Re: Windows Domain Controllers: Risks involved

["Tupker, Mike" <mtupker () MTMERCY EDU>]

We have had a single domain for as long as we have used active directory.

- Domain admins can access the files of any computer in the domain. How do you ensure the confidentiality and privacy 
of users and data?
There are only a select few people that have domain admin rights here (3 to be exact). A lot of organizations actually 
setup a separate account from an admins normal account that has been given domain admin rights. For example: 
username-admin. The idea is that they only login with the domain admin account to domain controllers and other 
computers that may need domain admin rights.

- In you implementations, do you include the computers of the top management?
If you want to centrally manage them then yes. Also you may run into some issues with applications if you want to use 
single sign on using the credentials of the current user.

- Do you give faculty and staff, high level access to install applications, or installation requests have be channeled 
to the domain admins?
All our users are setup as power users. It was kind of a tradeoff from giving them all local admin rights. With power 
user rights they can install some basic applications. Also it is possible to publish allowed applications through GPO. 
Once that's setup it's just a matter of the user going to add remove programs and installing the published application. 
If it's something that can't be setup through application publishing then we have a special group on all the desktops 
called desktop admins that grants the technicians admin rights with their login. (they don't need to be domain admins 
in other words)

- Is there any tips, recommendations, or lessons learned on implementing a campus wide domain controller?
Setup at least two of them. It will allow users to authentication while you rebuild the failed DC. Trust me this is 
VERY handy.

Mike Tupker
Systems Administrator
Mount Mercy College
Office: (319) 363-1323 x1401
Mobile: (319) 538-1644
If you need assistance with an computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu.
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marmina 
Abdel Malek
Sent: Friday, March 13, 2009 5:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Domain Controllers: Risks involved

Dear All,
        I'm assessing the idea of implementing a campus wide domain controller to include faculty and staff computers, 
as well as student labs computers.

I understand all the advantages of centralized management of all the campus computers, but I have some concerns that I 
would like to know how did you react to them:

- Domain admins can access the files of any computer in the domain. How do you ensure the confidentiality and privacy 
of users and data?

- In you implementations, do you include the computers of the top management?

- Do you give faculty and staff, high level access to install applications, or installation requests have be channeled 
to the domain admins?

- Is there any tips, recommendations, or lessons learned on implementing a campus wide domain controller?

Best Regards,
Marmina Abdel-Malek
IT Security Officer
The American University in Cairo
Tel : +202-2615-3561
Fax: +202-2795-6746
Email: marmina () aucegypt edu<mailto:marmina () aucegypt edu>
web: www.aucegypt.edu<http://www.aucegypt.edu>