Re: Active Directory Domain Administrator Security

[Harry Flowers <flowers () MEMPHIS EDU>]

Wow, I can hear the crickets chirp... The only responses I've received
so far are from others expressing interest in what I find out.  Have so
few colleges and universities addressed this yet?  I can't imagine that
most have totally been able to avoid basing a good deal of
infrastructure on Windows servers and Active Directory.  We're about
half and half here Windows to Unix/Linux servers, and I imagine most
institutions have a fair number of Windows servers.

I know, everyone is still putting their responses together to give a
really detailed view of what they're doing. ;-)
--
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis
(901) 678-3650

> -----Original Message-----
> From: Harry Flowers [mailto:flowers () MEMPHIS EDU] 
> Sent: Wednesday, October 18, 2006 2:12 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Active Directory Domain Administrator Security
>
> How are folks handling security of Domain Admin (DA) 
> accounts?  We have some servers that have shared 
> administrative access (both locally and contracted vendors), 
> so we don't have total control over what may compromise a 
> system.  Even where we do, it's always possible that no 
> matter how careful we are, a system can be compromised by an 
> exploit for which no patches are available.  Once a system is 
> compromised, it's a short step to getting DA credentials if 
> they are used on that system.
> You can assume that patching, antivirus software, and system 
> file monitoring are already taking place; I'm looking for 
> things in addition to the basics.
>
> If you're using two-factor authentication for DA accounts:
> 1) Do you only protect some systems (like your servers and DA 
> desktops), or do you deploy the clients on all desktops?
> 2) What type of two-factor authentication are you using 
> (pseudo-random number generator tokens, fingerprint scanners, etc.)?
> 3) Are you using two-factor authentication for 
> non-administrator accounts as well?
>
> If you've abandoned DA accounts in favor of local admin 
> accounts that can't spread from a compromised system, I'd 
> like to hear how you secure your passwords (use a password 
> safe like KeePass, in how many locations is a copy kept, etc.).
>
> If you are using some type of automated event log 
> consolidation and scanning, I'd like to hear what product you 
> chose, and briefly why you chose it.  (We're in the process 
> of purchasing one.)
>
> I'd also be interested in any other ways people are reducing 
> their exposure to the possibility of compromised DA accounts. 
>  Please reply directly to me, and I'll summarize for the list 
> if there's interest.
> --
> Harry Flowers
> Manager, Systems Software
> Information Technology Division
> The University of Memphis
> (901) 678-3650