On Tue, Feb 28, 2012 at 15:25, Ben Scott <[email protected]> wrote:

> On Tue, Feb 28, 2012 at 1:12 PM, Free, Bob <[email protected]> wrote:
>> If you want to look at really tightening things up search out the articles
>> Laura Robinson has written about running with 0 domain admins. While eliminating
>> DAs might not be possible in your environment, her ideas definitely get you
>> thinking about least privilege.
>
> While privilege separation is an extremely useful concept, I suspect
> for at least some of us (myself, certainly, and I believe Kurt too),
> its utility is somewhat diminished by the fact that all the privileged
> roles fall on the same small group of people. It's not worthless for
> us, but it's a lot more effective in a large org, where you have
> different people handling the different tasks. When one person is
> doing everything from a single PC, logging into 42 different accounts
> isn't going to yield nearly as much benefit.
To a large degree, yes, I fit that profile. I have an IT manager over me, I'm the infrastructure team supervisor, and I have two minions; all of us have DA accounts alongside our normal user accounts. I'd prefer it if the manager didn't have DA access, and I'm pretty convinced I'm a bit early in granting at least one of my minions DA access (the former is a cowboy and the latter will be good at some point, but lacks a bit of training that I don't have time to give).

I support most everything, and so far having two accounts has worked well enough. However, I'm still thinking hard about at least a 3rd account for servers, especially where other members of IT log into them, and a 4th account just for end-user machines. The other members of IT are a DBA/CRM/business analyst, an ERP programmer and a web application developer.

One other thing that I've been mulling over along with the other credentials is a set of VMs on which to run them. Want to manage AD/DNS/WINS/CA? RDP into this Win7 VM with the correct tools on it. Want to manage AV/WSUS/other workstation stuff? Log into that Win7 VM over there with those tools on it. Lather, rinse, repeat. Then my laptop would be just another end-user station, with much reduced chances of getting my elevated credentials compromised.

I'm not convinced it's the right way to go, but that's what mulling it over means...

Kurt
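The account split Kurt is weighing (one account for AD/DCs, one for servers, one for workstations, plus the ordinary user account) only pays off if the higher-tier credentials never get typed into lower-tier machines, because an interactive or RDP logon leaves reusable secrets (NT hash, Kerberos tickets) in LSASS on the target host. The script below is an added example, not code from the thread or from any product mentioned in it: it reads successful logon events (4624) and flags any admin account used with a credential-exposing logon type on a host below its tier. It assumes a naming convention in which the account suffix gives the tier (`alice-da` domain admin, `alice-srv` server admin, `alice-wks` workstation admin, `alice` plain user) and the hostname prefix gives the host class (`DC*`, `SRV*`, `WKS*`); both conventions and the log lines are constructed for the example.

```python
"""Check Windows logon events against a tiered-admin-account policy.

Added example, not from the mailing-list thread. Assumptions (constructed
for this example): account tier is encoded in a name suffix, host tier in a
hostname prefix, and events arrive as one 'time id user= host= type=' line
each, as they might after exporting 4624/4625 events from the Security log.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "time event_id user host logon_type")

# Tier 0 = directory services / DCs, 1 = member servers, 2 = workstations.
ACCOUNT_TIER = {"-da": 0, "-srv": 1, "-wks": 2}   # assumed naming convention
HOST_TIER = {"DC": 0, "SRV": 1, "WKS": 2}         # assumed hostname prefixes
LEAST_TRUSTED = max(HOST_TIER.values())

# Logon types that leave reusable credentials on the target host:
# 2 interactive, 4 batch, 5 service, 10 RemoteInteractive (RDP), 11 cached.
# Type 3 (network, e.g. SMB/WinRM without CredSSP) does not, so it is not flagged.
CREDENTIAL_EXPOSING = {2, 4, 5, 10, 11}

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<id>\d+) user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\d+)$"
)


def account_tier(user):
    """Tier of an admin account from its suffix, or None for an ordinary user account."""
    for suffix, tier in ACCOUNT_TIER.items():
        if user.lower().endswith(suffix):
            return tier
    return None


def host_tier(host):
    """Tier of a host from its name prefix; unknown hosts are treated as least trusted."""
    for prefix, tier in HOST_TIER.items():
        if host.upper().startswith(prefix):
            return tier
    return LEAST_TRUSTED


def parse_events(text):
    """Parse the constructed one-line-per-event format into Event tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(Event(m["time"], int(m["id"]), m["user"], m["host"], int(m["type"])))
    return events


def find_violations(events):
    """Return successful logons where a higher-tier admin account exposed its
    credentials on a lower-tier host (account tier number < host tier number)."""
    violations = []
    for ev in events:
        if ev.event_id != 4624:                 # only successful logons
            continue
        if ev.logon_type not in CREDENTIAL_EXPOSING:
            continue
        atier = account_tier(ev.user)
        if atier is None:                       # ordinary user account: out of scope
            continue
        if atier < host_tier(ev.host):
            violations.append(ev)
    return violations


# Constructed sample: one DA logon to a DC (fine), one DA logon to the admin's own
# laptop (violation), a server admin reaching a workstation over the network only
# (fine), a failed DA logon (ignored here), and a DA logon to an unclassified host.
SAMPLE_LOG = """\
2012-02-28T09:01:12 4624 user=kurt-da host=DC01 type=10
2012-02-28T09:05:40 4624 user=kurt-da host=WKS-KURT type=2
2012-02-28T09:07:03 4624 user=kurt-srv host=SRV-FILE01 type=10
2012-02-28T09:09:55 4624 user=kurt-srv host=WKS-DEV07 type=3
2012-02-28T09:12:18 4624 user=kurt host=WKS-KURT type=2
2012-02-28T09:15:30 4624 user=kurt-wks host=WKS-DEV07 type=10
2012-02-28T09:20:02 4625 user=kurt-da host=WKS-DEV07 type=2
2012-02-28T09:22:44 4624 user=kurt-da host=LAPTOP-CEO type=2
"""

if __name__ == "__main__":
    for ev in find_violations(parse_events(SAMPLE_LOG)):
        print(f"{ev.time} tier-{account_tier(ev.user)} account {ev.user} "
              f"logged on (type {ev.logon_type}) to tier-{host_tier(ev.host)} host {ev.host}")
```

Run over the sample, it reports the two domain-admin logons to workstation-class hosts and stays quiet about the type 3 network logon, which is the distinction that makes the "separate account per tier plus a dedicated admin VM per tier" setup worth the extra logins: the DA credential should appear in interactive logons only on DCs and the AD-management VM, never on the laptop that reads mail.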
