Some of that is semantics. If you have only one Enterprise
admin account, and only one person who knows the credentials for that account,
then there are some large organizational risks if something happens to that one
person.
If you have only one Enterprise admin account, but you have
2 or 3 or 5 people who know the credentials on that account, then you have
multiple Enterprise admins. Worse, everything that happens is within the
security context of that one account, so you really can't have an audit trail
since any one of the 2/3/5 people could have been the one logged
in.
You also have to consider that the forest is the security
boundary, and that any of your domain admins can potentially elevate their
permissions to own the forest. Not that it's easy, but it's not impossible
either.
Hunter
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:15 PM
To: [email protected]
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....
"Then you have your actual
Enterprise Admins and that should be a small group, maybe 2-5 people depending
on your size (I worked on a team of 3 people and supervisor for a 250,000 user
deployment)."
So I'm assuming that
you have more than 1 Enterprise admin in your root domain? Isn't that against
all the white papers out there stating that you shouldn't have more than one
ent. admin. in your forest and all other admins should be domain
admins in their own respective domain? Or did you use enterprise admin as a
generic term?
Thanks,
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: [email protected]
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....
Hi folks,
I was thinking the
other day of the best way to secure schema and enterprise admin accounts. What
would you do if you had "carte blanche" to secure sensitive accounts in an
enterprise directory?
First things that
came to mind were using mandatory smart cards for SA and EA accounts kept in a
safe where only designated employees knew the PINs.... Any other
thoughts?
Thanks!
Francis Ouellet
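Hunter's point that one shared account leaves no per-person audit trail, and Francis's proposal of mandatory smart cards for SA and EA accounts, both come down to the same question: which accounts actually hold forest-level rights right now, and is each of them locked to a smart card? The PowerShell script below is an added example written for this page, not code from anyone in the thread. It lists the members of Enterprise Admins and Schema Admins in the forest root domain and flags accounts that do not require a smart card, disabled accounts still left in the group, and non-user members. It assumes the ActiveDirectory module from RSAT, a domain-joined session with read access to the root domain, that every member is an account in the root domain (cross-domain members would need a lookup against their own domain), and a 90-day password-age threshold chosen only for illustration.

```powershell
# Added example, not part of the original thread.
# Assumptions: ActiveDirectory module (RSAT) is installed; the session can read
# the forest root domain; group members are accounts in the root domain;
# the 90-day password-age threshold is illustrative, not a recommendation.
Import-Module ActiveDirectory

function Get-ForestAdminAudit {
    param(
        # Both groups exist only in the forest root domain.
        [string[]]$Groups = @('Enterprise Admins', 'Schema Admins'),
        [int]$MaxPasswordAgeDays = 90   # assumed threshold
    )

    $rootDomain = (Get-ADForest).RootDomain
    $rootDC = (Get-ADDomainController -DomainName $rootDomain -Discover).HostName[0]

    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so transitive members are listed too.
        $members = Get-ADGroupMember -Identity $group -Server $rootDC -Recursive

        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') {
                # Computers, nested foreign principals etc. do not belong here.
                [pscustomobject]@{
                    Group     = $group
                    Account   = $m.SamAccountName
                    LastLogon = $null
                    Finding   = "non-user member ($($m.objectClass))"
                }
                continue
            }

            # SmartcardLogonRequired is the userAccountControl flag Francis
            # proposes making mandatory; Enabled is returned by default.
            $u = Get-ADUser -Identity $m.DistinguishedName -Server $rootDC `
                 -Properties SmartcardLogonRequired, PasswordLastSet, LastLogonDate

            $findings = @()
            if (-not $u.SmartcardLogonRequired) { $findings += 'smart card not required' }
            if (-not $u.Enabled)                { $findings += 'disabled account still a member' }
            if ($u.PasswordLastSet -and
                $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
                $findings += "password last set $($u.PasswordLastSet.ToShortDateString())"
            }

            [pscustomobject]@{
                Group     = $group
                Account   = $u.SamAccountName
                LastLogon = $u.LastLogonDate
                Finding   = $(if ($findings) { $findings -join '; ' } else { 'ok' })
            }
        }
    }
}

# Usage: every finding per account, then the head count per group so the
# "small group" Hunter describes can be checked against the expected roster.
$audit = Get-ForestAdminAudit
$audit | Format-Table -AutoSize
$audit | Group-Object Group | Select-Object Name, Count
```

The head count is the number of distinct accounts holding the rights, which is all the directory can tell you. It says nothing about how many people know a given account's PIN or password; that is exactly Hunter's objection to one shared account, and the only fix for it is one named account per person so that the audit trail identifies who was logged in.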
