it....you still will have to use the old pw in some circumstances to get into client machines....and now you have two passwords floating around cached in clients across your organization.

IT manager should know the Administrator password...and everyone else should have a separate account not knowing what the domain\administrator password is.
0
 
Rich Rumble (Security Samurai) Commented:
I read what others said briefly, so forgive me if this is repetitive:
Each user should have their own admin account, for accountability and tracking purposes. But the second part to that is that you must be logging properly to show accountability and tracking: no logs = no tracking. Programs like Snare or SELM are great at parsing through the event logs and keeping a second record of the data just in case someone starts to cover their tracks. http://www.intersectalliance.com/projects/SnareWindows/ http://www.gfi.com/lanselm/

Now probably equal to or greater than what's been said, is that the admin accounts should only be used for admin tasks, nothing more. When a virus or even spyware gets on a PC it's able to run in the same security context as the current user, and if that user is an admin, then the virus/spyware has admin rights as well.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_whynot_admin.mspx

Now I know it's cliche but... "with great power, comes great responsibility" is very true for administrators, even local ones, but especially domain admins. You should keep the domain admins to a minimum, but perhaps limit the abilities of admins. Say you have 5 guys, 2 of them you trust over all others to only do good with the privs, so they are absolute domain admins, but you don't know the other 3 as well, so you give them rights to only users' machines, and certain parts of the servers, like the printer shares.

Security isn't a program, it's a process; you have to have guidelines and checks-and-balances to keep things as secure as possible. You should do audits of yourselves or one another in a controlled fashion and with consent, and try to keep up on best practices as much as possible. RunAs can take some getting used to, but there are ways to automate it; however, they aren't as secure as I'd like. See these 2 links: http://xinn.org/RunasVBS.html http://www.experts-exchange.com/Security/Win_Security/Q_21276195.html#13059845 (the drag and drop script works for lots of stuff)

So in summary:
1) Do not sure a single admin account, there is little accountability
2) Enable more than the default event logs, turn up the security settings on server and workstations.
3) Get a program to help you sort through the event logs and/or alert you to possible maleficence that may be afoot.
4) Set up and follow best practices. Inform/educate your fellow admins, and get some policies written: http://www.sans.org/resources/policies/

Also of note, you may want to turn off the storage of the LM hash on PCs and servers as there are programs (becoming more and more popular these days) that are precomputing every possible LM hash, creating a DB if you will, and allowing you to find ANY password in minutes. So random passwords that are under 14 chars aren't even secure any more, if they were even more secure in the first place. I see a virus or spyware program in the future that is going to query one of these DBs after obtaining the LM hash of your password, and since you weren't following best practices, it was easy to use DLL injection to obtain the hash, and then submit the query to find your password.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
Also of note, any password over 14 chars automatically causes the LM hash to be null in the SAM, but with this registry setting, you don't have to require a 14-char pass. And no one is going to precompute the NTLM hash anytime soon: if LM is 64 gigs of data, all caps, and only 7 chars long (there are two 7-char halves), imagine 127 chars (possible), case insensitive.... http://www.antsight.com/zsl/rainbowcrack/ http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
-rich
0
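The checks from the summary above as a script, added here as an example and not part of the original thread: it reads the NoLMHash value described in the linked KB article and lists who holds Domain Admins, flagging the built-in Administrator and unused accounts. It assumes the ActiveDirectory PowerShell module is available and that it runs on a domain controller; the 90-day threshold is an assumption of this example.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# is installed and the account running it can read the directory.
Import-Module ActiveDirectory

# 1) LM hash storage. NoLMHash = 1 is the registry setting from KB299656:
#    no LM hash is stored the next time a password is changed.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name NoLMHash -ErrorAction SilentlyContinue
if ($lsa -and $lsa.NoLMHash -eq 1) {
    Write-Output 'NoLMHash = 1: LM hashes are not stored on password change.'
} else {
    Write-Output 'NoLMHash not set to 1: LM hashes may be stored for passwords of 14 characters or fewer.'
}

# 2) Domain Admins membership: one named account per person, nothing left unused.
$staleDays = 90                                  # assumption: example threshold
$cutoff    = (Get-Date).AddDays(-$staleDays)

$report = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet |
    ForEach-Object {
        $notes = @()
        # The built-in Administrator always has a SID ending in -500.
        if ($_.SID.Value -match '-500$') {
            $notes += 'built-in Administrator'
            if ($_.LastLogonDate -gt $cutoff) {
                $notes += 'recently used: its actions are logged as Administrator, not a named person'
            }
        }
        elseif ($_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)) {
            $notes += "no logon in $staleDays days: candidate for disabling"
        }
        if (-not $_.Enabled) { $notes += 'disabled but still a member' }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            LastLogonDate   = $_.LastLogonDate
            PasswordLastSet = $_.PasswordLastSet
            Notes           = $notes -join '; '
        }
    }

$report | Sort-Object Account | Format-Table -AutoSize -Wrap
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag by up to about two weeks, so treat the inactivity flag as approximate.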
 
Rich Rumble (Security Samurai) Commented:
Typos...(there are more I'm sure)
1) Do not SHARE a single admin account, there is little accountability
-rich
0
 
selhs Commented:
Personally I have a small network, yet my boss, who is an accountant, desires to use that admin password. Since I'm the only one that is computer literate I only use the master account and I provide the other people that "request" admin access a different account to use. This helps me keep track of what people are doing and it limits others from screwing up the servers. We also have sensitive information concerning patient information, so it is necessary for us to be more secure. I recommend only the administrator having administrative access, and let those that desire it have much lower access. 95 percent of people wouldn't know the difference if they weren't signed on as an administrator anyways, so protect yourself and your server, multiple accounts!
0
 
Earth37 (Author) Commented:
Thank you to everyone for your comments, especially Bass20 and Leew.  This was exactly what I was looking for.

Rich, I'm going to have to hand this to you for your thoroughness and links to bp and kb articles.  I didn't approach this question from an auditor's perspective, but it makes sense.  It's a pet peeve of mine when multiple user profiles are left behind on a server.  I guess I'll have to work through that if I want to follow best practices.  Looks like my friend wins the debate!

This is my first question posed to the Experts, and you didn't let me down!

Thanks for all of your help,
Brad
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
In the future, in case you weren't aware, you can split the points among experts whose input you found useful.
0
 
Earth37 (Author) Commented:
Thank you, Leew.  I think that I've got the hang of it now.
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
No problem, thanks for the points.
0
