Domain Security

Posted on 2011-10-24
Last Modified: 2012-05-12
I've been tasked with securing our domain from our IT department. Sounds kind of strange, but historically all IT employees have had Domain Admin roles assigned, and recently that has changed. This has created holes in their job functions.

I'm coming to the experts to see how they handle their domain security for their support staff. Our support staff report that they need to have access to the servers for general support. I'm entertaining the idea of setting the role of 'Remote Desktop Users' just to allow them to log in and interact with the server and its applications but restrict them from making system changes. I know I have to set security to fit my organization's requirements, but I'm looking to see how everyone else handles their support.

What permission do you grant your support staff?

Question by: pitchford

    Expert Comment

    by: Aaron Tomosky
    Support staff use admin logins. That doesn't mean their main login needs to be a domain admin, but they need access to one.
    If you don't trust your support staff you're going down. Fast.

    Author Comment

    It's not a matter of trust; it's a matter of compliance. If someone uses the admin credentials to steal private data and everyone in the department has that password, then it will be dismissed in court. I'm prepared to give them Domain Admin rights, but that decision can't come from me. Up until last month the domain admin password was shared with everyone in the department. We are trying to ensure our support staff has the highest level of needed security without granting them access to the kingdom.

    Accepted Solution

    With IT it's often best to do a system of checks and balances. They don't need THE domain admin login; they can each have their own that is part of the Domain Admins group. The network guys don't have passwords to the database, and the data guys can't control the network. The server admin can't log in to the router...

    Assisted Solution

    by: Mike Kline
    What we have done in several places I've been at is to have the support staff get more granular. Meaning, a lot of people say they need admin rights or rights on servers, but ask them what they actually do that requires those rights.

    You can then see if you can delegate the rights to them or use built-in groups. In some cases they may all say "I need to reboot a DC if something is wrong." Then management has to make the decision that no, not everyone really needs to do that.

    Some places also go to third-party tools to help (Quest and NetIQ have tools, but they are expensive).
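The accepted solution above (a named privileged account per person instead of the shared Domain Admin login) and Mike Kline's answer (delegate the narrower rights support staff actually use, through built-in groups) can both be scripted. The following is an added example written for this page, not code posted by any participant in the thread. It assumes the ActiveDirectory RSAT module, a domain named corp.example, an OU named "Admin Accounts", a group named "Server Support", and member servers app01 and app02; every one of those names is an assumption to replace with your own.

```powershell
# Added example, not from the original thread. Assumed names: domain corp.example,
# OU "Admin Accounts", group "Server Support", servers app01/app02.
Import-Module ActiveDirectory

$AdminOU    = "OU=Admin Accounts,DC=corp,DC=example"   # assumed OU for privileged accounts
$SupportGrp = "Server Support"                         # assumed delegated support group
$Servers    = @("app01", "app02")                       # assumed member servers

# 1. One named privileged account per person. Each support tech gets an
#    individual "-adm" account, so actions in the logs trace to one person
#    rather than to a password the whole department knows.
function New-NamedAdminAccount {
    param(
        [Parameter(Mandatory)][string]$Sam,   # e.g. jdoe-adm
        [Parameter(Mandatory)][string]$Name
    )
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
        New-ADUser -Name $Name -SamAccountName $Sam -Path $AdminOU `
            -AccountPassword (Read-Host "Initial password for $Sam" -AsSecureString) `
            -Enabled $true -ChangePasswordAtLogon $true
    }
}

# 2. Delegate "log on and work with the application" through the built-in
#    Remote Desktop Users group on each server, not through Domain Admins.
#    The domain group is created once; the local group on every server
#    then gets that domain group as a member.
function Grant-ServerSupportAccess {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Group
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -GroupScope Global -Path $AdminOU
    }
    $member = "$((Get-ADDomain).NetBIOSName)\$Group"
    Invoke-Command -ComputerName $ComputerName -ArgumentList $member -ScriptBlock {
        param($m)
        # Add-LocalGroupMember ships with PowerShell 5.1 and later.
        # "Already a member" is not an error we care about here.
        Add-LocalGroupMember -Group "Remote Desktop Users" -Member $m -ErrorAction SilentlyContinue
    }
}

# 3. The compliance check: who is really in Domain Admins (nested groups
#    flattened), and when was the built-in Administrator account last used?
#    If that last logon keeps moving, someone is still using the shared login.
function Get-DomainAdminReport {
    $members = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
    $builtin = Get-ADUser -Filter "SamAccountName -eq 'Administrator'" -Properties LastLogonDate
    [pscustomobject]@{
        DomainAdmins          = $members
        BuiltinAdminLastLogon = $builtin.LastLogonDate
    }
}

# Usage (assumed names):
New-NamedAdminAccount -Sam "jdoe-adm" -Name "Jane Doe (admin)"
Grant-ServerSupportAccess -ComputerName $Servers -Group $SupportGrp
Add-ADGroupMember -Identity $SupportGrp -Members "jdoe-adm"
Get-DomainAdminReport | Format-List
```

Two caveats a practitioner will want. Remote Desktop Users only grants the logon; it does not grant the right to restart services or change the application, so any such task still has to be delegated separately (a local group, a specific right in the server's user rights assignment, or a tool as Mike mentions). And local group membership added with Add-LocalGroupMember is overwritten by a Restricted Groups policy if one applies to the server; for more than a handful of servers the durable way to populate Remote Desktop Users is a Group Policy object, with the script above used only to seed or audit it.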


