Educause Security Discussion mailing list archives
Re: Domain Access Rights
From: Brad Judy <brad.judy () CU EDU>
Date: Tue, 7 Mar 2017 21:34:37 +0000
By “domain access rights”, do you mean their role/group in Active Directory?

As a general philosophy, I minimize my team’s access to anything. If we need elevated access for one-time audits, we can work with a normal admin to get the data we need. If we need it on-going (say for authenticated vulnerability scans) that access is on a service account instead of our user accounts. We still have some instances of user-specific privileged access, but it’s the exception, not the rule.

If I expect others to hold to a “least privilege” approach, then I need to hold my team to that as well.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Barton, Robert W." <bartonrt () LEWISU EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 7, 2017 at 2:19 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Domain Access Rights

Afternoon,

We are discussing what domain access rights the security team should have to get their work done. What rights do some of you with small teams have? Different by level (CISO vs tech)? Do you have a portion of the team with very little access, so they can do pen testing (small teams may not have option…)?

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663