Some orgs have this. I'm in one place where we have separate products for workstations, servers and mobile devices (i.e. three separate vendors) for just this reason. Not to mention that Exchange and SharePoint have yet another product (Forefront). The QA process for releasing daily updates though...
But I agree with your nitpick. If you have a single product, there is no point, unless the vendor releases separate updates for a desktop scanning product vs an Exchange aware mail scanning product (MS, for example, would have separate releases for MSE/Forefront client vs Forefront Security for Exchange).

Cheers
Ken

From: Crawford, Scott [mailto:[email protected]]
Sent: Friday, 28 May 2010 7:38 AM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

Not to nitpick, but I want to nit pick :)

RE: "But no one uses the internet on the exchange server so we don't have AV on it"

How is this relevant? If the AV on the workstation the DA is logged into didn't catch the virus, why would the same AV software on the Exchange server catch it? Or, are you suggesting that different AV be installed on various servers?

From: Phil Garven [mailto:[email protected]]
Sent: Thursday, May 27, 2010 4:06 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

+1 on separate accounts for admins

Log on with a user account (maybe a local admin) and use "run as" to run your admin programs as your domain admin or equivalent account.

If you log on as a domain admin and get a virus (happens to the best of us) then that virus is running as a domain admin and sending itself to your exchange server and remotely executing.

"But no one uses the internet on the exchange server so we don't have AV on it"

Regards,
Phil Garven
Sunbelt Software

________________________________

From: Free, Bob [mailto:[email protected]]
Sent: Thursday, May 27, 2010 4:43 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

2-3 is max for any environment IMO. Everything else should be done with delegations. They must be your most proficient admins, not any old new hire.

Check out some of joe Richard's rants about it, he ran a multinational Global 5 firm with 3 EA/DA level admins who were, as he put it, all close enough to smack each other (+ 1 manager who had the keys in a break glass/locked safe scenario).

Personally, I am a fan of 3 accounts per admin for those enterprise level admins: 1 uberadminID (DA/EA), 1 regular adminID with appropriate delegations like all administrators should have, and the usual day-to-day userID.

From: David Lum [mailto:[email protected]]
Sent: Thursday, May 27, 2010 11:39 AM
To: NT System Admin Issues
Subject: What's your requirement to allow a user DA?

What are you guys' prerequisites on someone having a Domain Admin account - assume a medium or large company and 4-5+ Systems Engineers. Previously here they've just had every new SE hire be domain admin, I'm thinking it's time to change that practice but I'll need some ammo and a plan before I have any hope of changing this.

My thinking is along the line of "need to know what's going in this AD structure" as well as being proficient in all things AD, etc. Thoughts, comments? I'm thinking there should only be 2-3 DA accounts max per domain max.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
