Re: Active Directory Domain Administrator Security

[Greg Francis <francis () GONZAGA EDU>]

Our use of the the DA accounts are extremely limited. There are  
currently only three DAs at our main campus domain and they use their  
DA account primarily only to login to DCs. We have created groups that  
our technicians use on local workstations and servers that have  
delegated privileges sufficient to perform localized tasks but having  
no significant domain rights other than to create and delete  
workstations from selected OUs. User account management is handled  
similarly.

Every once in awhile, we have had a situation where we have had to  
login to a workstation with a DA account. Those instances are very  
rare though.

We are not using two-factor authentication at this point.

Greg

--
Greg Francis                                  Gonzaga University
Sr. System Administrator, Central Computing   Spokane Washington
francis () gonzaga edu                           509-323-6896


Quoting Harry Flowers <flowers () memphis edu>:

> Wow, I can hear the crickets chirp... The only responses I've received
> so far are from others expressing interest in what I find out.  Have so
> few colleges and universities addressed this yet?  I can't imagine that
> most have totally been able to avoid basing a good deal of
> infrastructure on Windows servers and Active Directory.  We're about
> half and half here Windows to Unix/Linux servers, and I imagine most
> institutions have a fair number of Windows servers.
>
> I know, everyone is still putting their responses together to give a
> really detailed view of what they're doing. ;-)
> --
> Harry Flowers
> Manager, Systems Software
> Information Technology Division
> The University of Memphis
> (901) 678-3650
>
> > -----Original Message-----
> > From: Harry Flowers [mailto:flowers () MEMPHIS EDU]
> > Sent: Wednesday, October 18, 2006 2:12 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Active Directory Domain Administrator Security
> >
> > How are folks handling security of Domain Admin (DA)
> > accounts?  We have some servers that have shared
> > administrative access (both locally and contracted vendors),
> > so we don't have total control over what may compromise a
> > system.  Even where we do, it's always possible that no
> > matter how careful we are, a system can be compromised by an
> > exploit for which no patches are available.  Once a system is
> > compromised, it's a short step to getting DA credentials if
> > they are used on that system.
> > You can assume that patching, antivirus software, and system
> > file monitoring are already taking place; I'm looking for
> > things in addition to the basics.
> >
> > If you're using two-factor authentication for DA accounts:
> > 1) Do you only protect some systems (like your servers and DA
> > desktops), or do you deploy the clients on all desktops?
> > 2) What type of two-factor authentication are you using
> > (pseudo-random number generator tokens, fingerprint scanners, etc.)?
> > 3) Are you using two-factor authentication for
> > non-administrator accounts as well?
> >
> > If you've abandoned DA accounts in favor of local admin
> > accounts that can't spread from a compromised system, I'd
> > like to hear how you secure your passwords (use a password
> > safe like KeePass, in how many locations is a copy kept, etc.).
> >
> > If you are using some type of automated event log
> > consolidation and scanning, I'd like to hear what product you
> > chose, and briefly why you chose it.  (We're in the process
> > of purchasing one.)
> >
> > I'd also be interested in any other ways people are reducing
> > their exposure to the possibility of compromised DA accounts.
> >  Please reply directly to me, and I'll summarize for the list
> > if there's interest.
> > --
> > Harry Flowers
> > Manager, Systems Software
> > Information Technology Division
> > The University of Memphis
> > (901) 678-3650