Coming from Linux to Windows - Locking down local and remote access to Administrator account

    Question

  • Folks:

    I am coming from a Linux environment, and recently started studying for the 70-410. Currently I am enjoying learning about Windows and the ecosystem. However, I have a few questions, as I am a little confused about how Windows handles these things.

    What I am familiar with:

    Disable root login via console and remote SSH. Individuals have to log in as a normal user and elevate their rights to root with sudo. This provides a log entry for the user login and for the elevated rights, for accountability.

    Question:

    I noticed I can disable the general Administrator account; however, what will this break? What solution or methods should I take to force users to use their own accounts? Is there a method to limit their administrator privileges to specific tasks? I have thought about creating two accounts for my admins, one account with admin privileges and the other as a normal user account; however, being new to Windows, I am not sure if that is the best route.

    I am looking for direction and suggestions as to how to deal with the above issues.

    Thank you

    JJ

    Friday, October 04, 2013 3:11 AM

Answers

  • Welcome in Windows World :-)

    Try to abstract from Linux here when studying 70-410. The highest admin is the built-in Administrator. If you need administrator rights, create one with the least privileges that you need for your task.

    Normal users access the server remotely. There is no need for a normal user to log on locally on the server.

    Regards

    Milos

    Saturday, October 05, 2013 8:43 PM
  • Welcome :-)

    Having two accounts is a policy that each company adapts. It came when trojans & viruses started to spread a lot more easily. As in Linux, if you work with your admin credentials and you get a trojan, the impact can be much bigger.

    In my own opinion, I prefer to keep only myself and some users logging into the server with an admin account, and to all other helpdesk IT I delegate admin rights into their own accounts (so their accounts are not admin, but can do admin tasks). After that you can install RSOP and the remote admin kit on their computers.

    From there they get access to the consoles you choose (DHCP, DNS, etc.).

    If you delegate rights in your AD directly, they will be able to open the console, but only be able to do what they are supposed to do.

    An error I often see is an admin that gives "Domain Admin" to a helpdesk colleague, for example. When the user is such an admin he can log in to any server and change anything.

    For computers I usually change the password and distribute it to my helpdesk team, so they can use "run as" easily when they are logged into a remote computer under a normal account. (You could give the helpdesk group local admin rights to all computers too, but that's another way to do it.)

    Some references: How to View or Delete Active Directory Delegated Permissions

    Best Practices for Delegating Active Directory Administration, Delegate Control of an Organizational Unit

    Thanks 


    MCP | MCTS - Exchange 2007, Configuring | Member of the TechNet Wiki Community Council | Member of the TechNet Wiki International Council | French Moderator on TechNet Wiki (Translation Widget)| Citrix Certified Administrator : XenApp | Citrix Certified Administrator : XenDesktop

    Sunday, October 06, 2013 2:59 AM
    Moderator
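A small PowerShell audit of the two points raised in this answer, added here as an example (it is not code from the thread or from Microsoft): it reports whether the domain's built-in Administrator account (always RID 500, whatever it has been renamed to) is still enabled, and lists the Domain Admins membership while flagging anyone who is also in the helpdesk delegation group. It assumes the ActiveDirectory RSAT module is installed and that the helpdesk group is named "Helpdesk"; both are assumptions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# an assumed helpdesk group name; adjust $HelpdeskGroup to your environment.
Import-Module ActiveDirectory

$HelpdeskGroup = 'Helpdesk'   # assumed name of the group that gets delegated rights

# 1. Built-in Administrator: RID 500 of the domain SID, regardless of its current name.
$domainSid = (Get-ADDomain).DomainSID.Value
$builtin   = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate
[PSCustomObject]@{
    Check     = 'Built-in Administrator (RID 500)'
    Account   = $builtin.SamAccountName
    Enabled   = $builtin.Enabled
    LastLogon = $builtin.LastLogonDate
} | Format-List

# 2. Who holds Domain Admins, and are any of them helpdesk staff (the error the answer describes)?
$helpdesk = Get-ADGroupMember -Identity $HelpdeskGroup -Recursive |
            Select-Object -ExpandProperty SamAccountName

Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        [PSCustomObject]@{
            Member       = $_.SamAccountName
            AlsoHelpdesk = ($helpdesk -contains $_.SamAccountName)
        }
    } | Format-Table -AutoSize
```

Any row with AlsoHelpdesk set to True is a candidate for moving from Domain Admins to OU-level delegation as the answer recommends.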
