Generally you shouldn't need a "schema admin" account. During your normal running state, there should be no reason to have anyone in that group. You definitely don't want to have some generic ID with that access, as I don't believe in managing the directory like that from generic "function based" accounts. There are two times you need the Schema Admins access: updating the schema, which should be a very controlled event, and moving the schema FSMO role. Since that role isn't really needed EXCEPT during schema updates, you don't really need to move it around all that much, except maybe when doing a schema update.

On the enterprise admin account, again ditto. There should be one ID that is probably in Ent Admins by default (it doesn't even need to be in that group, but it may save a little extra work if you have to use it for recovery): that is the built-in root domain Admin ID. That ID should not be used; its password should be set to some obscenely long password, at least greater than 14 characters, and put in an envelope, and anyone who has it memorized should be shot. There should be no requirement to use that ID. Then you have your actual Enterprise Admins, and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and a supervisor for a 250,000 user deployment). Using smart cards for those admins isn't a bad idea. Those admins were also the only domain admins or people with permissions to write to DCs, due to the logical security implications surrounding DCs.
joe
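The practice joe describes above (an empty Schema Admins group outside schema-change windows, a sealed built-in root-domain Administrator, a small named Enterprise Admins roster with smart cards) can be checked on a schedule. The following PowerShell audit is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, read access to the forest root domain, the standard well-known RIDs (500, 518, 519), and a roster of expected Enterprise Admins ($expectedEnterpriseAdmins, constructed sample names) that is maintained outside the script.

```powershell
# Added example: audit the forest root domain against the account-hygiene
# practice discussed in the thread. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$dc         = $rootDomain.PDCEmulator
$domainSid  = $rootDomain.DomainSID.Value

# Well-known RIDs in the forest root domain (assumption: standard AD layout).
$builtinAdminSid = "$domainSid-500"
$schemaAdminsSid = "$domainSid-518"
$entAdminsSid    = "$domainSid-519"

# Assumptions maintained outside this script: who is allowed in Enterprise
# Admins (constructed sample names) and how large the group may be.
$expectedEnterpriseAdmins = @('ea.alice', 'ea.bob')
$maxEnterpriseAdmins      = 5
$breakGlassIdleDays       = 30

$findings = @()

# 1. Schema Admins should be empty except during a controlled schema update.
$schemaMembers = @(Get-ADGroupMember -Identity $schemaAdminsSid -Server $dc -Recursive)
if ($schemaMembers.Count -gt 0) {
    $names = ($schemaMembers | ForEach-Object { $_.SamAccountName }) -join ', '
    $findings += "Schema Admins is not empty (no schema update window declared): $names"
}

# 2. Enterprise Admins: small, named, and every human member smart-card enforced.
#    The built-in Administrator is tolerated as the recovery (break-glass) account.
$eaMembers = @(Get-ADGroupMember -Identity $entAdminsSid -Server $dc -Recursive)
$humanMembers = @()
foreach ($m in $eaMembers) {
    if ($m.SID.Value -eq $builtinAdminSid) { continue }
    $humanMembers += $m
    if ($expectedEnterpriseAdmins -notcontains $m.SamAccountName) {
        $findings += "Unexpected Enterprise Admins member: $($m.SamAccountName) ($($m.objectClass))"
    }
    if ($m.objectClass -eq 'user') {
        $u = Get-ADUser -Identity $m.distinguishedName -Server $dc -Properties SmartcardLogonRequired
        if (-not $u.SmartcardLogonRequired) {
            $findings += "Enterprise Admin without smart card enforcement: $($u.SamAccountName)"
        }
    }
}
if ($humanMembers.Count -gt $maxEnterpriseAdmins) {
    $findings += "Enterprise Admins has $($humanMembers.Count) members; limit is $maxEnterpriseAdmins"
}

# 3. Built-in Administrator should be sealed: no recent interactive use.
$admin = Get-ADUser -Identity $builtinAdminSid -Server $dc -Properties LastLogonDate
if ($admin.LastLogonDate -and $admin.LastLogonDate -gt (Get-Date).AddDays(-$breakGlassIdleDays)) {
    $findings += "Built-in Administrator (RID 500) logged on $($admin.LastLogonDate); it should only be used for recovery"
}

# Report: warnings for each deviation, exit code for schedulers.
if ($findings.Count -eq 0) {
    Write-Output "Privileged group audit passed for $($rootDomain.DNSRoot)"
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it against the PDC emulator of the forest root domain from a scheduled task or monitoring job; a non-zero exit code means a deviation to investigate. The LastLogonDate check is a coarse signal (it is replicated with low precision), so treat it as a prompt to review the domain controllers' logon events rather than as proof of misuse.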
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: [email protected]
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....
Hi folks,

I was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had "carte blanche" to secure sensitive accounts in an enterprise directory?

First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employees knew the PINs.... Any other thoughts?

Thanks!
Francis Ouellet
