  1. #1


    Managing and securing the Domain Administrator?

    Hi People,

    I'd like to know what your suggestion is, or the practice in your organization, about the usage of the DOMAIN\Administrator account?

    At the moment my Windows servers in the domain can all be accessed by this domain administrator and do everything, however this is not the best practice according to the Security Auditor and my Risk manager.

    Please share your experience and thoughts here.

    Thanks.

  2. #2


    edit: Dammit - you mean THE "Administrator" domain admin account, don't you?

    Yeah, they're right - you shouldn't be using it except in situations (certain domain actions) that depend on it. We disable the account and set a complex password.

    Every Admin should have their own appropriately named Domain Admin account - i.e. "Bob-NCA"*

    -------- Original response ---------

    That's kind of the idea behind the Domain Admin accounts. If your security auditor / risk manager doesn't understand that, they need beating / replacing. There's no point attempting to limit/cripple Domain Admin accounts because a) they can undo it trivially, b) you will break poorly written / documented software and c) you will be considered "unsupported" by Microsoft. See an AD Team blog that rants about this here:

    Forcing Domain Admins to use AGPM (but not really) - Ask the Directory Services Team - Site Home - TechNet Blogs

    What you can do is employ good admins, don't treat them like slaves and ensure Domain Admin accounts are used appropriately and audit that use. Trust, but verify.

    i.e. it's simple to create differentiated accounts. If all I need to do is update $driver on a local machine / server I don't need domain admin access to do it - local admin access will be fine. Adding a domain group (say "Workstation Admins") to local Administrators on workstations and making your trainee tech a member of Workstation Admins allows him to do his work, but not inadvertently mess up a server. Making a "Server Admins" group a member of the local Administrators group on certain servers accomplishes the same thing.

    Smaller shops tend not to have differentiated permission groups at the admin level, bigger shops do.

    Shipping event logs (via Windows Event Forwarding, Splunk, Snare, OSSEC) also ensures that deleting logs on the workstation / server won't cover tracks. Using a host-based IDS (I use OSSEC - it's cross-platform) also details modified files according to rules you set up.

    You simply need to show that a) that's the purpose of domain admin accounts b) domain admin access is limited to trusted and qualified people c) how you audit and log that access d) how you ensure it's not used by lazy admins rather than setting up proper permissions.

    *Firstname-Nil Coitus Alto
    Last edited by pete; 1st July 2011 at 10:06 AM.
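    The tiering pete describes (a "Workstation Admins" group in local Administrators on workstations, a "Server Admins" group on servers, and auditing who really holds local admin rights) as an added PowerShell example. This is not code from the thread or from any of its posters; it assumes the ActiveDirectory module (RSAT / Server 2008 R2 or later) on the admin workstation, and the group names and host names are placeholders for your own. It uses the WinNT ADSI provider for the local group work because that also reaches Server 2003 and older desktops without WinRM.

```powershell
# Added example: tier local admin rights and audit local Administrators membership.
# Assumptions: ActiveDirectory module available, run as a Domain Admin,
# group names and host names below are constructed placeholders.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).NetBIOSName
$Tiers = @{
    'Workstation Admins' = @('WS-01', 'WS-02')        # constructed sample workstations
    'Server Admins'      = @('FILE-01', 'PRINT-01')   # constructed sample member servers
}

# 1. Create the tier groups in the domain if they do not exist yet (idempotent).
foreach ($GroupName in $Tiers.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description "Local Administrators rights on the $GroupName tier only"
    }
}

# 2. Put a domain group into the local Administrators group of one host.
#    Adding an existing member throws, so treat that as "already done".
function Add-LocalAdminGroup {
    param([string]$Computer, [string]$DomainGroup)
    $LocalAdmins = [ADSI]"WinNT://$Computer/Administrators,group"
    try {
        $LocalAdmins.Add("WinNT://$Domain/$DomainGroup,group")
    } catch {
        Write-Verbose "$DomainGroup already present on $Computer (or add failed): $_"
    }
}

# 3. List who actually sits in local Administrators on a host, as DOMAIN/Name
#    or HOST/Name, so stray personal accounts can be spotted during an audit.
function Get-LocalAdminMembers {
    param([string]$Computer)
    $LocalAdmins = [ADSI]"WinNT://$Computer/Administrators,group"
    @($LocalAdmins.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

# 4. Apply the tiering and report anything outside the expected set.
#    Domain Admins is there by default on every domain member; the point is that
#    day-to-day work should come through the tier group, not through Domain Admins.
foreach ($GroupName in $Tiers.Keys) {
    foreach ($Computer in $Tiers[$GroupName]) {
        Add-LocalAdminGroup -Computer $Computer -DomainGroup $GroupName
        $Allowed = @("$Domain/$GroupName", "$Domain/Domain Admins", "$Computer/Administrator")
        $Members = Get-LocalAdminMembers -Computer $Computer
        $Unexpected = $Members | Where-Object { $Allowed -notcontains $_ }
        "$Computer : $($Members -join ', ')"
        if ($Unexpected) {
            Write-Warning "$Computer has unexpected local admins: $($Unexpected -join ', ')"
        }
    }
}
```

    Run it from a Domain Admin session once to set the groups up, then re-run only the audit part (step 4 without the Add call) on a schedule; the warnings are the "show how you audit that access" evidence pete says the auditor is really after.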

  4. #3
    sdc
    As a very simple start, renaming the account to something other than 'Administrator' isn't a bad idea. We also don't use accounts with domain admin rights unless we specifically need to.

  6. #4

    Quote Originally Posted by pete View Post (pete's post #2 above, quoted in full)
    Yes, that's what I'm talking about, the Enterprise Administrator account.

    I agree, what I should do is securely keep and manage the usage of that account. We have renamed it to something else, but of course the SID stays the same, ending in -500, which means that this is still the super admin account if the attacker knows it.

    Log shipping into a dedicated syslog server? How can we do that on the desktop and Windows Server 2003/2008?
    For Linux and Cisco devices, yes, we've been using that and I know how to set it up.

  7. #5
    Admiral208
    You shouldn't be using the domain Administrator account. Create a new account with a different name and give it the rights to perform administrator actions, then disable the Administrator account. If you need to do anything with this account, you can use Run As...
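    The procedure Admiral208 and pete describe (named replacement account, built-in account disabled with a complex password) as an added PowerShell example, written so it also covers albertwt's point that renaming does not change the SID: the built-in account is located by its well-known RID 500, whatever it is currently called. This is not code from the thread or from any poster; it assumes the ActiveDirectory module, a Domain Admin session, and 'bob-nca' and 'CORP' as placeholder account and domain names.

```powershell
# Added example: replace the built-in domain Administrator with a named
# Domain Admin account and disable the built-in one.
# Assumptions: ActiveDirectory module, run as a Domain Admin; 'bob-nca' is a placeholder.
Import-Module ActiveDirectory

# Find the built-in account by SID (domain SID + RID 500), not by name:
# renaming it, as sdc suggests, leaves the SID untouched.
$BuiltInSid = "$((Get-ADDomain).DomainSID.Value)-500"
$BuiltIn    = Get-ADUser -Identity $BuiltInSid -Properties LastLogonDate

# Anything still depending on this account (scheduled tasks, services, scripts)
# has to be migrated first; the last-logon date is the first thing to check.
"Built-in admin is currently '$($BuiltIn.SamAccountName)', enabled=$($BuiltIn.Enabled), last logon: $($BuiltIn.LastLogonDate)"

# 1. Create the named replacement and grant it Domain Admin rights.
$NewAdmin = 'bob-nca'
$NewPass  = Read-Host -Prompt "Password for $NewAdmin" -AsSecureString
New-ADUser -Name $NewAdmin -SamAccountName $NewAdmin -AccountPassword $NewPass -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members $NewAdmin

# 2. Refuse to go further unless the replacement really is a Domain Admin,
#    so you never end up with no usable admin account.
$IsDA = Get-ADGroupMember -Identity 'Domain Admins' |
        Where-Object { $_.SamAccountName -eq $NewAdmin }
if (-not $IsDA) {
    throw "$NewAdmin is not in Domain Admins; not touching the built-in account"
}

# 3. Give the built-in account a long complex password (record it in your
#    offline safe / password vault, it is the break-glass credential), then disable it.
$BreakGlass = Read-Host -Prompt "New break-glass password for $($BuiltIn.SamAccountName)" -AsSecureString
Set-ADAccountPassword -Identity $BuiltIn -Reset -NewPassword $BreakGlass
Disable-ADAccount -Identity $BuiltIn

# 4. Audit: the RID 500 account must now be disabled, and Domain Admins should
#    contain only named per-person accounts.
"RID 500 account enabled: $((Get-ADUser -Identity $BuiltInSid).Enabled)"   # expect False
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass
```

    For the Run As part, day-to-day work stays in a normal user session and only the admin tool is elevated, e.g. `runas /user:CORP\bob-nca "mmc dsa.msc"` (CORP being your own domain's NetBIOS name). Re-running step 4 periodically gives the auditor the evidence that the built-in account stays disabled and that Domain Admins membership has not quietly grown.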
