
I noticed one of our domains has a user that logs in regularly with his domain admin credentials.

I have always known this to be a bad idea, but hoping some one can point out specific examples of exploits, problems, security flaws, etc that could occur.

sammarcow
    Are you saying that he is logging on as Administrator or that his user account is in the Domain Admins group? If he's logging in as Administrator, where is he logging in? On his workstation? If so, for what purpose? Have you talked to him and asked him why? How did you notice this? Why is it your concern? What's your justification for being concerned? How is it that you know it's a bad idea but don't know why it's a bad idea? – joeqwerty Aug 30 '11 at 13:54

3 Answers


To strictly answer your question, there's always good old mistakes with rm or del. Mistakes with those tools are not fun. I (ahem) have a friend who may have accidentally shut down a server when I -- errr, he -- meant to just logout.

But it's not a bad idea if the person legitimately needs those credentials. I log in with mine many times a day, but as a sysadmin, I need them all over. That said, I don't need admin credentials to read email and browse the web.

If you're in a regulated industry (PCI DSS, SarbOx, HIPAA), you may be required to separate your duties out as much as possible, so an admin can be putting the company (and possibly him- or herself personally) in legal jeopardy. Frankly, that's what finally got us over to being better with our admin credentials.

So the real takeaway, I believe, is to find out why the user is using the domain admin credentials. If the user is creating resources, installing software, etc., then perhaps that's what they need. If you have the time, you can always delegate out lots of AD individual privileges -- we let our helpdesk guy join PCs to the domain and change passwords, but that's about it. But just logging in with domain admin credentials, if you're an admin, doesn't necessarily mean there's cause for alarm.

CC.

No one should have their every day user account be a "domain admin" account and no one should have an every day user account have "administrative" access to more than a handful of machines.

Why? Worms, for one. Get infected by a worm and the worm may try to infect every machine on the network through administrative shares - if you're a domain admin, that means EVERY MACHINE - WORKSTATION OR SERVER - could be SERIOUSLY infected because you (or the person(s)) in question are too lazy to use RunAs or right click an app and select "run as administrator".

That would be the BIGGEST reason I can think of why it's a bad idea.

Some companies may create "Service Technicians" groups and put those groups in the local admins group of all workstations so the service techs always have appropriate access without having access to servers - that's great - BUT, even the service techs need non-privileged accounts.

Make the users log in as their "every day" accounts and give them admin accounts for when they need to do something. If you must, give them admin rights on their local laptops and desktops that they REGULARLY use, but not all systems. Then don't let them access printers and other "every day resources" as their privileged users, only as their every day users.

Convincing people to follow the rules can be difficult - especially when they are smart (I can think of a couple of ways around my own recommendation off the top of my head), but if even half the IT staff follows the correct procedures, then that's a potential 50% reduction in problems.

Multiverse IT
  • Your narrow view, which unfortunately is shared by far too many people, assumes you understand every conceivable situation and can therefore not see that there are plenty of exceptions to your "rule". What about those who only ever log on to perform administrative tasks and therefore need to have administrative access. Don't try the old "use runas" excuse because that is seldom effective and far too many tools are either not usable or are just a plain pain in the backside under runas. It's high time this sort of misinformation is knocked on the head. – John Gardeniers Aug 31 '11 at 02:50
    If you don't know techniques for using runas and Windows effectively without running as an admin, contact me, I'm happy to explain it for your specific circumstance and probably any one you can cite as an example. Just because MS failed to recognize the folly of making everyone an admin 15 yrs ago doesn't mean you have to perpetuate that "rule" today. If you'd like to debate this in a public forum, I'm happy to oblige but I doubt ServerFault.com would appreciate it done here. (though I always see value in a CIVIL debate made public). – Multiverse IT Aug 31 '11 at 07:54
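The answer above says the main risk is that a worm running in a Domain Admin's interactive session can reach every machine through administrative shares, and recommends everyday accounts plus RunAs for the privileged ones. Whether that rule is being followed is something you can check from the Security log rather than by asking. The following is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module is available, that it is run elevated on (or remotely against) a workstation whose Security log records logon events, and it uses a made-up admin account name in the runas comment.

```powershell
# Added example, not part of the answer above. Reports interactive logons by
# Domain Admins members on this workstation over the last 7 days. A Domain Admin
# account that shows up here is exactly the session a worm or credential thief
# wants to run inside of.
# Assumptions: ActiveDirectory module present; run elevated so the Security log
# is readable; -ComputerName can be added to Get-WinEvent to audit another host.
Import-Module ActiveDirectory

# Every user that is, directly or through nesting, a Domain Admin.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# 4624 = successful logon; timediff is in milliseconds (7 days).
# Logon type is filtered below in PowerShell rather than in the XPath:
#   2  = Interactive (console)   10 = RemoteInteractive (RDP)   11 = CachedInteractive
# Network (3) and service (5) logons are deliberately left out, so using a
# privileged account for remote administration does not trip the report.
$xpath  = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
$interactive = '2', '10', '11'

foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($interactive -contains $d.LogonType -and $privileged -contains $d.TargetUserName) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Host      = $e.MachineName
            From      = $d.IpAddress
        }
    }
}

# What the answer is asking people to do instead: stay logged in as the everyday
# account and launch only the admin tool under the separate admin account
# (CONTOSO\jdoe-adm is a made-up name):
#   runas /user:CONTOSO\jdoe-adm "mmc dsa.msc"
# The runas session produces a logon of type 2 as well, but it is scoped to that
# one process tree rather than to the whole desktop, browser and mail client.
```

Run it against a sample of workstations (or centralise the 4624 events first) and the list of "who logs on where as Domain Admin" falls out directly; an empty result on workstations is the state the answer is arguing for.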

Sorry to resurrect an old thread, but there's an issue that wasn't covered here. If a user isn't domain admin, then to perform duties which require domain admin privileges, they're going to have to log in with a shared account. This, in itself, is a violation of many regulatory issues related to audit trail and identity management. With UAC in 7 and 2008/R2, all actions of a domain admin are logged whenever they elevate to the "real" domain admin account - your normal account is only nominally a domain admin. So unless you start a command prompt/explorer window/etc explicitly with "Run as Administrator", there is no risk. And if you do - it's logged.

bab