Educause Security Discussion mailing list archives
Re: Active Directory Domain Administrator Security
From: Steve Lovaas <steven.lovaas () COLOSTATE EDU>
Date: Fri, 20 Oct 2006 17:02:27 -0600
OK, I'll take the plunge :)

At the risk of being the only one to admit this, we don't do nearly as much in this realm as we'd like to do. We have a bunch of domains in a forest - one domain for each of the colleges, and some of the larger departments. Yeah, I know... that's a lot for an organization our size.

Most of our admin account protection has to do with written procedures and controls, rather than technical ones. Microsoft hasn't made it easier by applying a single password policy to an entire domain, either. But at least this way, if a DA account in one domain gets hacked, it has no special privileges in any of the other domains or in the forest.

Generally, our Windows admins are pretty good about the following rules:

- Longer/more complex passwords than the rest of the herd.
- Don't have the DA password be the same as any other one
- Don't log on locally with a DA account; log on as yourself or local admin and then do Run As...

We have a few projects pending to look at:

- Two-factor authentication for DAs (as part of a larger deployment)
- Limiting from where (what IP) a DA can interactively log in
- Automated log analysis for DA logins (eventual SIM product?)

...chirp...chirp... #ducks as the slings and arrows fly from the Unix guys

Steve Lovaas
Colorado State

Harry Flowers wrote:
Wow, I can hear the crickets chirp... The only responses I've received so far are from others expressing interest in what I find out. Have so few colleges and universities addressed this yet? I can't imagine that most have totally been able to avoid basing a good deal of infrastructure on Windows servers and Active Directory. We're about half and half here Windows to Unix/Linux servers, and I imagine most institutions have a fair number of Windows servers.

I know, everyone is still putting their responses together to give a really detailed view of what they're doing. ;-)

-----Original Message-----
From: Harry Flowers [mailto:flowers () MEMPHIS EDU]
Sent: Wednesday, October 18, 2006 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Domain Administrator Security

How are folks handling security of Domain Admin (DA) accounts?.....
--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================
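As an added example (not from the thread, and not Colorado State's tooling), here is the kind of automated check the last two pending items describe: parse exported Windows Security logon events, keep only console or RDP logons by Domain Admin accounts, and flag any whose source address is outside the subnets DAs are allowed to log in from. The DA account names, allowed subnets, event lines and the key=value export format are all constructed assumptions.

```python
import ipaddress

# Added example, not from the thread. Event 4624 = successful logon;
# LogonType 2 = Interactive, 10 = RemoteInteractive (console/RDP sessions).
INTERACTIVE_TYPES = {2, 10}

# Constructed: Domain Admins per domain (domain\user, lower-case) and the
# subnets from which DA interactive logons are permitted.
DA_ACCOUNTS = {r"engr\da-jsmith", r"lib\da-mlee"}
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed sample of exported 4624 events as key=value lines.
SAMPLE_LOG = """\
EventID=4624 Domain=ENGR User=da-jsmith LogonType=10 IpAddress=10.20.5.17
EventID=4624 Domain=ENGR User=da-jsmith LogonType=2 IpAddress=192.168.77.4
EventID=4624 Domain=ENGR User=jsmith LogonType=2 IpAddress=192.168.77.4
EventID=4624 Domain=LIB User=da-mlee LogonType=3 IpAddress=10.9.1.3
EventID=4624 Domain=LIB User=da-mlee LogonType=10 IpAddress=172.16.40.9
EventID=4624 Domain=LIB User=da-mlee LogonType=10 IpAddress=-"""


def parse_event(line):
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def flag_da_logons(log_text, da_accounts=DA_ACCOUNTS, allowed=ALLOWED_ADMIN_NETS):
    """Return (account, logon_type, ip) for each DA interactive logon whose
    source is outside the allowed subnets. Network logons (type 3) are
    ignored: the control is about where a DA may log in *interactively*.
    A missing source ('-') is reported, since it cannot be verified."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        account = f"{ev['Domain']}\\{ev['User']}".lower()
        logon_type = int(ev["LogonType"])
        if account not in da_accounts or logon_type not in INTERACTIVE_TYPES:
            continue
        src = ev.get("IpAddress", "-")
        try:
            trusted = any(ipaddress.ip_address(src) in net for net in allowed)
        except ValueError:  # '-' or other non-address: source unknown
            trusted = False
        if not trusted:
            alerts.append((account, logon_type, src))
    return alerts
```

Running `flag_da_logons(SAMPLE_LOG)` reports the two off-subnet RDP/console logons and the one with no recorded source, while the non-DA user and the type-3 network logon pass silently.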