  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 385

Domain Security

I've been tasked with securing our domain from our IT department. Sounds kind of strange but historically all IT employees have had Domain Admin roles assigned, and recently that has changed. This has created holes in their job functions.

I'm coming to the experts to see how they handle their domain security for their support staff. Our support staff report that they need to have access to the servers for general support. I'm entertaining the idea of setting the role of 'Remote Desktop Users' just to allow them to login and interact with the server and its applications but restrict them from making system changes. I know I have to set security how it fits my organization's requirements, but I'm looking to see how everyone else handles their support.

What permission do you grant your support staff?

2 Solutions
Aaron Tomosky (Technology Consultant) commented:
Support staff use admin logins. That doesn't mean their main login needs to be a domain admin, but they need access to one.
If you don't trust your support staff you're going down. Fast.
pitchford (Author) commented:
It's not a matter of trust; it's a matter of compliance. If someone uses the admin credentials to steal private data and everyone in the department has that password, then it will be dismissed in court. I'm prepared to give them Domain Admin rights, but that decision can't come from me. Up until last month the domain admin password was shared with everyone in the department. We are trying to ensure our support staff has the highest level of needed security without granting them access to the kingdom.
Aaron Tomosky (Technology Consultant) commented:
With IT it's often best to do a system of checks and balances. They don't need THE domain admin login, they can each have their own that is part of the domain admins group. The network guys don't have passwords to the Database and the data guys can't control the network. The server admin can't login to the router...
Mike Kline commented:
What we have done in several places I've been at is to have the support staff get more granular. Meaning a lot of people say they need admin rights or rights on servers, but ask them what they actually do that requires those rights.

You can then see if you can delegate the rights to them or use built-in groups. In some cases they may all say "I need to reboot a DC if something is wrong." Then management has to make the decision that no, not everyone really needs to do that.

Some places also go to third party tools to help (Quest and NetIQ have tools but are expensive)
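The following PowerShell script is an added example, not code from any participant in this thread. It shows the "get more granular" approach from the answer above: it reports which support-staff accounts are still members of Domain Admins, and then grants the support group interactive access on member servers through the local Remote Desktop Users group (as the asker proposed) rather than Domain Admin. It assumes the RSAT ActiveDirectory module on the admin workstation and PowerShell 5.1 on the servers; the group name "IT-Support-Staff" and the server names are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# the group "IT-Support-Staff" and the server names below are placeholders.
Import-Module ActiveDirectory

$SupportGroup = 'IT-Support-Staff'            # assumed AD group holding support accounts
$Servers      = @('SRV-APP01', 'SRV-APP02')   # constructed member-server names
$NetBiosDomain = $env:USERDOMAIN              # domain of the account running this script

# 1. Every user that is a direct or nested member of Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user'

# 2. Support-staff accounts that still hold Domain Admin: these are the
#    accounts to move to a delegated role instead.
$support = Get-ADGroupMember -Identity $SupportGroup -Recursive |
    Where-Object objectClass -eq 'user'
$overPrivileged = $domainAdmins | Where-Object {
    $_.SamAccountName -in $support.SamAccountName
}
Write-Host "Support accounts still in Domain Admins: $($overPrivileged.Count)"
$overPrivileged | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. On each server, put the support group into the local Remote Desktop
#    Users group so staff can log on and work with the applications without
#    local admin rights. -WhatIf previews the change; remove it to apply.
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList $SupportGroup, $NetBiosDomain -ScriptBlock {
        param($group, $domain)
        $domainGroup = "$domain\$group"

        $rdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' |
            Select-Object -ExpandProperty Name
        if ($domainGroup -notin $rdpMembers) {
            Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $domainGroup -WhatIf
        }

        # Check that the support group is not also a local Administrator here.
        $localAdmin = Get-LocalGroupMember -Group 'Administrators' |
            Where-Object Name -eq $domainGroup
        if ($localAdmin) {
            Write-Warning "$($env:COMPUTERNAME): $domainGroup is in local Administrators"
        }
    }
}
```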
