RE: [ActiveDir] Sarbannes Oxley compliance

[Menten, Jeff]

We customarily use terminal server to connect to the server we want to modify, then logon with administrator credentials. If you connect to a DC, then you have AD tools available as well. Since email, IIS, etc. are not installed on servers, the opportunity for compromising the system is minimized.       - Jeff M. From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Friday, June 25, 2004 07:00 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Sarbannes Oxley compliance Why can't you start explorer using runas?  Shortcut to the desktop for explorer.exe.  Shift+Right-click, runas, etc... What about term services?  You can always go that route as well if it's sensitive data.   We have the separate accounts as a best practice vs. a compliance issue.  The best practice came first.  With minor exceptions, it works fine to date.  YMMV due to particular cultural and infrastructure changes, but that's going to be for any change as far as I'm concerned.   Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Thursday, June 24, 2004 9:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Sarbannes Oxley compliance We try to maintain a least privilege model, and are in the process of tightening down further.  'Best practices' that you often read about suggest each admin have a 'break glass' kind of administrative account seperate from their 'day-to-day user' account.  We're moving in that direction.  One of the issues there seems to be that admins are used to managing files and setting NTFS permissions via Explorer...as far as I know, you can't just start up a new explorer with Runas.  I suppose they could use CACLS from a command prompt, but most want a GUI.   So I'll add that to Mark's original question...how do y'all approach that if you use seperate 'admin' accounts for your admins ? Dave -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Creamer, Mark Sent: Wednesday, June 23, 2004 12:21 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Sarbannes Oxley compliance I'm curious what, if any, changes to everyday administration the folks on this list are making in preparation for Sarbannes Oxley compliance. Specifically, is anyone making a conscious effort to remove daily admin rights from people whose job it is to do domain administration, in favor of a "break the glass when needed" type of philosophy? I'm just starting to look into this, but I'm getting the feeling some companies are going overboard. Any observation from the group is always welcome...   Mark Creamer ___________________________________________________________________________ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.