2000 Domain Admin Best Practices

Guest

I'm a little rusty with AD security... but was wondering if there are resources out there or can anyone break down what the best practices are regarding overall Domain security in terms of Administrators.

1. How many built-in administrator accounts are there? Is there just one overall domain "Administrator" account who is part of the Domain Administrator group for an AD Forest? Should you rename the ID and then change the Administrator password and keep this in an encrypted DB or in an envelope just in case the Admins leave the company?

2. Should you rename all Administrator accounts, enable logging on the domain in case that password is changed and then make all the Sys Admins use their own IDs as part of the Domain Admin group?

3. Are there many services on domain controllers that use "Administrator" for system access? Would you have to change that password as well or does it propagate automatically?

What's the best way to limit the abuse of a domain admin, make them accountable, log their actions but still allow them to do their day-to-day duties such as add/remove users, change permissions, reset passwords, etc.? I'm looking for overall best practices to eliminate the use of that shared Administrator ID (or any domain Admin ID for that matter). We're looking to prevent abuse of power but not interfere with job duties. We want to rename this ID but then also at the same time we need to know the effects within the enterprise of doing so. How many different types of dependencies are there on this built-in ID?

Any help, assistance, comments or references to some good best practice security articles on AD would be great. Thanks!
 
Jorge_de_Almeida_Pinto

Additional Tips:

A tip for delegation (per organization this may depend, but this should give you a hint how to do it):
* Create separate admin accounts to perform admin tasks
* Define the admin roles in your organization
* Define all the admin tasks performed by those roles in your organization
* Create an OU for the Admin roles and the admin tasks
* Do not delegate the management of the roles and the tasks to groups or persons other than the domain admins
* Create an OU for the Admin accounts
* Do not delegate the management of the admin accounts to groups or persons other than the domain admins
* Create a separate OU for the Admin roles
* Set up admin roles represented by security groups in AD
* Set up all kinds of tasks represented by security groups in AD
* Give the task groups the appropriate permissions in AD and on servers through the Delegation of Control wizard and through GPOs (Restricted Groups feature)
* Make the role groups a member of the appropriate tasks
* Make the admin accounts a member of the appropriate roles (most of the time 1 admin account only has one role assigned)
* Protect the admin accounts OU, the admin roles and tasks OU

For delegating tasks see the following white papers. They are very good!
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

* Always use service accounts for services when needed. Otherwise use the default system account
* Configure and enable auditing on the default strong groups and on the roles and tasks groups to see what changes are made to those groups

There are also a lot of ebooks available on the net that describe security issues (Quest, ScriptLogic, NetIQ).

Good luck
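One way to lay out the admin-account / role / task structure and the group auditing that the tips above describe, as an added PowerShell example that is not code from this thread or from its posters. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, not the Windows 2000 tooling the thread dates from), a placeholder domain `DC=corp,DC=example`, and invented OU, group and account names (`Task-ResetUserPasswords`, `Role-HelpdeskAdmin`, `adm.jsmith`). The three GUIDs are the well-known ones for the "Reset Password" control access right, the `user` object class and the `member` attribute. It must be run as a domain admin.

```powershell
# Added example (not from the original thread): OU, role-group and task-group
# layout for delegated administration. Domain, OU, group and account names
# below are placeholders / invented for illustration.
Import-Module ActiveDirectory

$domainDn   = 'DC=corp,DC=example'          # placeholder: replace with your domain
$ouAccounts = "OU=Admin Accounts,$domainDn"
$ouRoles    = "OU=Admin Roles,$domainDn"
$ouTasks    = "OU=Admin Tasks,$domainDn"
$ouUsers    = "OU=Users,$domainDn"          # OU the task permission is delegated over

# 1. OUs for admin accounts, roles and tasks. No delegation ACE is added here,
#    so management of these OUs stays with Domain Admins, as the tips advise.
foreach ($ou in 'Admin Accounts', 'Admin Roles', 'Admin Tasks') {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# 2. One task group per delegated permission, one role group per job function.
New-ADGroup -Name 'Task-ResetUserPasswords' -GroupScope Global -GroupCategory Security `
    -Path $ouTasks -Description 'May reset passwords of user objects under OU=Users'
New-ADGroup -Name 'Role-HelpdeskAdmin' -GroupScope Global -GroupCategory Security `
    -Path $ouRoles -Description 'Role: first-line helpdesk administrator'

# 3. Role -> task, then separate admin account -> role (one role per admin account).
Add-ADGroupMember -Identity 'Task-ResetUserPasswords' -Members 'Role-HelpdeskAdmin'
New-ADUser -Name 'adm.jsmith' -SamAccountName 'adm.jsmith' -Path $ouAccounts `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for adm.jsmith') `
    -Enabled $true -Description 'Separate admin account; everyday account is jsmith'
Add-ADGroupMember -Identity 'Role-HelpdeskAdmin' -Members 'adm.jsmith'

# 4. Give the task group exactly one right on the target OU: the Reset Password
#    extended right, inherited by user objects only (what the Delegation of
#    Control wizard's "Reset user passwords" task grants).
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control access right
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$taskSid = (Get-ADGroup 'Task-ResetUserPasswords').SID
$acl = Get-Acl -Path "AD:$ouUsers"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $taskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass))
Set-Acl -Path "AD:$ouUsers" -AclObject $acl

# 5. Audit every change to the member attribute of the role/task groups and of
#    the default strong groups, so membership changes land in the DC security log.
$memberAttribute = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'      # schemaIDGUID of the member attribute
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$groupsToAudit = @('Role-HelpdeskAdmin', 'Task-ResetUserPasswords',
                   'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
foreach ($g in $groupsToAudit) {
    $dn   = (Get-ADGroup $g).DistinguishedName
    $sacl = Get-Acl -Path "AD:$dn" -Audit
    $sacl.AddAuditRule([System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        $memberAttribute))
    Set-Acl -Path "AD:$dn" -AclObject $sacl
}
```

The SACL entries in step 5 only produce events once the "Audit Directory Service Changes" (or, on older servers, "Audit directory service access") policy is enabled on the domain controllers. The server-side half of the tips, putting the task groups into local Administrators via the Restricted Groups GPO setting, is done in Group Policy and is not shown here.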
 
