Educause Security Discussion mailing list archives

Re: Active Directory Domain Administrator Security


From: "Jenkins, Matthew" <mjenkins7 () FAIRMONTSTATE EDU>
Date: Tue, 24 Oct 2006 08:44:46 -0400

We use RSA SecurID for all domain admin accounts except one master
account.  We have some service accounts (i.e. backup, monitoring, and
some other things) that require full domain admin privileges.  For these
accounts (and the master account) we use a password generator to
generate extremely long complex passwords and then store the passwords
in a password safe.  We have some applications that connect via LDAP, so
for these applications we create very minimal accounts with complex
passwords, as these apps typically don't secure the password very well
(i.e. Vista, EzProxy, Gartner portal, etc.).

Domain admin access here is extremely controlled.  Only 3 administrators
have domain admin access.  All other administrative access is delegated
using the AD delegation wizard or advanced security permissions on OUs
within our domains.  This allows such things as the support center folks
to go in and move objects around to the correct spots, joining new
computers to the domain, etc.  Delegation is really the key to securing
AD.

All server access (minus of course the DCs) is granted to the
appropriate administrators by adding a domain group to the local
administrators, and then placing the administrators in that group.  This
way we can centrally manage who can log in to specific member servers.
Of course, anyone with admin access on the individual servers can add
anyone they want to the local administrators group, so this has to be
audited routinely.

The only downside to two factor authentication, at least RSA's SecurID,
is that it doesn't work for a lot of applications.  To administrate the
domain, we have to RDP into the DCs, instead of using MMC snap-ins on
our desktop (unless someone knows a way around this).

Anyhow, that's some of our routines in a nutshell.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu
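The routine audit of the local Administrators group that Matt describes can be scripted. This is an added example, not code from the thread or from Fairmont State; the server names, the NetBIOS domain `EXAMPLE` and the delegating group `EXAMPLE\Server-Admins` are assumptions, and it uses the ADSI WinNT provider so it works without PowerShell remoting.

```powershell
# Audit local Administrators membership on member servers and report any member
# that is not the centrally managed domain group, Domain Admins, or the built-in
# local Administrator account.  Added example (not from the original thread);
# server list, domain name and group name are assumptions.
$Servers = @('SRV-FILE01', 'SRV-APP01')   # assumed member server names
$Domain  = 'EXAMPLE'                       # assumed NetBIOS domain name
$Allowed = @("$Domain\Server-Admins", "$Domain\Domain Admins")

function Get-LocalAdministrators {
    param([string]$Server)
    # Bind to the server's local Administrators group through the WinNT provider.
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath by reflection and turn
        # WinNT://EXAMPLE/Server-Admins into EXAMPLE\Server-Admins.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$findings = foreach ($s in $Servers) {
    try {
        foreach ($member in Get-LocalAdministrators -Server $s) {
            # The built-in local Administrator shows up as SERVER\Administrator.
            $isLocalBuiltin = ($member -ieq "$s\Administrator")
            if (-not $isLocalBuiltin -and ($Allowed -notcontains $member)) {
                [pscustomobject]@{ Server = $s; UnexpectedMember = $member }
            }
        }
    } catch {
        # Unreachable or access-denied servers are findings too, not silent skips.
        [pscustomobject]@{ Server = $s; UnexpectedMember = "ERROR: $($_.Exception.Message)" }
    }
}

# Anything listed here was added outside the delegated domain group and should be
# explained or removed.
$findings | Format-Table -AutoSize
```

Run it from an account that has read access to the local group on each server (membership in the delegating domain group is sufficient); scheduling it and diffing successive outputs turns the routine audit into an alert on unexpected changes.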


-----Original Message-----
From: Harry Flowers [mailto:flowers () memphis edu] 
Sent: Friday, October 20, 2006 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Directory Domain Administrator Security

Wow, I can hear the crickets chirp... The only responses I've received
so far are from others expressing interest in what I find out.  Have so
few colleges and universities addressed this yet?  I can't imagine that
most have totally been able to avoid basing a good deal of
infrastructure on Windows servers and Active Directory.  We're about
half and half here Windows to Unix/Linux servers, and I imagine most
institutions have a fair number of Windows servers.

I know, everyone is still putting their responses together to give a
really detailed view of what they're doing. ;-)
--
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis
(901) 678-3650

-----Original Message-----
From: Harry Flowers [mailto:flowers () MEMPHIS EDU] 
Sent: Wednesday, October 18, 2006 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Domain Administrator Security

How are folks handling security of Domain Admin (DA) 
accounts?  We have some servers that have shared 
administrative access (both locally and contracted vendors), 
so we don't have total control over what may compromise a 
system.  Even where we do, it's always possible that no 
matter how careful we are, a system can be compromised by an 
exploit for which no patches are available.  Once a system is 
compromised, it's a short step to getting DA credentials if 
they are used on that system.
You can assume that patching, antivirus software, and system 
file monitoring are already taking place; I'm looking for 
things in addition to the basics.

If you're using two-factor authentication for DA accounts:
1) Do you only protect some systems (like your servers and DA 
desktops), or do you deploy the clients on all desktops?
2) What type of two-factor authentication are you using 
(pseudo-random number generator tokens, fingerprint scanners, etc.)?
3) Are you using two-factor authentication for 
non-administrator accounts as well?

If you've abandoned DA accounts in favor of local admin 
accounts that can't spread from a compromised system, I'd 
like to hear how you secure your passwords (use a password 
safe like KeePass, in how many locations is a copy kept, etc.).

If you are using some type of automated event log 
consolidation and scanning, I'd like to hear what product you 
chose, and briefly why you chose it.  (We're in the process 
of purchasing one.)

I'd also be interested in any other ways people are reducing 
their exposure to the possibility of compromised DA accounts.
Please reply directly to me, and I'll summarize for the list
if there's interest.
--
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis
(901) 678-3650
