
I am trying to beef up my domain security, and part of this process (after some RTFM) is:

  • Service Administrator Accounts - for services (Anti Virus, spiceworks, Task Scheduler, NAS backup, SQL admin, etc..)
  • Personal Administrator Accounts for admins (CIO, CTO, RD Mgr...)
  • try to limit use of the domain admin to NULL

However, I am having trouble organizing in my head the way these accounts should be:

  • for the service ADM accounts - it's pretty clear (have access to only what they need to do, and remove GUI access)

  • but for the personal administrators: what are the credentials they (I and others) need to be?

Since I will create literally the same work, only login as the adm.myuser.name with a password, should I add myself to the Administrators group?

  • Doing that does help a bit in controlling the users, limiting shared accounts etc, but is that how it should be done?
  • what is the best practice to have such Personal Domain Administrators?

  • Once I start down this road, there are going to be so many more users that I need to control and monitor - how do I do that? - How do I monitor my srv.adm.sql user?

Saariko

1 Answer


Regarding personal administrator accounts, there are two roads to take here:

  1. Everyone gets a personal-administrator account, as well as a normal-user account.
  2. Everyone gets a personal-administrator account that they use for normal things.

Obviously the first is the more secure option, but reality suggests that many admins will just use that and not bother with the other. Which is why the second option is there. Separate admin accounts increase auditability of your environment, which is a right and true thing to do.

Living with two accounts, a normal one and an elevated one, is quite doable but takes some work to really live with successfully. The problem with Windows is that it only sometimes works to "run-as" certain management tools as your elevated account. One option is to have a Terminal Server somewhere that admins must log into to use their elevated accounts. Another option is admin-only virtual-machines.

As for monitoring their usage, it would require some form of security monitoring environment wide, which you may or may not have. There are many ways to do that, which is beyond the scope of this question. If you go with the 'separate admin accounts, login-restricted to certain admin-workstations' route, you can monitor those security logs directly which may be easier than an environment-wide solution.

sysadmin1138
  • Thanks for a detailed answer. Can you please also comment on the Service Account user please? – Saariko Aug 26 '12 at 16:19
  • So the idea is just to NOT share the Domain Administrator - but leave the rest the same? I guess I can follow that – Saariko Aug 26 '12 at 16:32
  • @Saariko The Service Account accounts are types I consider 'utility accounts'; accounts used for one purpose only. They're never logged into, only used in automation. I'm not sure what your question is, actually. – sysadmin1138 Aug 26 '12 at 18:52
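
The monitoring discussed in the answer and its last comment can be sketched as a check over logon events (Security event ID 4624); this is an added example, not part of the original thread. It assumes the question's naming scheme (adm.* for personal admin accounts, srv.* for service accounts) and two hypothetical admin-only hosts, ADMIN-WS01 and ADMIN-TS01; the sample records are constructed.

```powershell
# Assumptions, not from the post: ADMIN-WS01 / ADMIN-TS01 are hypothetical
# admin-only hosts; adm.* and srv.* follow the question's naming scheme.
$AdminHosts       = @('ADMIN-WS01', 'ADMIN-TS01')
$InteractiveTypes = @(2, 10, 11)   # console, RDP, cached-credential logons

function Convert-LogonEvent {
    # Flatten a Security 4624 (successful logon) record to the fields used below.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            Computer  = $Record.MachineName      # host that recorded the logon
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
        }
    }
}

function Get-LogonFinding {
    # Emit a finding for each logon that breaks the account-separation rules.
    param([Parameter(ValueFromPipeline)] $Logon)
    process {
        $hostName      = ($Logon.Computer -split '\.')[0]   # strip DNS suffix
        $isInteractive = $InteractiveTypes -contains $Logon.LogonType
        $reason = if ($Logon.User -eq 'Administrator') {
            'built-in Administrator account was used'
        } elseif ($Logon.User -like 'srv.*' -and $isInteractive) {
            'service account logged on interactively'
        } elseif ($Logon.User -like 'adm.*' -and $isInteractive -and $AdminHosts -notcontains $hostName) {
            'personal admin account used outside the admin hosts'
        }
        if ($reason) {
            [pscustomobject]@{ Time = $Logon.Time; User = $Logon.User; Computer = $Logon.Computer; Reason = $reason }
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ Time = '09:00'; User = 'adm.myuser.name'; Computer = 'ADMIN-WS01.corp.example'; LogonType = 10 }
    [pscustomobject]@{ Time = '09:05'; User = 'srv.adm.sql';     Computer = 'SQL01.corp.example';      LogonType = 5 }
    [pscustomobject]@{ Time = '09:10'; User = 'adm.myuser.name'; Computer = 'DESKTOP-17.corp.example'; LogonType = 2 }
    [pscustomobject]@{ Time = '09:20'; User = 'srv.adm.sql';     Computer = 'SQL01.corp.example';      LogonType = 10 }
    [pscustomobject]@{ Time = '09:30'; User = 'Administrator';   Computer = 'DC01.corp.example';       LogonType = 3 }
)
$sample | Get-LogonFinding | Format-Table -AutoSize

# Live use: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | Convert-LogonEvent | Get-LogonFinding
```

Reading the Security log requires an elevated session; running the live pipeline against the admin workstations or a forwarded-events collector keeps the volume manageable.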