RISK = LIKELIHOOD X CONSEQUENCES for all of us...
If you are a very large financial, government, <fill in the blank> institution it's probably a necessary evil. In the case of a firm like that, there are many billions at risk and even if the likelihood is extremely low, the consequences are unacceptable so the cost of the risk avoidance is a part of doing business. Many of the general concepts he advocated can be applied to any size organization. They happened to have taken ITIL to an extreme that I had not previously encountered or even imagined. It also took an incident of sufficient magnitude to get upper management's attention and buy-in at that firm. The level of operational maturity they have attained has taken a couple of years and a lot of effort.

He shared that the whole initiative stemmed from an IT outage where Sr. Management asked why it was possible for something like that to happen and some little IT guy in a corner somewhere said "it happened because we have way too many administrators with high level privileges to control effectively". So while the extent they have gone to may seem extreme, it is pertinent to this discussion to me that we are talking about here, how many highly privileged people are in our organizations and what risk is present from those already on the inside?

This is the link he suggested we all should take a look at and consider: http://www.cert.org/insider_threat/

From: René de Haas [mailto:[email protected]]
Sent: Friday, March 27, 2009 9:23 AM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

I wonder if in that case the cure isn't more work than the problem.

René

From: Free, Bob [mailto:[email protected]]
Sent: Friday, March 27, 2009 5:20 PM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

It was a very thought provoking presentation but in the end, that's exactly what they were doing and it was actually the security guys who did the work if it wasn't something that had been automated and delegated.
There has to be really a lot of process and testing wrapped around it. Of course this comes at a rather high cost because of the amount of work it takes to test and develop all that process. I asked him what they did if something went awry on a DC and the AD folks had to work on it, and in that environment, if it wasn't something that could be fixed extremely easily by a pre-defined process, they just did a flatten and reinstall. Since that process was all automated it took about 2 hrs from bare metal to a prod DC. He said they had just over 400 DCs and of them, ~140 were prod and all the rest were for all the testing that had to take place to make it all work.

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, March 26, 2009 11:12 AM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

Didn't see that one but I have worked with customers where they have a process to add and remove accounts on a temporary basis from those groups as needed.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Free, Bob [mailto:[email protected]]
Sent: Thursday, March 26, 2009 1:01 PM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

Saw a presentation yesterday at TEC by a fellow who went from an environment like that to 0 for a very large financial org. 0 people in DA/EA/SA, that was very eye-opening for me as I thought we had done well to get down to less than 4.

From: James Rankin [mailto:[email protected]]
Sent: Thursday, March 26, 2009 7:08 AM
To: NT System Admin Issues
Subject: Re: How many domain admins do you have?

At one of my previous (outsourcing) jobs we had a policy of revoking all Domain Admin access and seeing who screamed.
I would estimate less than 10% of them, on average, could justify the need. On one account, we reduced 157 Domain Admin accounts to 13, and that was in the NT4 days where delegating authority for certain tasks was a lot harder.

2009/3/26 David Lum <[email protected]>

In our case six would be plenty - with delegation I don't even see us needing even that many, but we do have some folks whose egos would have a hard time having that permission removed, never mind the fact I could probably remove 90% of them from the group and they'd never notice...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, March 26, 2009 1:52 AM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

I usually go with a magic number of 6 as what I tell larger customers to keep it <=. Not sure what your org looks like though so kind of shooting in the dark.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: David Lum [mailto:[email protected]]
Sent: Monday, March 23, 2009 10:47 AM
To: NT System Admin Issues
Subject: How many domain admins do you have?

General poll: How many Systems Engineers do you guys have and how many of them are domain administrators? If you don't want to divulge specifics then percentages would work.

For us we're at about 13 DA's / 13 SE's, although I think we should be closer to say, 4/13.

Comments?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
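The poll in this thread comes down to a head count of who is effectively in DA/EA/SA. One way to produce that count, as an added example that is not from any poster in the thread: a PowerShell script using the ActiveDirectory module. The threshold of 6 is Brian Desmond's figure from the thread; the 90-day review window and all variable names are assumptions.

```powershell
Import-Module ActiveDirectory                 # RSAT ActiveDirectory module

$Threshold = 6                                # Brian Desmond's figure from the thread
$StaleDays = 90                               # assumption: review window in days
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
$Root      = (Get-ADForest).RootDomain        # EA and SA exist only in the forest root
$Local     = (Get-ADDomain).DNSRoot

$Groups = @(
    @{ Name = 'Domain Admins';     Server = $Local },
    @{ Name = 'Enterprise Admins'; Server = $Root  },
    @{ Name = 'Schema Admins';     Server = $Root  }
)

$Members = foreach ($g in $Groups) {
    try {
        # -Recursive expands nested groups so indirect members are counted too
        $found = @(Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive -ErrorAction Stop)
    } catch {
        Write-Warning "Cannot read '$($g.Name)' on $($g.Server): $_"
        continue
    }
    foreach ($m in $found) {
        $lastLogon = $null
        if ($m.objectClass -eq 'user') {
            try {
                # LastLogonDate is the replicated lastLogonTimestamp; it can lag by about 14 days
                $lastLogon = (Get-ADUser -Identity $m.distinguishedName -Server $g.Server -Properties LastLogonDate -ErrorAction Stop).LastLogonDate
            } catch {
                Write-Warning "No logon data for $($m.SamAccountName): $_"
            }
        }
        [pscustomobject]@{
            Group     = $g.Name
            Account   = $m.SamAccountName
            Class     = $m.objectClass
            LastLogon = $lastLogon
            # Non-user members carry no logon date here and are listed for review too
            Stale     = (-not $lastLogon) -or ($lastLogon -lt $Cutoff)
        }
    }
}

# Head count per group, flagged against the threshold
$Members | Group-Object Group | ForEach-Object {
    [pscustomobject]@{ Group = $_.Name; Count = $_.Count; OverThreshold = $_.Count -gt $Threshold }
} | Format-Table -AutoSize

# Members with no logon inside the window: candidates for review
$Members | Where-Object Stale | Sort-Object Group, Account | Format-Table -AutoSize
```

The script only reads from the directory. Members that live in a different domain than the group are reported with a warning and no logon date.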
