Administration Elevation (best practice and why elevate)

Can anyone point me towards the best practice in elevating permissions for IT engineers. I am sure there is documentation out there on this and would appreciate pointers.

1) why not provide engineer accounts with Admin rights (or not)
2) why have secondary accounts with additional permissions

By using elevated permissions, does this add security in the event a laptop is lost (they then cannot reverse engineer the administration logon details)?

Many thanks
rindi Commented:
It should be pretty straightforward and clear. Never use a PC logged on with an account that has admin rights. If you do that, the chances are higher that malicious code can be executed without the user knowing. Besides that, if the user forgets to log off when he leaves the PC for a short period, and the screensaver hasn't yet come on, someone else can easily use that admin account to harm the system. With UAC you can easily use the other account that has Admin rights to do things that need elevated rights.

If the laptop is stolen, the account type won't help to keep the crooks from your data. For that you need other things. For example, use a BIOS password so that the laptop can only be started if the correct password is entered. Those passwords can't be reset without knowing them, or without the help of the laptop manufacturer, and then they require proof of ownership. This makes the PC useless and unsellable to the crooks.

Also set the HD password via the BIOS. That makes the disk useless to anyone who doesn't know that password. These passwords can't be reset even if you have proof of ownership or via the manufacturer. You need to know the password to reset it.

Use disk encryption. That way, even if the BIOS and HD passwords get reset because the thief either knows them or finds them by trial and error, he won't be able to read the data on the disk.
btan, Exec Consultant, Commented:
In this case it is about adopting cyber hygiene by adhering to the least-privilege principle, which in short means giving only what is required for the role to function effectively and with optimal efficiency, at best. Indeed there is documentation on limiting privileges, such as:
Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege. Broad privileges are rights and permissions that allow an account to perform specific activities across a large cross-section of the environment; for example, Help Desk staff may be granted permissions that allow them to reset the passwords on many user accounts.

Deep privileges are powerful privileges that are applied to a narrow segment of the population, such as giving an engineer Administrator rights on a server so that they can perform repairs. Neither broad privilege nor deep privilege is necessarily dangerous, but when many accounts in the domain are permanently granted broad and deep privilege, if only one of the accounts is compromised, it can quickly be used to reconfigure the environment to the attacker's purposes or even to destroy large segments of the infrastructure.

Granting of excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure. This also includes the use of the "Enterprise Admin" group, by default, members of the built-in Administrators group in each domain in the forest.
When EA access is required, the users whose accounts require EA rights and permissions should be temporarily placed into the Enterprise Admins group. Although users are using the highly privileged accounts, their activities should be audited and preferably performed with one user performing the changes and another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should be removed from the EA group. This can be achieved via manual procedures and documented processes, third-party privileged identity/access management (PIM/PAM) software, or a combination of both.
We should really review the role and the additional needs for the Engineer role definition, such as identifying and reviewing (in reference to best practice):

1. Which tasks members of the role perform on a day-to-day basis and which tasks are less frequently performed.
2. On which systems and in which applications members of a role should be granted rights and permissions.
3. Which users should be granted membership in a role.
4. How management of role memberships will be performed.

This is also why the needs for the management and oversight of privileged users (if the Engineer is an admin or is given more rights as required) call for safeguards to be in place first. It may be for just an ad-hoc purpose instead of the permanent "super admin":

• Credential "vaults," where passwords for privileged accounts are "checked out" and assigned an initial password, then "checked in" when activities have been completed, at which time passwords are again reset on the accounts.
• Time-bound restrictions on the use of privileged credentials
• One-time-use credentials
• Workflow-generated granting of privilege with monitoring and reporting of activities performed and automatic removal of privilege when activities are completed or allotted time has expired
• Replacement of hard-coded credentials such as user names and passwords in scripts with application programming interfaces (APIs) that allow credentials to be retrieved from vaults as needed
• Automatic management of service account credentials
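As an added illustration (not code from any of the answers above) of the "temporarily placed into the Enterprise Admins group, audited, then removed" procedure and the time-bound privilege bullet, this PowerShell script grants Enterprise Admins membership with a time-to-live and records an audit entry. It assumes the ActiveDirectory module, a forest with the Privileged Access Management optional feature enabled (Windows Server 2016 forest functional level or later), and placeholder parameters $AdminAccount and $TicketId supplied by the operator.

```powershell
# Added example: time-bound Enterprise Admins membership with an audit record.
# Assumes the ActiveDirectory module and an enabled PAM optional feature;
# $AdminAccount and $TicketId are operator-supplied placeholders.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $AdminAccount,  # engineer's secondary admin account
    [Parameter(Mandatory)] [string] $TicketId,      # change record justifying the elevation
    [int] $Hours = 2                                # allotted window; membership expires by itself
)

$Group = 'Enterprise Admins'
$Ttl   = New-TimeSpan -Hours $Hours

# Without the PAM feature the TTL is ignored and the membership would be
# permanent, so refuse rather than grant standing EA privilege by accident.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw 'PAM optional feature is not enabled in this forest; refusing to grant untimed EA membership.'
}

# AD removes the membership link on its own when the TTL elapses.
Add-ADGroupMember -Identity $Group -Members $AdminAccount -MemberTimeToLive $Ttl

# Audit trail: who was elevated, by whom, for which change, and until when.
# The "one performs, another observes" control is procedural; this backs it.
$entry = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    Account   = $AdminAccount
    Group     = $Group
    GrantedBy = $env:USERNAME
    Ticket    = $TicketId
    ExpiresAt = (Get-Date).Add($Ttl).ToString('o')
}
$entry | Export-Csv -Path "$env:ProgramData\EA-Elevations.csv" -Append -NoTypeInformation

# Review current members with remaining TTL; AD reports timed members as
# "<TTL=seconds>,DN". Any member without a TTL is standing privilege to review.
Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsRemaining = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $_; SecondsRemaining = 'PERMANENT - review' }
        }
    } | Format-Table -AutoSize
```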
John, Business Consultant (Owner), Commented:
1) why not provide engineer accounts with Admin rights (or not)

After 15 years of working with this, it is never correct to make users into Administrators.

Pick one in the group to install software and make Windows Updates automatic.
Question has a verified solution.