Educause Security Discussion mailing list archives

Re: Active Directory Domain Administrator Security


From: Steve Lovaas <steven.lovaas () COLOSTATE EDU>
Date: Fri, 20 Oct 2006 17:02:27 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, I'll take the plunge :)

At the risk of being the only one to admit this, we don't do nearly as
much in this realm as we'd like to do.

We have a bunch of domains in a forest - one domain for each of the
colleges, and some of the larger departments. Yeah, I know... that's a lot
for an organization our size. Most of our admin account protection has
to do with written procedures and controls, rather than technical ones.
Microsoft hasn't made it easier by applying a single password policy to
an entire domain, either. But at least this way, if a DA account in one
domain gets hacked, it has no special privileges in any of the other
domains or in the forest.

Generally, our Windows admins are pretty good about the following rules:

- Longer/more complex passwords than the rest of the herd.
- Don't have the DA password be the same as any other one.
- Don't log on locally with a DA account; log on as yourself or local
  admin and then do Run As...

We have a few projects pending to look at:
- Two-factor authentication for DAs (as part of a larger deployment)
- Limiting from where (what IP) a DA can interactively log in
- Automated log analysis for DA logins (eventual SIM product?)

...chirp...chirp...

#ducks as the slings and arrows fly from the Unix guys

Steve Lovaas
Colorado State



Harry Flowers wrote:
Wow, I can hear the crickets chirp... The only responses I've received
so far are from others expressing interest in what I find out.  Have so
few colleges and universities addressed this yet?  I can't imagine that
most have totally been able to avoid basing a good deal of
infrastructure on Windows servers and Active Directory.  We're about
half and half here Windows to Unix/Linux servers, and I imagine most
institutions have a fair number of Windows servers.

I know, everyone is still putting their responses together to give a
really detailed view of what they're doing. ;-)

-----Original Message-----
From: Harry Flowers [mailto:flowers () MEMPHIS EDU]
Sent: Wednesday, October 18, 2006 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Domain Administrator Security

How are folks handling security of Domain Admin (DA)
accounts?.....
--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFOVWC2E9pSXAHWcsRApq/AKDEho2lF4IDPu4SMsRo/KZOQH57fQCcDRKP
FnfgWsDoTuHpHnw7v78qxjA=
=dtNN
-----END PGP SIGNATURE-----
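The two pending items in the message above, restricting where a DA may log on from and automated analysis of DA logins, can be sketched as a small detector. The following is an added example, not code from the thread or from Colorado State. The event records are a constructed, simplified key=value rendering of Windows Security logon events (event 4624/4625 numbers and the logon type codes are Microsoft's; the account names, hostnames, the 10.20.30.0/24 admin subnet, the jump-host name and the failure threshold are assumptions for the example). Real collection of the events into one place is assumed to happen upstream and is not shown.

```python
"""Detect risky Domain Admin logons from a stream of simplified logon records.

Added example; event lines below are constructed, not real logs.
"""
import ipaddress
from collections import Counter

# Logon type codes as documented by Microsoft for logon events
# (528/540 on Windows 2000/2003, 4624/4625 on Vista and later).
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Policy inputs (assumed values for the example).
DA_ACCOUNTS = {"CORP\\da-lovaas", "CORP\\da-backup"}
ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # only place a DA may log on from
JUMP_HOSTS = {"ADMIN-JUMP01"}  # the one box where a DA interactive logon is expected

# Constructed sample events (NOT real logs): one logon event per line.
SAMPLE_EVENTS = """\
time=2006-10-20T16:01:10 event=4624 user=CORP\\da-lovaas type=2 host=ADMIN-JUMP01 src=10.20.30.15
time=2006-10-20T16:04:52 event=4624 user=CORP\\jsmith type=2 host=LAB-PC-07 src=10.44.2.9
time=2006-10-20T16:07:33 event=4624 user=CORP\\da-lovaas type=3 host=DC01 src=10.20.30.15
time=2006-10-20T16:20:41 event=4624 user=CORP\\da-backup type=10 host=DC01 src=198.51.100.23
time=2006-10-20T16:22:05 event=4625 user=CORP\\da-backup type=10 host=DC01 src=198.51.100.23
time=2006-10-20T16:22:09 event=4625 user=CORP\\da-backup type=10 host=DC01 src=198.51.100.23
time=2006-10-20T16:22:14 event=4625 user=CORP\\da-backup type=10 host=DC01 src=198.51.100.23
time=2006-10-20T16:30:00 event=4624 user=CORP\\da-lovaas type=2 host=LAB-PC-07 src=10.44.2.9
"""


def parse_event(line):
    """Turn one key=value record into a dict; event id and logon type become ints."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["event"] = int(ev["event"])
    ev["type"] = int(ev["type"])
    return ev


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def in_admin_net(src):
    """True if the source address falls inside an allowed admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # missing or malformed address: treat as not allowed
        return False
    return any(addr in net for net in ADMIN_NETS)


def analyze(events, da_accounts=DA_ACCOUNTS, failure_threshold=3):
    """Return (severity, rule, event) findings for Domain Admin activity only."""
    findings = []
    failures = Counter()  # (user, src) -> failed logon count
    for ev in events:
        if ev["user"] not in da_accounts:
            continue  # non-DA accounts are out of scope for this detector
        success = ev["event"] == 4624
        # Rule 1: DA logged on interactively (console/RDP) somewhere other than a jump host.
        if success and ev["type"] in INTERACTIVE_TYPES and ev["host"] not in JUMP_HOSTS:
            findings.append(("high", "da-interactive-logon", ev))
        # Rule 2: any successful DA logon from outside the admin network.
        if success and not in_admin_net(ev["src"]):
            findings.append(("high", "da-logon-outside-admin-net", ev))
        # Rule 3: repeated DA logon failures from one source (password guessing).
        if ev["event"] == 4625:
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == failure_threshold:  # alert once, when the threshold is hit
                findings.append(("medium", "da-logon-failures", ev))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    for severity, rule, ev in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{severity:6} {rule:28} {ev['time']} {ev['user']} type={ev['type']} "
              f"host={ev['host']} src={ev['src']}")
```

On the sample, the jump-host console logon and the network logon from the admin subnet pass, the RDP session from 198.51.100.23 and the console logon on the lab PC each trip both rules 1 and 2, and the third failed RDP attempt raises the guessing alert. The same rules apply unchanged to the 2003-era event IDs if the collector maps them to the 4624/4625 values used here.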
