We
customarily use terminal server to connect tothe server we want to modify,
then logon with administrator credentials. If you connect to a DC, then you have
AD tools available as well. Since email, IIS, etc. are not installed on servers,
the opportunity for compromising the system is minimized.
- Jeff M.
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 07:00To:
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Sarbannes
Oxley compliance
Why can't you start explorer using runas? Shortcut to
the desktop for explorer.exe. Shift+Right-click, runas,
etc...
What about term services? You can always go that
route as well if it's sensitive data.
We have the separate accounts as a best practice vs. a
compliance issue. The best practice came first. With minor
exceptions, it works fine to date. YMMV due to particular cultural and
infrastructure changes, but that's going to be for any change as far as I'm
concerned.
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David
ASent: Thursday, June 24, 2004 9:53 AMTo:
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Sarbannes Oxley
compliance
We try
to maintain a least privilege model, and are in the process of tightening down
further. 'Best practices' that you often read about suggest each admin
have a'break glass' kind of administrativeaccount seperate from
their 'day-to-day user' account. We're moving in that direction. One
of the issues there seems to be that admins are used to managing files and
setting NTFS permissions via Explorer...as far as I know, you can't just start
up a new explorer with Runas. I suppose they could use CACLS from a
command prompt, but most want a GUI.
So
I'll add that to Mark's original question...how do y'all approach that if you
use seperate 'admin' accounts for your admins ?
Dave
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]On Behalf Of Creamer,
MarkSent: Wednesday, June 23, 2004 12:21 PMTo:
[EMAIL PROTECTED]Subject: [ActiveDir] Sarbannes Oxley
compliance
I'm
curious what, if any, changes to everyday administration the folks on this
list are making in preparation for Sarbannes Oxley compliance. Specifically,
is anyone making a conscious effort to remove daily admin rights from people
whose job it is to do domain administration, in favor of a "break the glass
when needed" type of philosophy? I'm just starting to look into this, but I'm
getting the feeling some companies are going overboard. Any observation from
the group is always welcome...
Mark
Creamer
___
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.