I was browsing through Microsoft's Best Practices for Securing Active Directory and saw the chart linked which includes some of the best practices included in the document, rated by importance.

At number 6 is "Prevent powerful accounts from being used on unauthorized systems." I am taking this to mean that certain accounts, i.e. task-oriented admins (think DNS admins) cannot log into "unauthorized systems" such as a client PC on the network.

When people think powerful accounts, they tend to think administrators which have access to everything. However, if an organization implements LUA, tasks can be delegated to various admins so that all power does not reside in one group, which would make it possible to restrict such things.

Is #6 only possible when a domain implements delegation of authority and uses LUA? If that is not the correct viewpoint, what is meant by this statement?

Note: Number 5 is "Protect and monitor accounts for users who have access to sensitive data" - which, in a perfect world, would mean principle of least privilege / delegation, yes?

cutrightjm
  • You should ask the one who wrote the document for what he meant exactly. 5: in my understanding no. – Dennis Nolte Dec 20 '14 at 14:01
  • The actual paper is at http://www.microsoft.com/en-us/download/details.aspx?id=38785 , #6 you are close on, #5 is about ensuring that accounts are monitored for compromise, as well as ensuring that the account is not easily compromised (MFA, certificate auth, etc.) – Jim B Dec 20 '14 at 22:04

1 Answer

I'm assuming that this means, for example, not logging in with your domain administrator credentials in order to do your daily work on your workstation. If so, you would have a "normal" user account to do your "normal" work and a domain admin account that you use specifically for domain admin activities. For your DNS admin example, same thing: there's a separate account that s/he uses for daily work, and the DNS admin account for DNS admin work.

I've worked at places that do it both ways, and I personally prefer the separate account approach. For example, a previous employer suggested I get work email on a personal blackberry. This would have required storing domain admin credentials on my cell provider's servers, so I refused. I also occasionally had a desktop tech ask me to take a look at a machine that was "acting funny," and it always creeped me out to have to do that with domain admin credentials (I'd immediately change my password afterwards).

Katherine Villyard
  • Well. I think how you "prevent" something is... open to interpretation across individual organizations. I've seen a wide spectrum, and none of my former employers barred domain admins from any resource. Well. Except the president of the company's personal network share, with the caveat to him that 1. it was being backed up (so your content is on a backup drive) and 2. we can really get into it (by changing permissions), but we won't. One former employer said they would have one domain admin, period, and wouldn't grant Exchange admins domain privs, but relented. – Katherine Villyard Dec 20 '14 at 05:22
  • I would take a look at the full whitepaper, rather than the excerpts, to explain the secure administrative model: http://www.microsoft.com/en-us/download/details.aspx?id=38785 – Jim B Dec 20 '14 at 22:00
  • @JimB I've been looking through the full white paper - if you look on the pages in the very beginning, the chart that is linked above is also linked there – cutrightjm Dec 21 '14 at 05:03
  • Yes, and appendix C-I give step by step instructions on how to secure accounts, appendix L gives a list of events to monitor for. The guide is fairly explicit on what your options are; the only thing missing is a discussion of data security (understandable because it is only about securing AD, not data and access in the environment) – Jim B Dec 21 '14 at 18:57
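One way to make #6 ("prevent powerful accounts from being used on unauthorized systems") concrete is to pair the separate-account model from the answer with a check that privileged accounts only log on interactively to the tier of host they are meant to administer. The script below is an added example written for this page; it is not from the answer, the Microsoft paper, or any product. The tiering policy, host inventory, group membership and log records are all constructed stand-ins (in practice group membership would come from the directory and the records from Security event 4624), and the pipe-delimited line format is invented for the example, not Windows' own event format.

```python
# Added example (not from the answer or the Microsoft paper): flag interactive
# logons by privileged accounts on hosts where the tiering policy does not
# allow that tier of account. All names, hosts and log lines below are
# constructed for illustration.

from typing import Dict, List, NamedTuple, Set, Tuple

# Hypothetical policy: which privileged group may log on interactively to
# which class of host. Any host class not listed for a group counts as an
# unauthorized system for that group.
POLICY: Dict[str, Set[str]] = {
    "Domain Admins": {"domain-controller"},
    "DNS Admins": {"dns-server"},
}

# Hypothetical host inventory (hostname -> host class).
HOST_CLASS: Dict[str, str] = {
    "DC01": "domain-controller",
    "DNS01": "dns-server",
    "WS-0042": "workstation",
}

# Hypothetical group membership; in practice this comes from the directory.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Domain Admins": {"CORP\\jdoe-da"},
    "DNS Admins": {"CORP\\dnsadm1"},
}

# Windows logon types that leave credentials on the target: 2 interactive,
# 10 remote interactive (RDP), 11 cached interactive. Network logons (3)
# are deliberately ignored here.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


class Logon(NamedTuple):
    event_id: int
    account: str
    host: str
    logon_type: int


def parse_line(line: str) -> Logon:
    """Parse one constructed, pipe-delimited record:
    event_id|account|host|logon_type (a stand-in for fields of event 4624)."""
    event_id, account, host, logon_type = (f.strip() for f in line.split("|"))
    return Logon(int(event_id), account, host, int(logon_type))


def privileged_groups(account: str) -> List[str]:
    """Privileged groups the account belongs to (empty for a daily-use account)."""
    return [g for g, members in GROUP_MEMBERS.items() if account in members]


def violations(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (account, group, host, host_class) for every successful
    interactive logon by a privileged account on a host class its group
    is not allowed to use. Unknown hosts are reported as class 'unknown'."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev.event_id != 4624 or ev.logon_type not in INTERACTIVE_LOGON_TYPES:
            continue
        host_class = HOST_CLASS.get(ev.host, "unknown")
        for group in privileged_groups(ev.account):
            if host_class not in POLICY.get(group, set()):
                found.append((ev.account, group, ev.host, host_class))
    return found


# Constructed sample records (not real Windows event output).
SAMPLE_LINES = [
    "4624|CORP\\jdoe-da|DC01|10",     # domain admin on a DC: allowed
    "4624|CORP\\jdoe-da|WS-0042|2",   # domain admin on a workstation: violation
    "4624|CORP\\jdoe|WS-0042|2",      # the same person's daily-use account: fine
    "4624|CORP\\dnsadm1|DNS01|10",    # DNS admin on the DNS server: allowed
    "4624|CORP\\dnsadm1|WS-0042|10",  # DNS admin RDP to a workstation: violation
    "4624|CORP\\dnsadm1|DC01|3",      # network logon, not interactive: ignored
    "4625|CORP\\jdoe-da|WS-0042|2",   # failed logon, different event: ignored
]

if __name__ == "__main__":
    for account, group, host, host_class in violations(SAMPLE_LINES):
        print(f"{account} ({group}) logged on interactively to {host} [{host_class}]")
```

Run against the sample records this reports two violations: the domain admin account on the workstation and the DNS admin account on the workstation, while the same person's daily-use account on that workstation and the network-only logon to the DC pass. Detection like this complements, rather than replaces, enforcement: the same policy is normally applied on the workstation side through Group Policy user rights such as "Deny log on locally" and "Deny log on through Remote Desktop Services" for the privileged groups, so that the logon is refused rather than merely logged.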