Educause Security Discussion mailing list archives

Re: Domain Access Rights


From: Brad Judy <brad.judy () CU EDU>
Date: Tue, 7 Mar 2017 21:34:37 +0000

By “domain access rights”, do you mean their role/group in Active Directory?

As a general philosophy, I minimize my team’s access to anything.  If we need elevated access for one-time audits, we 
can work with a normal admin to get the data we need.  If we need it on-going (say for authenticated vulnerability 
scans) that access is on a service account instead of our user accounts.  We still have some instances of user-specific 
privileged access, but it’s the exception, not the rule.

If I expect others to hold to a “least privilege” approach, then I need to hold my team to that as well.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Barton, Robert W." <bartonrt () LEWISU EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 7, 2017 at 2:19 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Domain Access Rights

Afternoon,

We are discussing what domain access rights the security team should have to get their work done.  What rights do some 
of you with small teams have?  Different by level (CISO vs tech)?  Do you have a portion of the team with very little 
access, so they can do pen testing (small teams may not have the option…)?

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663



