Administration Elevation (best practice and why elevate)

Posted on 2016-08-30
Last Modified: 2016-09-18
Can anyone point me towards the best practice in elevating permissions for IT engineers? I am sure there is documentation out there on this and would appreciate pointers.

1) why not provide engineer accounts with Admin rights (or not)
2) why have secondary accounts with additional permissions

Does using elevated permissions add security in the event a laptop is lost (so they then cannot reverse engineer the administration logon details)?

Many thanks
Question by: ncomper

Accepted Solution

by: rindi (LVL 88)
rindi earned 200 total points (awarded by participants)
ID: 41776106
It should be pretty straightforward and clear. Never use a PC logged on with an account that has admin rights. If you do that, the chances are higher that malicious code can be executed without the user knowing. Besides that, if the user forgets to log off when he leaves the PC for a short period, and the screensaver hasn't yet come on, someone else can easily use that admin account to harm the system. With UAC you can easily use the other account that has admin rights to do things that need elevated rights.

If the laptop is stolen, the account type won't help to keep the crooks from your data. For that you need other things. For example, use a BIOS password so that you can only start the laptop if the correct password is used. Those passwords can't be reset without knowing them, or without the help of the laptop manufacturer, who then requires proof of ownership. This makes the PC useless and unsellable to the crooks.

Also set the HD password via the BIOS. That makes the disk useless to anyone who doesn't know that password. These passwords can't be reset even with proof of ownership or via the manufacturer; you need to know the password to reset it.

Use disk encryption. That way, even if the BIOS and HD passwords get reset because the thief either knows them or finds them by trial and error, he won't be able to read the data on the disk.
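The separation rindi describes, as an added PowerShell example that is not part of the original answer: the daily session keeps a standard token, and a single admin console is started through the UAC credential prompt with the secondary account. The account names CONTOSO\jdoe (daily) and CONTOSO\jdoe-adm (secondary admin) are hypothetical.

```powershell
# Added example, not from the original answer. Keep daily work on a standard token and
# elevate one process at a time with the secondary admin account via the UAC prompt.
# Hypothetical accounts: CONTOSO\jdoe (daily), CONTOSO\jdoe-adm (admin-only).

function Get-AdminTokenState {
    # Classify the current process token by how BUILTIN\Administrators (S-1-5-32-544)
    # appears in it:
    #   Standard - the account is not a local administrator at all (what the answer recommends)
    #   Filtered - the account IS an administrator, but UAC stripped the right from this token,
    #              i.e. an admin account is being used for daily work
    #   Elevated - full administrator token
    $adminSid = 'S-1-5-32-544'
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq $adminSid }
    if (-not $row) { return 'Standard' }
    if ($row.Attributes -match 'Group used for deny only') { return 'Filtered' }
    return 'Elevated'
}

function Invoke-AdminTask {
    # Start exactly one program elevated. From a standard-user session, -Verb RunAs
    # brings up the UAC credential prompt, where the secondary admin account is entered.
    # Nothing else on the desktop gains rights; only the returned process is elevated.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList
    )
    switch (Get-AdminTokenState) {
        'Elevated' { throw 'This session is already elevated; do daily work from a standard-user session.' }
        'Filtered' { Write-Warning 'The logged-on account is a local administrator; move admin rights to a separate account.' }
    }
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; PassThru = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    $proc = Start-Process @params
    Write-Verbose ('Started {0} (PID {1}) elevated at {2:u}' -f $FilePath, $proc.Id, (Get-Date))
    return $proc
}

# Usage from the engineer's normal CONTOSO\jdoe session:
Get-AdminTokenState                                      # 'Standard' on a correctly set up desktop
Invoke-AdminTask -FilePath 'mmc.exe' -ArgumentList 'dsa.msc' -Verbose
# UAC asks for credentials; supply CONTOSO\jdoe-adm. Only that MMC runs with admin rights.
```

A result of Filtered from Get-AdminTokenState is the setup the answer warns against: the daily account itself is in Administrators, so any code it runs can ask for elevation in its name. The fix is to remove the daily account from the group and keep the rights on the secondary account, which then only ever appears in the UAC prompt.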
Assisted Solution

by: btan (LVL 63)
btan earned 200 total points (awarded by participants)
ID: 41776213
It is about adopting cyber hygiene, in this case adhering to the least-privilege principle, which in short means giving only what is required for the role to function effectively and with optimal efficiency. Indeed there is documentation on limiting privileges, such as:

Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege. Broad privileges are rights and permissions that allow an account to perform specific activities across a large cross-section of the environment; for example, Help Desk staff may be granted permissions that allow them to reset the passwords on many user accounts.

Deep privileges are powerful privileges that are applied to a narrow segment of the population, such as giving an engineer Administrator rights on a server so that they can perform repairs. Neither broad privilege nor deep privilege is necessarily dangerous, but when many accounts in the domain are permanently granted broad and deep privilege, if only one of the accounts is compromised, it can quickly be used to reconfigure the environment to the attacker's purposes or even to destroy large segments of the infrastructure.

Granting of excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure. This also includes the use of the "Enterprise Admins" group, whose members are, by default, members of the built-in Administrators group in each domain in the forest.

When EA access is required, the users whose accounts require EA rights and permissions should be temporarily placed into the Enterprise Admins group. Although users are using the highly privileged accounts, their activities should be audited and preferably performed with one user performing the changes and another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should be removed from the EA group. This can be achieved via manual procedures and documented processes, third-party privileged identity/access management (PIM/PAM) software, or a combination of both.

We should really review the role and the additional needs of the engineer role as defined, such as identifying and reviewing (with reference to best practice):

1. Which tasks members of the role perform on a day-to-day basis and which tasks are less frequently performed.
2. On which systems and in which applications members of a role should be granted rights and permissions.
3. Which users should be granted membership in a role.
4. How management of role memberships will be performed.

This is also why the management and oversight of privileged users (if the engineer is an admin or is given more rights as required) call for safeguards to be in place first. It may be just for ad-hoc purposes instead of a permanent "super admin":

• Credential "vaults," where passwords for privileged accounts are "checked out" and assigned an initial password, then "checked in" when activities have been completed, at which time passwords are again reset on the accounts.
• Time-bound restrictions on the use of privileged credentials.
• One-time-use credentials.
• Workflow-generated granting of privilege with monitoring and reporting of activities performed and automatic removal of privilege when activities are completed or the allotted time has expired.
• Replacement of hard-coded credentials such as user names and passwords in scripts with application programming interfaces (APIs) that allow credentials to be retrieved from vaults as needed.
• Automatic management of service account credentials.
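The temporary Enterprise Admins membership and the time-bound, audited grant with automatic removal described above, as an added PowerShell example that is not from the original answer or the Microsoft guidance it quotes. It uses the ActiveDirectory module's -MemberTimeToLive parameter, which requires the Privileged Access Management optional feature of a Windows Server 2016 forest, and falls back to a scheduled one-shot removal where that feature is not enabled. The forest, group, account, observer and audit-file names are hypothetical.

```powershell
# Added example, not from the original answer or the Microsoft document it quotes.
# Time-bound, audited membership in a privileged group. Hypothetical names: secondary
# admin account jdoe-ea, observer asmith, audit file C:\Audit\privilege-grants.csv.
# Run from an account that is allowed to modify the target group.
Import-Module ActiveDirectory

function Test-PamFeature {
    # The AD 'Privileged Access Management Feature' (Server 2016 forest functional level)
    # is what makes -MemberTimeToLive work. Enabling it is a one-way change, so this
    # function only checks; it never enables.
    $f = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
    return [bool]($f -and $f.EnabledScopes.Count -gt 0)
}

function Grant-TemporaryGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,      # e.g. 'Enterprise Admins'
        [Parameter(Mandatory)][string]$Member,     # sAMAccountName of the admin-only account
        [Parameter(Mandatory)][string]$Ticket,     # change record that justifies the grant
        [Parameter(Mandatory)][string]$Observer,   # second person watching the work
        [timespan]$TimeToLive = (New-TimeSpan -Hours 2),
        [string]$AuditLog = 'C:\Audit\privilege-grants.csv'
    )
    $expires = (Get-Date).Add($TimeToLive)
    if (-not $PSCmdlet.ShouldProcess("$Member in $Group until $($expires.ToString('u'))", 'Add-ADGroupMember')) { return }

    if (Test-PamFeature) {
        # AD removes the membership link itself when the TTL runs out and caps the
        # Kerberos ticket lifetime to it, so there is no cleanup step to forget.
        Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $TimeToLive
        $method = 'PAM TTL'
    }
    else {
        # Manual-procedure fallback: add now and schedule a one-shot removal at expiry.
        # The task runs as the granting account, which must keep rights on the group.
        Add-ADGroupMember -Identity $Group -Members $Member
        $cmd     = "Remove-ADGroupMember -Identity '$Group' -Members '$Member' -Confirm:`$false"
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
        $trigger = New-ScheduledTaskTrigger -Once -At $expires
        Register-ScheduledTask -TaskName "Revoke $Group - $Member" -Action $action -Trigger $trigger | Out-Null
        $method = 'Scheduled removal'
    }

    # Audit record: who granted what to whom, why, who observed, and when it lapses.
    [pscustomobject]@{
        Time      = (Get-Date).ToString('u')
        Group     = $Group
        Member    = $Member
        Ticket    = $Ticket
        Observer  = $Observer
        GrantedBy = "$env:USERDOMAIN\$env:USERNAME"
        ExpiresAt = $expires.ToString('u')
        Method    = $method
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
}

function Get-TemporaryMembers {
    # With -ShowMemberTimeToLive, expiring links come back as '<TTL=<seconds>,<DN>>'
    # while permanent members have no prefix, so this lists only the temporary ones.
    param([Parameter(Mandatory)][string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

# Usage (hypothetical names):
# Grant-TemporaryGroupMembership -Group 'Enterprise Admins' -Member 'jdoe-ea' -Ticket 'CHG0012345' -Observer 'asmith'
# Get-TemporaryMembers -Group 'Enterprise Admins'
```

The observer is recorded but not enforced by the script; the two-person rule the answer describes still has to be a procedure, with the audit file as its evidence. Anything left in Get-TemporaryMembers after the expected window, or any Enterprise Admins member that shows up without a TTL prefix, is exactly the permanent broad-and-deep privilege the quoted guidance warns about.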
Assisted Solution

by: John Hurst (LVL 94)
John Hurst earned 100 total points (awarded by participants)
ID: 41776223
1) why not provide engineer accounts with Admin rights (or not)

After 15 years of working with this, it is never correct to make users into Administrators.

Pick one in the group to install software and make Windows Updates automatic.
