Are you using domain administrator accounts to manage Active Directory (AD) or support end-user devices? Here are some tips and best practices to help improve security and change control.
It’s a common scenario. A new employee joins the IT department, and the first task is to provide them with access, often in the form of an account with domain administrator privileges. I’ve always found it somewhat curious that organizations often entrust strangers with the keys to their kingdom. What if that person turns out to be incompetent, causing an outage or loss of critical data? It might seem an unlikely situation, but the decision to permanently assign employees highly privileged access to servers deserves careful consideration.
As if the security risks weren’t enough, the ability of IT staff to make system-level changes to servers without the oversight of a change control process also ought to be a concern. Is it enough to trust that staff follow the procedures for making changes to IT systems? What about regulatory compliance, and giving clients confidence in your IT systems?
LepideAuditor Suite can be used to monitor changes to Windows Server, but preventing unauthorized change by properly securing access should also be a priority. Read on to learn about three easy ways to start improving security and change control in your organization.
- Isolate Server Roles and Applications
The falling cost of virtualization over the past few years has given organizations of all sizes the ability to isolate business applications and services on their own servers. For example, it has always been best practice to avoid installing applications or additional server roles on domain controllers. The reason is that a domain controller has no separate local Administrators group: its built-in Administrators group carries domain-wide privileges, so anyone who needs local administrator access to a DC (to patch an application installed on it, say) effectively needs domain administrator rights.
Installing SQL Server, line-of-business applications, and other server roles that require regular administration on dedicated virtual machines makes those assets easier to secure, because their day-to-day administrators can be given local administrator rights on that one machine rather than a domain administrator account, or any other account that holds privileges beyond what the task requires.
- Delegate Administrative Privileges
Microsoft Active Directory (AD) has always had the ability to delegate privileges to groups of users, and more recent versions of Windows Server have improved the authorization controls available, including role-based access control in the server management tools.
The Delegation of Control Wizard in Active Directory Users and Computers lets you grant groups the ability to perform specific operations on the objects in an OU, such as resetting user passwords, creating and deleting user accounts, or managing Group Policy links; permission to create and edit GPOs themselves is delegated in the Group Policy Management Console. In other words, you don’t need to be a domain administrator to create a user account in Active Directory! Under the hood the wizard simply writes access control entries onto the OU, so the same delegation can be scripted, and, just as importantly, audited.
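As an added example (not code from the original post or from Lepide), the following PowerShell does what the wizard's "Reset user passwords and force password change at next logon" task does, plus the right to unlock accounts, for one OU and one group. It assumes the RSAT ActiveDirectory module is installed and uses hypothetical names: the OU `OU=Staff,DC=corp,DC=example` and the group `HelpDesk-PasswordReset`. The schema and extended-right GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the original post. Delegates password reset and
# account unlock on one OU to a help-desk group instead of handing out
# Domain Admins. Assumed names: OU "OU=Staff,DC=corp,DC=example" and
# group "HelpDesk-PasswordReset" (both hypothetical).
Import-Module ActiveDirectory

$ouDN  = 'OU=Staff,DC=corp,DC=example'                   # assumed OU
$group = Get-ADGroup -Identity 'HelpDesk-PasswordReset'  # assumed group
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Resolve GUIDs from the schema and the Extended-Rights container instead of
# hard-coding them; a typo in a GUID silently grants the wrong right.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string] $ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid] $o.schemaIDGUID
}
function Get-ExtendedRightGuid([string] $displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid] $o.rightsGuid
}
$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
# "Descendents" is the .NET spelling: apply to child objects only, not the OU itself.
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rightsEnum  = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$ouDN"

# Extended right "Reset Password", scoped to user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rightsEnum::ExtendedRight, $allow, $resetPwd, $descendants, $userClass)))

# Read/write pwdLastSet (force change at next logon) and lockoutTime (unlock),
# again only on user objects. Nothing here touches group membership.
foreach ($attr in $pwdLastSet, $lockoutTime) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rightsEnum::ReadProperty -bor $rightsEnum::WriteProperty),
        $allow, $attr, $descendants, $userClass)))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: every delegation is now an explicit ACE on the OU that can be reviewed.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The important design point is the `$userClass` argument on every rule: it limits the grant to user objects, so the help-desk group cannot reset the password of a computer or service account that happens to sit under the same OU, and the rules are inherited by child objects only, so nothing is granted on the OU itself. Run the final query again after any later change to spot ACEs that weren't put there deliberately.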
- Devise a Strategy to Support End User Devices
Always configure PCs so that domain administrator accounts are never needed for support. Consider a standard Windows 7 domain-joined PC. To make a Remote Desktop connection to it, you need an account that is either a member of its local Administrators group, which includes Domain Admins by default on every domain-joined machine, or a member of its Remote Desktop Users group. The right approach is a dedicated group for desktop support staff, added to those local groups through Group Policy, with domain administrator accounts kept off workstations entirely. In my previous blog post, Failure to Secure End-User Devices Leaves Servers and Data at Risk, I outlined some of the reasons why domain administrator accounts shouldn’t be used to administer end-user devices, including the increased risk that domain administrator credentials are left in memory or in cached logon data on PCs that aren’t appropriately secured, where they can be captured and reused against the servers.
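As an added example (not code from the original post or from Lepide), here is the workstation side of that strategy in PowerShell: give a support group the local rights it needs for RDP and administration, then deny domain administrator accounts every logon type on the PC so their credentials never land there. It is written for a domain-joined Windows 10 / PowerShell 5.1 machine (the `Microsoft.PowerShell.LocalAccounts` cmdlets do not exist on the Windows 7 PC the post mentions, where `net localgroup` does the same job) and uses hypothetical names: the domain `CORP` and the support group `CORP\Desktop-Support`. In production the same settings belong in a GPO (Restricted Groups and User Rights Assignment) linked to the workstation OU, rather than a script run on each PC.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined
# workstation. Assumed (hypothetical) names: domain CORP, group CORP\Desktop-Support.
$supportGroup = 'CORP\Desktop-Support'

# 1. Local rights for the support group: RDP plus local admin, nothing domain-wide.
foreach ($localGroup in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $localGroup | Select-Object -ExpandProperty Name
    if ($members -notcontains $supportGroup) {
        Add-LocalGroupMember -Group $localGroup -Member $supportGroup
    }
}

# 2. Deny the Tier 0 groups every logon type on this PC. Resolve the SIDs from the
#    names so the script works in any domain without hard-coding them.
$tier0Sids = 'CORP\Domain Admins', 'CORP\Enterprise Admins' | ForEach-Object {
    (New-Object System.Security.Principal.NTAccount($_)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$sidList = ($tier0Sids | ForEach-Object { "*$_" }) -join ','

# secedit REPLACES each listed assignment; these deny rights are empty on a
# stock workstation, so there is nothing to merge. Check with secedit /export first
# if the machine already carries a custom policy.
$rights = 'SeDenyInteractiveLogonRight',        # log on locally
          'SeDenyRemoteInteractiveLogonRight',  # Remote Desktop
          'SeDenyNetworkLogonRight',            # SMB, WMI, PowerShell remoting
          'SeDenyBatchLogonRight',              # scheduled tasks
          'SeDenyServiceLogonRight'             # services

$header = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@
$body    = ($rights | ForEach-Object { "$_ = $sidList" }) -join "`r`n"
$infPath = Join-Path $env:TEMP 'deny-tier0-logon.inf'
Set-Content -Path $infPath -Value ($header + "`r`n" + $body) -Encoding Unicode

secedit /configure /db "$env:TEMP\deny-tier0-logon.sdb" /cfg $infPath /areas USER_RIGHTS /quiet

# 3. Verify the effective policy rather than trusting the return code.
$exportPath = Join-Path $env:TEMP 'effective-user-rights.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS /quiet
Select-String -Path $exportPath -Pattern '^SeDeny' | ForEach-Object { $_.Line }
```

The deny rights win over any allow, so even though Domain Admins is still a member of the local Administrators group, a domain administrator can no longer log on to this PC interactively, over RDP, or across the network, and there is no reason for their password or Kerberos tickets to be on the box. Test on a single machine before linking the equivalent GPO, since `SeDenyNetworkLogonRight` also blocks any remote management you may currently be running with those accounts.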