Securing Domain, Users/ Groups, etc.

  • Question

  • I am new to administering a Windows server domain and Active Directory and have a couple of questions. I am a one-man show at a company with only 50 users, 1 domain, and 1 domain controller (well, there is a backup). Am I correct in saying that I don't need to bother with the "Builtin" section of AD? All of the groups that concern me are in the "Users" section?

    On my network everyone has limited local user rights. When I want to do something that requires administrator privileges on a PC I will log in as the domain admin. Is this OK? If not, what admin account should I use?

    I read that I should disable or rename the Guest and Administrator accounts (located in the Users section of AD). Can the Administrator account just be renamed without repercussion, or should I create another Administrator account?

    I log into the servers using the domain admin account. I hear I'm not supposed to do that. But if I create another account with administrator rights, won't I have to make it a member of the Domain Admins group anyway?

    Should I be accessing the servers using an account that's part of the Domain Admins group, or is there another type of admin account I should be using?

    I read that any services that run under the existing domain admin account should be reconfigured to run under a service account. How do I create a service user account, and won't I have to create that account as part of the Domain Admins group? So why do it?

    I believe the Domain Admin's password has been used long enough that it may be more public than I was aware. All of these questions stem from researching how to change the Domain Admin password. I would like to make sure I am making us more secure but obviously have some learning to do.

    Thanks for all the help,
    MJ


    Wednesday, September 2, 2009 5:07 PM

Answers

  • Generally, it is insecure to log on to workstations with powerful domain accounts, because the workstations are not physically secure (there can be viruses, keyloggers, hardware keyloggers, etc.). When you type the domain admin password on a workstation you never know who really has access to the workstation and could see/log your password.

    For the purposes of logging on to workstations to do local administrator tasks, you should be using the local administrator password. Or, you can also dedicate a limited domain user account to be a member of the LOCAL Administrators group on the workstations.

    Then, if somebody steals the password, he will have access only to a limited set of workstations where the user is a member of the local admins.

    If you want to do this assignment centrally (add a user/group as a member of local admins on workstations), you can use the Group Policy Restricted Groups feature, or, if you have all the workstations running at least XP, you could make use of Group Policy Preferences in a more granular way.

    In regard to the servers, the servers are usually physically secure: you have control over who can access them physically and could install keyloggers etc., so for servers you could log on as domain admin. Though as a best practice, you still should create a dedicated server admin account that you would use for that purpose.

    There are no built-in groups that would provide you with this simple assignment. In both cases, you either need to assign local admins manually on each workstation/server or do it by using the Restricted Groups policy or the Group Policy Preferences.

    ondrej.
    • Marked as answer by Joson Zhou Thursday, September 10, 2009 9:49 AM
    Friday, September 4, 2009 8:33 AM
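    The split ondrej describes (a limited domain group that is local admin on workstations only, plus a separate dedicated server-admin account, neither of them in Domain Admins), as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory module, existing "Admin Accounts" and "Workstations" OUs, and the group/account names shown, all of which are placeholders to adjust for your domain.

```powershell
# Added example (not from the thread): carve out least-privilege admin roles
# instead of using the Domain Admin account everywhere. OU, group and account
# names are assumptions.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminOU       = "OU=Admin Accounts,$($domain.DistinguishedName)"  # assumed, must exist
$workstationOU = "OU=Workstations,$($domain.DistinguishedName)"    # assumed, must exist
$wsAdminGroup  = "Workstation Admins"   # local admin on workstations only
$srvAdminGroup = "Server Admins"        # dedicated server-admin role, not Domain Admins

# Plain global security groups; membership in them grants nothing by itself.
foreach ($g in $wsAdminGroup, $srvAdminGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $adminOU
    }
}

# Dedicated admin accounts, separate from day-to-day user accounts.
# Passwords are prompted for, never written into the script.
foreach ($pair in @(@("mj-wsadmin", $wsAdminGroup), @("mj-srvadmin", $srvAdminGroup))) {
    $name, $group = $pair
    $pwd = Read-Host -AsSecureString "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $adminOU `
        -AccountPassword $pwd -Enabled $true
    Add-ADGroupMember -Identity $group -Members $name
}

# Local-admin rights come from each machine's local Administrators group, not
# from Domain Admins. Done here per workstation; Restricted Groups or Group
# Policy Preferences do the same thing centrally.
$workstations = Get-ADComputer -Filter * -SearchBase $workstationOU |
                Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $workstations -ScriptBlock {
    param($grp)
    Add-LocalGroupMember -Group "Administrators" -Member $grp -ErrorAction SilentlyContinue
} -ArgumentList "$($domain.NetBIOSName)\$wsAdminGroup"

# Sanity check: neither new account may have ended up in Domain Admins.
$da = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
      Select-Object -ExpandProperty SamAccountName
foreach ($acct in "mj-wsadmin", "mj-srvadmin") {
    if ($da -contains $acct) { Write-Warning "$acct is in Domain Admins; remove it" }
    else { Write-Host "$acct OK: admin rights without Domain Admins membership" }
}
```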
  • Hi,

    You may refer to the following article for more information:

    Active Directory Best practices

    http://technet.microsoft.com/en-us/library/cc778219(WS.10).aspx

    Hope it helps.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Joson Zhou Thursday, September 10, 2009 9:49 AM
    Tuesday, September 8, 2009 10:18 AM
