“If you have only one Enterprise admin account, and only one person who knows the credentials for that account, then there are some large organizational risks if something happens to that one person.”

True – one is really asking for a disaster at this point.

My environment – two EA privileged, and the credentials in a sealed envelope with the VP of Information Security.  Everyone else in the management and maintenance infrastructure – vetted DA for the respective domain of their accountable area, and delegated permissions to areas where they are not responsible, but possibly needed in a pinch.

Plus, we mix things up on occasion (what a wonderful thing assigning permissions to GROUPS not USERS) to ensure that there is no collusion occurring between specific areas.

SOX put a whole new spin on this for us.  Opened our (well, OK – I and my peer already knew – management got their butts handed to them) eyes to issues that we had in our domain structure and level of control and vulnerability by DA level folks.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, February 25, 2005 2:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

Some of that is semantics. If you have only one Enterprise admin account, and only one person who knows the credentials for that account, then there are some large organizational risks if something happens to that one person.

If you have only one Enterprise admin account, but you have 2 or 3 or 5 people who know the credentials on that account, then you have multiple Enterprise admins. Worse, everything that happens is within the security context of that one account, so you really can't have an audit trail since any one of the 2/3/5 people could have been the one logged in.

You also have to consider that the forest is the security boundary, and that any of your domain admins can potentially elevate their permissions to own the forest. Not that it's easy, but it's not impossible either.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:15 PM
To: [email protected]
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

"Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment)."

So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that against all the white papers out there stating that you shouldn't have more than one ent. admin. in your forest and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term?

Thanks,

Francis 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: [email protected]
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....

Hi folks,

I was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had "carte blanche" to secure sensitive accounts in an enterprise directory?

First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employees knew the PINs.... Any other thoughts?

Thanks!

Francis Ouellet 
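
An added example, not from this thread or any of its posters: a PowerShell audit of the forest-root Enterprise Admins and Schema Admins groups that lists every member and whether smart card logon is required, which is what the thread is weighing (how many EA/SA principals exist, and whether a password alone can use them). It assumes the RSAT ActiveDirectory module, read access to the root domain, and the default English group names.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# read rights on the forest root domain, and default English group names.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$groups     = 'Enterprise Admins', 'Schema Admins'

$report = foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect members are counted too
    $members = Get-ADGroupMember -Identity $g -Server $rootDomain -Recursive
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') {
            # Computers or service accounts in these groups are unexpected; list them
            [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Type = $m.objectClass
                               SmartCard = $null; Enabled = $null; LastLogon = $null }
            continue
        }
        $u = Get-ADUser -Identity $m.distinguishedName -Server $rootDomain `
             -Properties SmartcardLogonRequired, LastLogonDate
        [pscustomobject]@{
            Group     = $g
            Member    = $u.SamAccountName
            Type      = 'user'
            SmartCard = $u.SmartcardLogonRequired   # the "mandatory smart card" control
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate            # stale members are candidates for removal
        }
    }
}

$report | Format-Table -AutoSize

# Flag the two conditions the thread raises: more EA/SA principals than a small,
# named group, and any EA/SA account that can still log on with a password alone.
foreach ($g in $groups) {
    $n = @($report | Where-Object Group -eq $g).Count
    if ($n -gt 5) { Write-Warning "$g has $n members; the thread suggests 2-5 at most" }
}
$report | Where-Object { $_.Type -eq 'user' -and -not $_.SmartCard } |
    ForEach-Object { Write-Warning "$($_.Member) in $($_.Group) does not require smart card logon" }
```

Run it from a workstation joined to the forest with an account that can read the root domain; it changes nothing, it only reports.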