How to secure the Administrator account?

  • Thread starter David M. Streb, MCSE

David M. Streb, MCSE

Here's a question I've never really investigated until recently; I'm hoping
I'm missing something...

Administrator Account: We regularly rename and place strong passwords onto
this account. This account is limited to the most trusted employee of the
company and never to the normal "administrator" of the network.

Domain Admins: This is the regular, day-to-day account we assign to the
full-time administrator.

Problem: Members of the "Domain Admins" group are permitted to rename,
reset, and change the "Administrator" account, as well as change group
membership for both the "Administrators" and the "Domain Admins" members. In
other words, a lower, less-trusted administrator is free to do whatever he
feels to the most trusted account--it doesn't make sense.

We've tried removing the "Domain Admins" group from the "Administrators"
group, which then prevents "log on locally" rights. When we assign these
rights to the "Domain Admins" group, they can perform all actions just as if
they still belonged to the "Administrators" group. We tried adjusting the
ACLs and DACLs with no success; the "Domain Admin" can simply reverse the
process and eventually add themselves back to the "Administrators Group". We
tried limiting the group membership with "Restricted Groups" in group
policies, which work, but does not prevent the domain admin from changing
the "Administrators" password...once that's accomplished, he can log on as
the "Administrator" and reset his permissions.

The only resolution we have been able to come up with is delegated
"Organizational Units", but that limits the "Domain Admin" from performing
his duties.

Any ideas?

--
David M. Streb, MCSE
Microsoft Certified Partner
Specializing in Exchange
and FrontPage Hosting
http://www.exiis.net
Dave at exiis dot net
 

Steven L Umbach

You are not missing anything Dave. The domain admins group is simply a
global group that exists in the administrators group that gives its members
administrator powers just like the administrator. Yes, you can assign
different user rights and ACLs to each, but as you mentioned an
administrator can always ultimately reissue rights to himself. The difference
for "the" administrator account is that it can not be locked out from
interactive logon, it can not be removed from the administrators group, and
it can not be disabled. Your options are to live with that and be careful
with who you make an administrator, use OU's to delegate authority as you
mentioned, or use a multiple domain structure possibly with an empty root
domain where the enterprise administrator resides who is also in the
administrators group of every child domain. --- Steve
 

Chuck

Here's a question I've never really investigated until recently; I'm hoping
I'm missing something...

Administrator Account: We regularly rename and place strong passwords onto
this account. This account is limited to the most trusted employee of the
company and never to the normal "administrator" of the network.

Domain Admins: This is the regular, day-to-day account we assign to the
full-time administrator.

Problem: Members of the "Domain Admins" group are permitted to rename,
reset, and change the "Administrator" account, as well as change group
membership for both the "Administrators" and the "Domain Admins" members. In
other words, a lower, less-trusted administrator is free to do whatever he
feels to the most trusted account--it doesn't make sense.

1) As you pointed out, your employees have to have system authority
necessary to do their job, balancing the need to maintain network
access against the need to keep the network secure.

2) You have to have employees you can trust, and a written security
policy to let them know what they may and may not do.

3) You have to have an audit trail you can trust, and review the
audit reports frequently enough that you see all events that concern
you, promptly enough to take action effectively.

4) You have to put the fear into your employees, and fire the first
who violates security policy.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
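Chuck's third point only works if someone actually reads the audit trail. The following is an added example (not from this thread or any of its posters) that pulls the Security-log events on a domain controller which record changes to the built-in Administrator account, looked up by its well-known RID 500 so renaming it does not matter, or to the Administrators and Domain Admins groups. It assumes the RSAT ActiveDirectory module, Windows Server 2008-style event IDs, and that success auditing for user account and security group management is enabled; the function name and the 7-day window are my own choices.

```powershell
# Added example: report who changed the built-in Administrator account or the
# Administrators / Domain Admins groups, from the DC's Security log.
Import-Module ActiveDirectory

function Get-AdminAccountChanges {
    param([int]$Days = 7)   # how far back to look (assumed default)

    $domain    = Get-ADDomain
    $adminSid  = "$($domain.DomainSID.Value)-500"                     # built-in Administrator
    $groupSids = @("$($domain.DomainSID.Value)-512", 'S-1-5-32-544')  # Domain Admins, Administrators
    $targets   = @($adminSid) + $groupSids

    # Event IDs and a short description; all are documented Windows Security events.
    $watch = @{
        4720 = 'account created';           4722 = 'account enabled'
        4723 = 'password change attempt';   4724 = 'password reset'
        4725 = 'account disabled';          4738 = 'account changed'
        4781 = 'account renamed'
        4728 = 'member added to global group';     4729 = 'member removed from global group'
        4732 = 'member added to local group';      4733 = 'member removed from local group'
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData fields (TargetSid, SubjectUserName, MemberSid, ...) into a table.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Only keep events whose target is the Administrator account or one of the two groups.
        if ($targets -contains $data['TargetSid']) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                EventId  = $e.Id
                What     = $watch[$e.Id]
                Target   = $data['TargetUserName']
                Member   = $data['MemberSid']        # only present on group-membership events
                ByUser   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Computer = $e.MachineName
            }
        }
    }
}

Get-AdminAccountChanges -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Run it on each domain controller (or against a forwarded log), since account and group changes are logged only on the DC that processed them.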
 

Steven L Umbach

Another thought. This is not foolproof, but may help deter what you are talking
about. Go to the security properties of the administrator account in Active Directory
and remove those groups that the other administrators would be members of - users,
everyone, domain admins, etc. Add the administrator account with full control and
leave the other machine type accounts including system and also leave self if it is
there. Make sure the inherit from parent box is also deselected. After that, the
other administrators should not have any access to the administrator account. There
is a way to change it back, but most probably do not know how. So it may be worth
looking into. --- Steve
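The steps Steve describes (strip the groups the other admins belong to, leave SYSTEM and SELF, give the Administrator account full control of its own object, turn off inheritance) can be reviewed and applied from the command line. This is an added example, not code from the thread or its posters; it assumes the RSAT ActiveDirectory module with its AD: drive, finds the (possibly renamed) Administrator account by RID 500, and only reports unless the -Apply switch is given.

```powershell
# Added example: audit, and optionally tighten, the DACL on the built-in Administrator
# account object so that Domain Admins no longer hold write-class rights on it.
param([switch]$Apply)   # assumed switch: without it the script only reports
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$adminUser = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
$aclPath   = "AD:\$($adminUser.DistinguishedName)"
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll, ExtendedRight'

function Get-WriteCapableTrustees {
    # Every Allow ACE on the object that carries rights able to change the account.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeMask) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

'Before:'; Get-WriteCapableTrustees -Path $aclPath | Format-Table -AutoSize

if ($Apply) {
    # Step 1: "inherit from parent" off, copying the inherited ACEs as explicit ones so
    # SYSTEM, SELF and the machine-type principals stay in place.
    $acl = Get-Acl -Path $aclPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $aclPath -AclObject $acl

    # Step 2: re-read the now-explicit ACL, give the account full control of itself,
    # then drop every Allow ACE granted to Domain Admins.
    $acl = Get-Acl -Path $aclPath
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $adminUser.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.Principal.AccessControlType]::Allow)))
    $domainAdmins = "$($domain.NetBIOSName)\Domain Admins"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $domainAdmins -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $aclPath -AclObject $acl

    'After:'; Get-WriteCapableTrustees -Path $aclPath | Format-Table -AutoSize
}
```

One caveat worth knowing before relying on this: the Administrator account is a protected account, so the directory's SDProp process periodically rewrites its DACL from the AdminSDHolder object, and an edit made directly on the account will be undone unless the same change is made on AdminSDHolder. That is also the "way to change it back" Steve alludes to, which is why he calls it a deterrent rather than a control.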
 

David M. Streb, MCSE

Thanks Guys!
For a moment I thought I was losing it...

So, why isn't the "Admins" the "Admin"? The final authority? Is it not
possible? What's the equivalent in other systems like Unix and Sun? Or are
they faced with the same challenges?

--
David M. Streb, MCSE
Microsoft Certified Partner
Specializing in Exchange
and FrontPage Hosting
http://www.exiis.net
Dave at exiis dot net
 

David M. Streb, MCSE

Seems silly to even have a Domain Admin account...

--
David M. Streb, MCSE
Microsoft Certified Partner
Specializing in Exchange
and FrontPage Hosting
http://www.exiis.net
Dave at exiis dot net
 

Steven L Umbach

In a way the administrator is the final authority. He is the only one that can create
more administrators. It has improved much since NT4.0 and Windows 2003 has even more
security groups such as the network configuration group which allows members to
configure tcp/ip settings and such. For the domain, between delegation and the
various built in groups, there is not a reason to have a whole lot of
administrators. --- Steve
 

Chuck

In a way the administrator is the final authority. He is the only one that can create
more administrators. It has improved much since NT4.0 and Windows 2003 has even more
security groups such as the network configuration group which allows members to
configure tcp/ip settings and such. For the domain, between delegation and the
various built in groups, there is not a reason to have a whole lot of
administrators. --- Steve

To be totally secure, you should have only 1 administrator period.
That 1 person has to be:
1) Totally trustable. Never need audit verification.
2) Totally indestructible. Never get sick, die, or leave the
company.

Short of #1 and #2 being an absolute certainty, you have to segment
and back up his duties, such as the way your company has done.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 