42 sounds like the perfect number :)

Agreed, but I'd suspect 3 would be a pretty beneficial place to start:
1) Unprivileged standard user
2) Local administrator
3) Domain administrator

-----Original Message-----
From: Ben Scott [mailto:[email protected]] 
Sent: Tuesday, February 28, 2012 5:26 PM
To: NT System Admin Issues
Subject: Re: Log on to DC directly

On Tue, Feb 28, 2012 at 1:12 PM, Free, Bob <[email protected]> wrote:
> If you want to look at really tightening things up search out the 
> articles Laura Robinson has written about running with 0 domain 
> admins.  While eliminating DAs might not be possible in your 
> environment, her ideas definitely get you thinking about least privilege.

  While privilege separation is an extremely useful concept, I suspect for at 
least some of us (myself, certainly, and I believe Kurt too), its utility is 
somewhat diminished by the fact that all the privileged roles fall on the same 
small group of people.  It's not worthless for us, but it's a lot more 
effective in a large org, where you have different people handling the 
different tasks.  When one person is doing everything from a single PC, logging 
into 42 different accounts isn't going to yield nearly as much benefit.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
